Closed cboettig closed 5 years ago
# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"
add this to your .bashrc
or something else that gets loaded on login (Mac/Linux); Windows would be different.
Just makes sure everything is connected and happy to make it more consistent.
nice suggestion. (Would need a few tweaks in my case as it's usually a git push or mosh or other command that is just going to ssh under the hood, rather than a literal ssh.) Good to know that gpg-connect-agent updatestartuptty /bye is the appropriate way to trigger this, I may at least alias that to something like
alias gpg-unlock="gpg-connect-agent updatestartuptty /bye"
hmm... gpg-connect-agent updatestartuptty /bye reports "OK" without prompting me for a pin to unlock, and it seems the card is still locked. For the moment I've aliased alias gpg-unlock="gpg -d dummy.gpg &> /dev/null" but obviously this feels very hacky.
@cboettig gpg-connect-agent won't prompt for pin, it just makes sure the gpg agent is working and the current terminal is targeted by your pinentry. When ssh/git/mosh etc. try to use the gpg-agent for ssh, the pinentry will get triggered.
another option is to add these two lines to a .bash_profile
GPG_TTY=$(tty)
export GPG_TTY
@netflash also works, i do both.
Thanks @netflash, I have that in my bash profile (as per this guide):
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
but I'm still not prompted for my pin on ssh calls, only on gpg decrypt or sign calls. Not sure why or what I've missed.
if you run ssh-add -l, do you see a key with the cardno in a comment section?
@netflash yes, ssh-add -l shows my key with the correct cardno in the comment section.
well... the output of ssh -vvvv would help
Please send a PR if you figure it out and can explain it to others in the guide.
If others are having the same issue as me - it goes incredibly slow and eventually just says sign_and_send_pubkey: signing failed for RSA "/home/xxxx/.ssh/id_rsa_yubikey.pub" from agent: agent refused operation
@SamMorrowDrums never found a really nice solution to this, every now and then I just don't get prompted to unlock, particularly on ssh-based tasks. My workaround has been to just make a dummy decryption call, gpg -d somefile.gpg, which usually prompts me for a pin whenever the card is locked, and then I can repeat my ssh-based command again.
In rare cases I'm told to 'insert key with id XXX' and I have to remove and re-insert the yubikey, I believe this is due to switching between yubikey GPG functions vs the other built-in functions (like yubico authenticator app for those apps that still don't support U2F)
Also, is there a more generic way to ping the opengpg card to prompt me for a pin, rather than running a dummy decryption or signing request?
I can at least answer this. Try:
$ gpg-connect-agent 'scd serialno' /bye
to get your card's serial number. Then:
$ gpg-connect-agent 'scd checkpin <serial>' /bye
putting your card's serial number instead of <serial>. This should prompt for your card's PIN if needed. The serial number shouldn't change, so you can create a shell alias if you like.
SERIAL=$(gpg-connect-agent 'scd serialno' /bye | head -n 1 | cut -f3 -d' ')
gpg-connect-agent "scd checkpin $SERIAL" /bye
In case anyone still needs a solution for this annoying behaviour, it may be the following: Even with export GPG_TTY=$(tty) in your shell's startup files, gpg still does not know where to display the pin-entry. But if you invoke echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1 and try again, you will be prompted for your pin as expected.
So if your shell startup looks something like this:
export GNUPGHOME="${HOME}/.gnupg"
export PINENTRY_USER_DATA="USE_CURSES=1" # not relevant to the problem
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # like in the guide
gpgconf --launch gpg-agent # like in the guide
echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1
you should be able to use ssh without any of the workarounds above. This is tested twice under macOS 13.3.1. Let me know if this helped you.
I had multiple problems with configuring that - I use tmux and TTYs got mixed all the time for some reason.
But @auroraunit217 response got me on the right track, and I fixed my problem by changing pinentry flavour to qt.
Not sure how to do this in vanilla config, In nixos that's:
services.gpg-agent.pinentryFlavor = "qt";
By the way, a command that may help y'all with debugging is journalctl -fan100.
If anyone uses zsh in combination with powerlevel10k. The outlined solution:
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
gpg-connect-agent updatestartuptty /bye > /dev/null
does not work for me as export GPG_TTY="$(tty)" resolved into not a tty due to different initialization behaviour. powerlevel10k offers the $TTY env var to get the same output. (Not sure how it is without powerlevel10k)
What I used instead:
export GPG_TTY=$TTY
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
gpg-connect-agent updatestartuptty /bye > /dev/null
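A gpg-unlock helper that combines the scd checkpin approach from the earlier answer with the $TTY fallback from the zsh post, as an added example that is not from this thread or the guide; the function names are my own, and the 'S SERIALNO ...' agent output line used in the parser is assumed from gpg-connect-agent's Assuan response format.

```shell
#!/bin/sh
# Added example (not the guide's code): force a PIN prompt on the OpenPGP card
# the way the thread suggests, and resolve the pinentry terminal robustly.

# Extract the card serial from `gpg-connect-agent 'scd serialno' /bye` output.
# The agent answers with a status line "S SERIALNO <serial>" followed by "OK";
# when no card is present it answers "ERR ..." and nothing is printed here.
# Reads the agent output from stdin so it can be exercised without a card.
parse_card_serial() {
  awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'
}

# `tty` prints "not a tty" and exits 1 when stdin is not a terminal (the
# powerlevel10k instant-prompt case in the thread). Fall back to $TTY, which
# zsh sets itself; fail if neither gives a usable device path.
resolve_gpg_tty() {
  t=$(tty 2>/dev/null) && [ -n "$t" ] && { printf '%s\n' "$t"; return 0; }
  [ -n "${TTY:-}" ] && { printf '%s\n' "$TTY"; return 0; }
  return 1
}

# Point gpg-agent at this terminal, then ask scdaemon to check the PIN,
# which triggers pinentry if the card is still locked.
gpg_unlock() {
  GPG_TTY=$(resolve_gpg_tty) || { echo "gpg-unlock: no terminal for pinentry" >&2; return 1; }
  export GPG_TTY
  gpg-connect-agent updatestartuptty /bye >/dev/null || return 1
  serial=$(gpg-connect-agent 'scd serialno' /bye | parse_card_serial)
  [ -n "$serial" ] || { echo "gpg-unlock: no card detected" >&2; return 1; }
  gpg-connect-agent "scd checkpin $serial" /bye
}
```

Source this file from your shell startup and call gpg_unlock after inserting the card; it exits non-zero instead of silently reporting OK when no card or terminal is found.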
Thanks to this guide, I am now using my yubikey-based GPG credentials for encryption, signing and ssh. I've noticed that inserting the Yubikey and attempting to ssh does not trigger gpg-agent to prompt me for a pin though. Explicitly gpg-based operations like decryption do prompt me, so I have resorted to doing gpg -d dummy.gpg after inserting the card in order to get the pin prompt (which gpg agent then caches for the configured amount of time). Thanks!