SSH¶
Compatible Nitrokeys |
|||||||
---|---|---|---|---|---|---|---|
✓ active |
⨯ inactive |
⨯ inactive |
✓ active |
⨯ inactive |
✓ active |
✓ active |
⨯ inactive |
This guide explains how to prepare your SSH server and client for use with the Nitrokey. For configuring PuTTY, see this guide:
The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys.
Preparation on client¶
Make sure ~/.gnupg/gpg.conf contains ‘use-agent’
Add ssh support to gnupg-agent by adding ‘enable-ssh-support’ to ~/.gnupg/gpg-agent.conf
If the file does not exist yet, you can just create it.
Add the following code somewhere into your ~/.bashrc (for fish shell, look here)
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
Simply restart your system or try
pkill gpg-agent
and open a new commandline to make sure everything is setIn case of problems, please try
gpg2 --card-status
on first usage to make sure the gpg-agent gets started
Preparation for the server¶
You can generate an authorized_keys file by running either
gpg2 --export-ssh-key keyID >> ~/authorized_keys
where
keyID
is the subkey id being used for authentication on your Nitrokey. The Nitrokey must already be known to the local GnuPG keyring. You can now append that file to a remote server’s authorized_keys and when you ssh to the server you’ll be asked for a pin rather than a passphrase.
Troubleshooting¶
If you are still being asked for a password please make sure that
echo $SSH_AUTH_SOCK
returns something like ‘/run/user/1000/gnupg/S.gpg-agent.ssh’ or ‘/home/username/.gnupg/.S.gpg-agent.ssh’. Unfortunately there were some changes in GnuPG in the past so that the actual content can differ from system and GnuPG version. On some systems there may are even multiple folders in this variable saved. You have to adapt the above given code in .bashrc so that the variable SSH_AUTH_SOCK is correct. In doubt look for ‘SSH_AUTH_SOCK’ in
man gpg-agent
to find the actual code for your version/system.
You may check if you have a ‘pinentry’ program installed via your package manager. You may need to set it in the gpg-agent.conf as well. You may need to point gpg-agent to the correct TTY.