final draft

This commit is contained in:
Brice Gagnage 2018-12-04 15:11:13 +01:00
parent ee30767612
commit 86e03e6d09
No known key found for this signature in database
GPG Key ID: 9FC06E8BF8542D71
1 changed files with 8 additions and 10 deletions

@ -1402,7 +1402,7 @@ enable-putty-support
- Enter `> gpg --card-status`, now you should see your Yubikey's details. - Enter `> gpg --card-status`, now you should see your Yubikey's details.
- Import your [public key](#export-public-key): `> gpg --import <path to public key file>` - Import your [public key](#export-public-key): `> gpg --import <path to public key file>`
- Trust it: [Trust master key](#trust-master-key) - Trust it: [Trust master key](#trust-master-key)
- Retrieve your public key's id: `gpg --list-public-keys` - Retrieve your public key's id: `> gpg --list-public-keys`
- Export the SSH key from GPG: `> gpg --export-ssh-key <your public key's id>` - Export the SSH key from GPG: `> gpg --export-ssh-key <your public key's id>`
Copy this key to a file for later use. It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into. Copy this key to a file for later use. It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into.
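Review bot: the `>` prompt added before `gpg --list-public-keys` matches the neighbouring lines, but `gpg --export-ssh-key` in the same hunk writes the key to stdout while the next line tells the reader to copy it to a file; consider spelling out the redirection, e.g. `> gpg --export-ssh-key <your public key's id> > yubikey-ssh.pub`, and stating that `<your public key's id>` is the key ID printed by `--list-public-keys`, since nothing else in the hunk says which field of that output to copy.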
@ -1425,15 +1425,15 @@ The goal here is to make the SSH client inside WSL work together with the Window
- Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant). - Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant).
- Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent. - Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent.
**Note**: we use a named socket here so we can use it in the RemoteForward directive of the .ssh/config file. **Note**: we use a named socket here so we can use it in the RemoteForward directive of the .ssh/config file.
- Source it `. ~/.bashrc`. - Source it `$ . ~/.bashrc`.
- You should be able to see your SSH key with `ssh-add -l`. - You should be able to see your SSH key with `$ ssh-add -l`.
- Edit your `~/.ssh/config` file. - Edit your `~/.ssh/config` file.
- For each host you want to use agent forwarding, add: - For each host you want to use agent forwarding, add:
``` ```
ForwardAgent yes ForwardAgent yes
RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant
``` ```
**Note**: the remote ssh socket path can be found by executing `gpgconf --list-dirs agent-ssh-socket` on the host. **Note**: the remote ssh socket path can be found by executing `$ gpgconf --list-dirs agent-ssh-socket` on the host.
### Remote host configuration ### Remote host configuration
- Add to your .bashrc or equivalent: - Add to your .bashrc or equivalent:
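Review bot: `ForwardAgent yes` in the per-host block is redundant once the gpg-agent socket is forwarded with `RemoteForward`; it gives the remote host a second path to the local agent through OpenSSH's own forwarded socket, so suggest dropping it if the `RemoteForward` socket is the one the remote `.bashrc` points `SSH_AUTH_SOCK` at, or documenting why both are needed. Also, the note `gpgconf --list-dirs agent-ssh-socket` "on the host" should say "on the remote host", since the value being looked up is the remote side of the `RemoteForward` directive.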
@ -1446,19 +1446,17 @@ export GPG_TTY=$(tty)
AllowAgentForwarding yes AllowAgentForwarding yes
StreamLocalBindUnlink yes StreamLocalBindUnlink yes
``` ```
- Reload the ssh daemon (e.g. `sudo service sshd reload`). - Reload the ssh daemon (e.g. `$ sudo service sshd reload`).
### Final test ### Final test
- Unplug your Yubikey, reboot. - Unplug your Yubikey, disconnect or reboot.
- Log back on Windows, open a WSL console and enter `ssh-add -l`, you should see nothing. - Log back on Windows, open a WSL console and enter `$ ssh-add -l`, you should see nothing.
- Plug your Yubikey, enter the same command, you should see your ssh key. - Plug your Yubikey, enter the same command, you should see your ssh key.
- Log in to your remote host, you should have the pinentry popup/window asking for your Yubikey pin. - Log in to your remote host, you should have the pinentry popup/window asking for your Yubikey pin.
- On your remote host, type `ssh-add -l`. If should see your ssh key, that means your forwarding works ! - On your remote host, type `$ ssh-add -l`. If you see your ssh key, that means your forwarding works !
**Note**: you can chain the agent forwarding through multiple hosts, you just have to follow the same [protocol](#remote-host-configuration) to configure each host. **Note**: you can chain the agent forwarding through multiple hosts, you just have to follow the same [protocol](#remote-host-configuration) to configure each host.
# Troubleshooting # Troubleshooting
- If you don't understand some option - read `man gpg`. - If you don't understand some option - read `man gpg`.
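Review bot: the final test only checks the positive case; after confirming `ssh-add -l` lists the key on the remote host, suggest adding a step that unplugs the Yubikey and reruns `ssh-add -l` there to confirm the remote side holds no usable copy of the key, which is the property the setup is meant to give. Minor: `works !` still has a space before the exclamation mark, and `Plug your Yubikey` reads better as `Plug in your Yubikey`; the `If should see` fix is good.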