Merge pull request #127 from vorburger/patch-3

simplify Agent Forwarding (RemoteForward typically not required)
This commit is contained in:
drduh 2019-09-17 01:20:55 +00:00 committed by GitHub
commit 877a4a7e99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 12 deletions

View File

@ -1699,6 +1699,23 @@ To use YubiKey to sign a git commit on a remote host, or ssh through another net
To do this, you need access to the remote machine and the YubiKey has to be set up on the host machine. To do this, you need access to the remote machine and the YubiKey has to be set up on the host machine.
On the remote machine, edit `/etc/ssh/sshd_config` to set `StreamLocalBindUnlink yes`
**Optional** If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding).
Import public keys to the remote machine. This can be done by fetching from a keyserver. On the local machine, copy the public keyring to the remote machine:
```console
$ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
```
You should now be able use `ssh -A remote` on the _local_ machine to log into _remote_, and should then be able to use YubiKey as if it were connected to the remote machine. For example, using e.g. `ssh-add -l` on that remote machine should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.)
On modern distributions, such as Fedora 30, there is typically no need to also set `RemoteForward` in `~/.ssh/config` as detailed in the next chapter, because the right thing actually happens automatically.
### Steps for older distributions
On the local machine, run: On the local machine, run:
```console ```console
@ -1715,16 +1732,6 @@ $ gpgconf --list-dirs agent-socket
This should return a path such as `/run/user/1000/gnupg/S.gpg-agent` This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`
On the remote machine, edit `/etc/ssh/sshd_config` to set `StreamLocalBindUnlink yes`
**Optional** If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding).
Import public keys to the remote machine. This can be done by fetching from a keyserver. On the local machine, copy the public keyring to the remote machine:
```console
$ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
```
Finally, enable agent forwarding for a given machine by adding the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different): Finally, enable agent forwarding for a given machine by adding the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different):
``` ```
@ -1735,8 +1742,6 @@ Host
# RemoteForward [remote socket] [local socket] # RemoteForward [remote socket] [local socket]
``` ```
You should then be able to use YubiKey as if it were connected to the remote machine.
If you're still having problems, it may be necessary to edit `gpg-agent.conf` file on both the remote and local machines to add the following information: If you're still having problems, it may be necessary to edit `gpg-agent.conf` file on both the remote and local machines to add the following information:
``` ```