Securing SSH with GnuPG

4 Apr

I recently deleted all of my SSH private keys (which felt strange!), turning to GnuPG based authentication with the Yubikey instead.

On an Ubuntu 14.04 installation (one of my development platforms) I needed to take the following steps to make this work. For a more modern release, parts of this information are probably redundant. I'll make corrections as I install Debian Jessie on another server.

Disable the GPG and SSH components of the gnome-keyring-daemon

The gnome-keyring-daemon will interfere with the smartcard operation unless its GPG and SSH capabilities are disabled.

As root, create a wrapper around the binary (note the single quotes on the exec line, so that "$@" is written into the script literally rather than being expanded, to nothing, by the shell running echo):

$ cp -p /usr/bin/gnome-keyring-daemon /usr/bin/gnome-keyring-daemon-wrapped
$ echo '#!/bin/sh' > /usr/bin/gnome-keyring-daemon
$ echo 'exec /usr/bin/gnome-keyring-daemon-wrapped --components=pkcs11,secrets "$@"' >> /usr/bin/gnome-keyring-daemon
$ chmod +x /usr/bin/gnome-keyring-daemon

Also override the autostart entries in your home directory to turn off autostart for the GPG and SSH components (not sure this is needed with the above wrapper):

$ cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart
$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
$ echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/gnome-keyring-gpg.desktop
$ echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/gnome-keyring-ssh.desktop

Enable SSH support in the gpg-agent

This version of Ubuntu does not seem to handle the "enable-ssh-support" directive in $HOME/.gnupg/gpg-agent.conf so we need to add this option to the actual start scripts.

Simply add --enable-ssh-support just after the --daemon --sh arguments in /etc/X11/Xsession.d/90gpg-agent.

The /usr/share/upstart/sessions/gpg-agent.conf file will need the same argument, but also needs the inclusion of a PID_FILE, so change the pre-start clause to:

pre-start script
    GNUPGHOME=$HOME/.gnupg
    PID_FILE="$GNUPGHOME/gpg-agent-info-$(hostname)"
    [ -d "$GNUPGHOME" ] || { stop; exit 0; }

    # Only start the agent if gpg is configured to use one.
    grep -qs '^[[:space:]]*use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options" \
        || { stop; exit 0; }
    # --enable-ssh-support makes gpg-agent also serve an SSH agent socket;
    # --write-env-file records GPG_AGENT_INFO, SSH_AUTH_SOCK and SSH_AGENT_PID
    # in $PID_FILE so that the login shell can pick them up later.
    eval "$(gpg-agent --daemon --sh --enable-ssh-support --write-env-file="$PID_FILE")" >/dev/null
    initctl set-env --global GPG_AGENT_INFO=$GPG_AGENT_INFO
end script

Disable the SSH agent

As the gpg-agent will assume the role of the ssh-agent, we should disable the latter. Simply remove the line use-ssh-agent from /etc/X11/Xsession.options!

Change $HOME/.gnupg/gpg.conf to indicate the use of the GnuPG agent:

use-agent

The enable-ssh-support in $HOME/.gnupg/gpg-agent.conf seems to be ignored, but let’s add it for good measure:

enable-ssh-support

Finally, add the following to $HOME/.bashrc so that the GnuPG agent's environment variables are picked up by every login shell:

# Source the variables recorded by --write-env-file, if the agent has written them.
[ -r "$HOME/.gnupg/gpg-agent-info-$(hostname)" ] && . "$HOME/.gnupg/gpg-agent-info-$(hostname)"
export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID

Now log out and log in again. You should now have SSH support in GnuPG!
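To confirm that the login shell really ended up talking to gpg-agent rather than a leftover ssh-agent or gnome-keyring socket, here is an added check script of my own (not part of the original post). It assumes the VAR=value format of the file written by --write-env-file and the usual socket naming of the three agents (S.gpg-agent.ssh, keyring*/ssh, ssh-*/agent.*).

```shell
#!/bin/sh
# Added check (not from the original post): confirm that the SSH_AUTH_SOCK in
# the current shell is the gpg-agent socket named in the gpg-agent-info file.

# Classify an SSH_AUTH_SOCK path by each agent's socket naming convention
# (assumed): prints gpg-agent, gnome-keyring, ssh-agent or unknown.
agent_kind() {
    case "$1" in
        */S.gpg-agent.ssh) echo gpg-agent ;;
        */keyring*/ssh)    echo gnome-keyring ;;
        */ssh-*/agent.*)   echo ssh-agent ;;
        *)                 echo unknown ;;
    esac
}

# Read one VAR=value line from a --write-env-file info file. Unlike
# ". $file" in .bashrc this does not execute the file's contents.
agent_info_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 only when SSH_AUTH_SOCK equals the file's value and is a live socket;
# otherwise print which agent currently owns SSH_AUTH_SOCK and return 1.
check_ssh_agent_env() {
    expected=$(agent_info_value "$1" SSH_AUTH_SOCK)
    if [ -z "$expected" ]; then
        echo "no SSH_AUTH_SOCK in $1: gpg-agent not started with --enable-ssh-support?"
        return 1
    fi
    if [ "${SSH_AUTH_SOCK:-}" != "$expected" ]; then
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} (owner: $(agent_kind "${SSH_AUTH_SOCK:-}")), expected $expected"
        return 1
    fi
    if [ ! -S "$expected" ]; then
        echo "$expected is not a socket: gpg-agent not running?"
        return 1
    fi
    echo "SSH_AUTH_SOCK is the gpg-agent socket $expected"
}

# Usage after logging in: check_ssh_agent_env "$HOME/.gnupg/gpg-agent-info-$(hostname)"
```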

This information was compiled using the great information in: