GPG-Agent not recognising SSH keys
Jacques Kotze
jacques.kotze at gmail.com
Thu Jan 14 14:48:33 CET 2016
Hi Peter
Thanks for your comments and help.
Your guide highlighted a silly error where I had accidentally chopped some
of the trailing characters of the appropriate keygrip in sshcontrol (Doh!).
BTW I am using GnuPG 2.1.9
I can now successfully get the response to ssh-add -L as expected. Great!
I do have a problem with this setup still not working as expected i.e. I
have the exported pub key (from ssh-add -L) copied to the external servers
~/.ssh/authorized_keys.. but still being prompted for a user password upon
ssh'ing to the server.
Anything there I am perhaps missing?
Kind regards
Jacques
On 12 January 2016 at 18:37, Peter Lebbing <peter at digitalbrains.com> wrote:
> On 12/01/16 12:58, Jacques Kotze wrote:
> > Hi All,
>
> Hi,
>
> > First time post, so please excuse me if it is a ignorant noob question :)
>
> It's not an ignorant question, and even if it were, that wouldn't be a
> problem :).
>
> > $> unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
> > $> eval $(/usr/local/MacGPG2/bin/gpg-agent --daemon --enable-ssh-support)
>
> Which version of GnuPG are you using, by the way?
>
> > Ok.. so I am stumped. Any help appreciated :)
>
> Did it go something like this?
>
> I'm "quoting" the terminal interaction and writing comments in between.
> You can see I'm using GnuPG 2.1, but I think it should go the same for
> 2.0. There /is/ a difference with regard to the agent configuration,
> though, which is why I ask about your version above.
>
> > $ gpg2 --expert --edit-key DCDFDFA4
> > gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > Secret key is available.
> >
> > sec rsa1024/DCDFDFA4
> > created: 2012-03-17 expires: 2016-01-13 usage: SC
> > trust: never validity: unknown
> > ssb rsa1024/77A3395A
> > created: 2012-03-17 expires: never usage: E
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> > [ unknown] (2) Test Teststra <test at work.invalid>
>
> This is a testkey. It doesn't have an authentication capable subkey yet,
> so let's add one (for that, we need --expert, hence my use of it).
>
> > gpg> addkey
> > Please select what kind of key you want:
> > (3) DSA (sign only)
> > (4) RSA (sign only)
> > (5) Elgamal (encrypt only)
> > (6) RSA (encrypt only)
> > (7) DSA (set your own capabilities)
> > (8) RSA (set your own capabilities)
> > (10) ECC (sign only)
> > (11) ECC (set your own capabilities)
> > (12) ECC (encrypt only)
> > (13) Existing key
> > Your selection? 8
> >
> > Possible actions for a RSA key: Sign Encrypt Authenticate
> > Current allowed actions: Sign Encrypt
> >
> > (S) Toggle the sign capability
> > (E) Toggle the encrypt capability
> > (A) Toggle the authenticate capability
> > (Q) Finished
> >
> > Your selection? =a
>
> I just noticed this possibility in a recent post by Werner to this
> list... I don't know if it's a new 2.1 feature, but instead of first
> toggling S and E, you can prepend an = to your A and presto, the key is
> for A only.
>
> > RSA keys may be between 1024 and 4096 bits long.
> > What keysize do you want? (2048)
> > Requested keysize is 2048 bits
> > Please specify how long the key should be valid.
> > 0 = key does not expire
> > <n> = key expires in n days
> > <n>w = key expires in n weeks
> > <n>m = key expires in n months
> > <n>y = key expires in n years
> > Key is valid for? (0)
> > Key does not expire at all
> > Is this correct? (y/N) y
> > Really create? (y/N) y
> > We need to generate a lot of random bytes. It is a good idea to perform
> > some other action (type on the keyboard, move the mouse, utilize the
> > disks) during the prime generation; this gives the random number
> > generator a better chance to gain enough entropy.
> >
> > sec rsa1024/DCDFDFA4
> > created: 2012-03-17 expires: 2016-01-13 usage: SC
> > trust: never validity: unknown
> > ssb rsa1024/77A3395A
> > created: 2012-03-17 expires: never usage: E
> > ssb rsa2048/38EF7410
> > created: 2016-01-12 expires: never usage: A
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> > [ unknown] (2) Test Teststra <test at work.invalid>
> >
> > gpg> Save changes? (y/N) y
>
> So now we need the keygrip for this new authentication subkey:
>
> > $ gpg2 --with-keygrip -k DCDFDFA4
> > pub rsa1024/DCDFDFA4 2012-03-17 [expires: 2016-01-13]
> > Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> > uid [ unknown] Test Teststra (Koning van Wezel)
> <test at example.invalid>
> > uid [ unknown] Test Teststra <test at work.invalid>
> > sub rsa1024/77A3395A 2012-03-17
> > Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> > sub rsa2048/38EF7410 2016-01-12
> > Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
>
> The keygrip /follows/ the line with the short key ID; we need the
> keygrip for the key with ID 38EF7410, so it's the very last line. The
> other keygrips are for keys that don't have the authentication
> capability and are hence useless to add to sshcontrol.
>
> I used a screen editor, but let's pretend I used the command line... In
> fact, all further lines have been edited to hide my real SSH keys. It's
> probably overkill, but let's be cautious with what we broadcast on the
> internet.
>
> > $ cd .gnupg
> > $ echo '3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0' >>sshcontrol
> > $ cat .gnupg/sshcontrol
> > # List of allowed ssh keys. Only keys present in this file are used
> > # in the SSH protocol. The ssh-add tool may add new entries to this
> > # file to enable them; you may also add them manually. Comment
> > # lines, like this one, as well as empty lines are ignored. Lines do
> > # have a certain length limit but this is not serious limitation as
> > # the format of the entries is fixed and checked by gpg-agent. A
> > # non-comment line starts with optional white spaces, followed by the
> > # keygrip of the key given as 40 hex digits, optionally followed by a
> > # the caching TTL in seconds and another optional field for arbitrary
> > # flags. Prepend the keygrip with an '!' mark to disable it.
> >
> > 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0
>
> Now let's see if it's known:
>
> > $ ssh-add -L
> > ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQC9V1hmvs5Gg8OqmtHDXfIAKA5Ji0z0+ib5m7DRjX/KXXZvOtwR8QOvsFxffJsXpmp1m7nL/gw+EcjbMDAbo+X05UWKiMwyVdinbnaupFDtk7Z+KBEAYLsvUml23jiBzitLbURC7wFrMTFPVzGY/5ZHw0LaWjSPuQxltjPTnMUcL4F4eyDD2TkmsxmAgNy5xMAjHmGdEaBnFent2hBTMETyeWKlP6glKT67eL2SQn5viHSXK6nVlXsyYsJBIhSPjAagPv1qRtkhinSJaKDUGWZ0vxMpNHscjG4DreWKlzew5UQcBBKleYPl7mSf1Z8UJnwLnYdC0OhjC1dMfyitByhV
> (none)
>
> \o/
>
> If you did it just like this, there's an issue in your setup, as it
> works for me. If you didn't do it like this, ... you probably should ;P.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160114/99499ad1/attachment-0001.html>
More information about the Gnupg-users
mailing list