commit 71f4904b57e5435183426e621f1c531bdb6cdb28
parent ae9c3b39f4366e4fb5c09dd41229035f4eb8609d
Author: pyratebeard <root@pyratebeard.net>
Date: Thu, 1 Dec 2022 20:30:10 +0000
where_the_sshadows_lie
Diffstat:
1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/entry/where_the_sshadows_lie.md b/entry/where_the_sshadows_lie.md
@@ -16,34 +16,51 @@ To get an idea of how others work I put out [a poll](TK){target="_blank" rel="no
It surprised me that an equal number of people use one key per device as those that use one key for all.
-Maybe using one key isn't such a bad idea. Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them.
+Maybe using one key isn't such a bad idea. Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them. There has to be a secure way of achieving this.
When a GPG key is loaded into your keyring you don't have to keep the private key. With SSH keys there is no keyring, `ssh` uses the private key file when connecting. There is of course `ssh-agent` which can load the key in memory, but the private key still has to be read after a reboot. The key will still need a passphrase to be used, just like using your GPG key still requires a passphrase, but something about having the GPG key in a keybox file seems more secure than the SSH key "just lying around".
-As it turns out you can add an SSH key as a subkey to a GPG key, then `gpg-agent` will provide the authentication instead of `ssh-agent`, and more importantly you can delete you SSH private key.
+As it turns out you can add an SSH key as a subkey to a GPG key, then `gpg-agent` will provide the authentication instead of `ssh-agent`, and more importantly you don't need a SSH private key file.
-To add your SSH key as a subkey edit your GPG key in expert mode
+At first I attempted to add my existing SSH key to my GPG key, but hit a few blocks and started down a rabbit hole. Instead I opted to create a new SSH key. This would mean I would have to push it out to everywhere I needed it, a small price for ease of setting up.
+
+It is a good idea to take a backup of your existing GPG key
+```
+gpg2 -a --export-secret-keys <key_id> > gpg-backup.asc
+```
+
+To generate a new SSH key incant
```
-gpg2 -a --export-secret-keys <key_id> > original_backup.asc
gpg2 --quick-add-key <key_id> ed25519 auth 0
+```
+
+Now is a good time to take the new SSH public key and copy it everywhere you need it. You could use a tool such as `drist` or do it manually. I could not figure out how to do it with `ssh-copy-id`, if anybody knows how then please get in touch
+```
gpg2 --export-ssh-key <key_id>
-# use drist to copy key every where
+```
+
+Next we can stop our `ssh-agent` and `gpg-agent`. I use [keychain](TK) for managing my agents
+```
keychain --agents ssh,gpg -k
+```
+
+We have to tell GPG which subkey to use for SSH, wedo this by taking the _keygrip_ and putting it into GPG's _sshcontrol_ file
+```
gpg2 -k --with-keygrip <key_id>
-# get keygrip of ssh key
echo <keygrip> >> ~/.gnupg/sshcontrol
-vi ~/.zsh/keychain.zsh
- eval $(keychain -q --agents gpg --nogui --eval 0xC7877C715113A16D)
- gpg-connect-agent updatestartuptty /bye >/dev/null
- if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ] ; then
- export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
- fi
+```
+
+Now to start the `gpg-agent` back up, no `ssh-agent` required. In my `zsh` config I modified the `keychain` command to remove the option to start `ssh-agent`. I also added a `gpg-connect-agent` command to TK, then set the `SSH_AUTH_SOCK` variable
+```
+eval $(keychain -q --agents gpg --nogui --eval 0xC7877C715113A16D)
+gpg-connect-agent updatestartuptty /bye >/dev/null
+if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ] ; then
+ export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+fi
+```
+```
gpg2 -a --export-secret-keys <key_id> > gpg_with_ssh.asc
```
-https://opensource.com/article/19/4/gpg-subkeys-ssh-multiples
-https://gist.github.com/grenade/6318301?permalink_comment_id=3527964
-https://unix.stackexchange.com/questions/372879/import-my-ssh-key-as-gpg-sub-key-to-use-for-ssh-authentication
-https://www.linode.com/docs/guides/gpg-key-for-ssh-authentication/
Going one step further took [me back](TK){target="_blank" rel="noreferrer"} to hardware keys such as the [Yubikey](TK){target="_blank" rel="noreferrer"}.
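Review bot: the walkthrough never says that `gpg-agent` has to be started with `enable-ssh-support` in `~/.gnupg/gpg-agent.conf`; without it the agent does not listen on the socket that `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` points `ssh` at, and the keygrip added to `~/.gnupg/sshcontrol` is never consulted, so add that setting to the "stop the agents" step before `keychain --agents ssh,gpg -k`. Two smaller points in the same hunk: the `keychain` line hard-codes `0xC7877C715113A16D` while every other command uses the `<key_id>` placeholder, so use the placeholder there too; and the final `gpg2 -a --export-secret-keys <key_id> > gpg_with_ssh.asc` sits in a second fence with no sentence explaining it, so say that it is a fresh backup now that the key carries the auth subkey. On that theme, both `gpg-backup.asc` and `gpg_with_ssh.asc` are armoured secret keys written to disk, which is exactly the "private key just lying around" concern raised a few lines earlier, so a sentence on moving them off the device (or deleting them once the key is verified to work) would close the loop. Typos: "wedo" should read "we do", "a SSH private key file" should read "an SSH private key file", and the paragraph starting "Now to start the `gpg-agent`" still contains a `TK` placeholder ("added a `gpg-connect-agent` command to TK"), as do the `[a poll](TK)` and `[keychain](TK)` links.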