pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git

commit 71f4904b57e5435183426e621f1c531bdb6cdb28
parent ae9c3b39f4366e4fb5c09dd41229035f4eb8609d
Author: pyratebeard <root@pyratebeard.net>
Date:   Thu,  1 Dec 2022 20:30:10 +0000

where_the_sshadows_lie

Diffstat:
M entry/where_the_sshadows_lie.md | 49 +++++++++++++++++++++++++++++++++----------------
1 file changed, 33 insertions(+), 16 deletions(-)

diff --git a/entry/where_the_sshadows_lie.md b/entry/where_the_sshadows_lie.md 
@@ -16,34 +16,51 @@ To get an idea of how others work I put out [a poll](TK){target="_blank" rel="no It surprised me that an equal number of people use one key per device as those that use one key for all. -Maybe using one key isn't such a bad idea. Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them. +Maybe using one key isn't such a bad idea. Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them. There has to be a secure way of achieving this. When a GPG key is loaded into your keyring you don't have to keep the private key. With SSH keys there is no keyring, `ssh` uses the private key file when connecting. There is of course `ssh-agent` which can load the key in memory, but the private key still has to be read after a reboot. The key will still need a passphrase to be used, just like using your GPG key still requires a passphrase, but something about having the GPG key in a keybox file seems more secure than the SSH key "just lying around". -As it turns out you can add an SSH key as a subkey to a GPG key, then `gpg-agent` will provide the authentication instead of `ssh-agent`, and more importantly you can delete you SSH private key. +As it turns out you can add an SSH key as a subkey to a GPG key, then `gpg-agent` will provide the authentication instead of `ssh-agent`, and more importantly you don't need a SSH private key file. -To add your SSH key as a subkey edit your GPG key in expert mode +At first I attempted to add my existing SSH key to my GPG key, but hit a few blocks and started down a rabbit hole. Instead I opted to create a new SSH key. This would mean I would have to push it out to everywhere I needed it, a small price for ease of setting up. 
+ +It is a good idea to take a backup of your existing GPG key +``` +gpg2 -a --export-secret-keys <key_id> > gpg-backup.asc +``` + +To generate a new SSH key incant ``` -gpg2 -a --export-secret-keys <key_id> > original_backup.asc gpg2 --quick-add-key <key_id> ed25519 auth 0 +``` + +Now is a good time to take the new SSH public key and copy it everywhere you need it. You could use a tool such as `drist` or do it manually. I could not figure out how to do it with `ssh-copy-id`, if anybody knows how then please get in touch +``` gpg2 --export-ssh-key <key_id> -# use drist to copy key every where +``` + +Next we can stop our `ssh-agent` and `gpg-agent`. I use [keychain](TK) for managing my agents +``` keychain --agents ssh,gpg -k +``` + +We have to tell GPG which subkey to use for SSH, wedo this by taking the _keygrip_ and putting it into GPG's _sshcontrol_ file +``` gpg2 -k --with-keygrip <key_id> -# get keygrip of ssh key echo <keygrip> >> ~/.gnupg/sshcontrol -vi ~/.zsh/keychain.zsh - eval $(keychain -q --agents gpg --nogui --eval 0xC7877C715113A16D) - gpg-connect-agent updatestartuptty /bye >/dev/null - if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ] ; then - export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" - fi +``` + +Now to start the `gpg-agent` back up, no `ssh-agent` required. In my `zsh` config I modified the `keychain` command to remove the option to start `ssh-agent`. 
I also added a `gpg-connect-agent` command to TK, then set the `SSH_AUTH_SOCK` variable +``` +eval $(keychain -q --agents gpg --nogui --eval 0xC7877C715113A16D) +gpg-connect-agent updatestartuptty /bye >/dev/null +if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ] ; then + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" +fi +``` +``` gpg2 -a --export-secret-keys <key_id> > gpg_with_ssh.asc ``` -https://opensource.com/article/19/4/gpg-subkeys-ssh-multiples -https://gist.github.com/grenade/6318301?permalink_comment_id=3527964 -https://unix.stackexchange.com/questions/372879/import-my-ssh-key-as-gpg-sub-key-to-use-for-ssh-authentication -https://www.linode.com/docs/guides/gpg-key-for-ssh-authentication/ Going one step further took [me back](TK){target="_blank" rel="noreferrer"} to hardware keys such as the [Yubikey](TK){target="_blank" rel="noreferrer"}.
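Review bot: in the sshcontrol step, `gpg2 -k --with-keygrip <key_id>` prints a keygrip for the primary key and for every subkey, but the new prose only says to take "the _keygrip_"; the removed comment `# get keygrip of ssh key` was the only hint that it is the keygrip of the `auth` subkey created by `--quick-add-key` that belongs in `~/.gnupg/sshcontrol`, so state that explicitly, e.g. "take the keygrip listed for the new auth subkey and append it to `~/.gnupg/sshcontrol`". The same hunk also leaves three `TK` link placeholders unresolved (`[a poll](TK)`, `[keychain](TK)`, and "a `gpg-connect-agent` command to TK"), opens a second fence immediately after the `fi` block closes so the final `gpg2 -a --export-secret-keys <key_id> > gpg_with_ssh.asc` has no sentence saying it re-exports the key with the new subkey, and has the typos "wedo" ("we do") and "a SSH" ("an SSH"). Since both export commands write the armored secret key into the working directory, a sentence on storing `gpg-backup.asc` and `gpg_with_ssh.asc` somewhere safe and removing the working copies would round out the backup step.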