@exabrial
Last active August 6, 2019 01:23
OSx Mac GPG and SSH Authentication.md

Works on macOS Mojave!

  1. Install the latest MacGPG: https://gpgtools.org/
  2. Create yourself a GPG key with an authentication subkey (https://www.linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/)
  3. Run gpg -K --with-keygrip and put the keygrip of the auth subkey (the Keygrip line shown under it, not the key ID) in ~/.gnupg/sshcontrol
  4. Install the files below to these locations:
    • /usr/local/bin/start-gpg-agent.sh
    • ~/Library/LaunchAgents/gpg.agent.daemon.plist
  5. Run sudo chmod +x /usr/local/bin/start-gpg-agent.sh
  6. Run launchctl load -w ~/Library/LaunchAgents/gpg.agent.daemon.plist
  7. Run gpg --export-ssh-key ::insert-your-keyid-here:: and distribute the output to the servers you're connecting to (we keep our public keys in LDAP)
  8. Remove any old SSH keys from your ~/.ssh/ directory
  9. Restart your Mac
  10. Run ps -ef | grep gpg-agent and verify the gpg-agent is running with the --enable-ssh-support option
  11. Run ssh-add -L to see your public key
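The following script is an added example, not part of the gist, that checks the outcome of steps 3, 10 and 11 from text output rather than by eye: it extracts the keygrip of the subkey carrying the A (authentication) usage flag from `gpg -K --with-keygrip` output, confirms that keygrip is listed in the sshcontrol file, and confirms a gpg-agent process was started with --enable-ssh-support. The embedded `gpg -K` and `ps -ef` samples are constructed, with made-up fingerprint, keygrip and pid values.

```bash
#!/bin/bash
# Added example, not part of the gist: verify the sshcontrol and gpg-agent
# steps from text output. All sample values below are constructed.

# Constructed sample of `gpg -K --with-keygrip` (fake fingerprint/keygrips)
SAMPLE_GPG_K='sec   rsa4096 2019-08-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Example User <user@example.com>
ssb   rsa4096 2019-08-01 [E]
      Keygrip = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb   rsa4096 2019-08-01 [A]
      Keygrip = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'

# Constructed sample of `ps -ef` (fake pids) showing a correctly started agent
SAMPLE_PS='  UID   PID  PPID   C STIME   TTY           TIME CMD
  501   812     1   0  9:00AM ??         0:00.20 /usr/local/MacGPG2/bin/gpg-agent --enable-ssh-support --daemon
  501   990   700   0  9:01AM ttys000    0:00.00 grep gpg-agent'

# Print the keygrip of every key or subkey whose usage flags include A
# (authentication). sshcontrol wants keygrips, not key IDs or fingerprints.
auth_keygrips() {   # reads `gpg -K --with-keygrip` output on stdin
  awk '/^(sec|ssb)/ { want = ($0 ~ /\[[A-Z]*A[A-Z]*\]/) }
       /Keygrip =/ && want { print $3 }'
}

# Succeed only if every authentication keygrip is listed in the sshcontrol
# file ($2). Lines starting with # are comments in that file.
sshcontrol_has_auth_key() {   # $1 = gpg -K output, $2 = path to sshcontrol
  local grips grip missing=0
  grips=$(printf '%s\n' "$1" | auth_keygrips)
  if [ -z "$grips" ]; then
    echo "no subkey with the A (authentication) usage flag found" >&2
    return 1
  fi
  for grip in $grips; do
    if grep -v '^#' "$2" | grep -q "^$grip"; then
      echo "ok: $grip is listed in $2"
    else
      echo "missing: add $grip to $2"
      missing=1
    fi
  done
  return $missing
}

# Succeed only if a running gpg-agent was started with --enable-ssh-support
# (the grep line that ps shows for the check itself is excluded).
agent_has_ssh_support() {   # reads `ps -ef` output on stdin
  grep 'gpg-agent' | grep -v 'grep' | grep -q -- '--enable-ssh-support'
}

# Demonstration on the constructed samples: a temporary sshcontrol holding only
# the encryption subkey's keygrip fails the check; adding the auth keygrip fixes it.
demo() {
  local tmp
  tmp=$(mktemp)
  echo 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' > "$tmp"
  sshcontrol_has_auth_key "$SAMPLE_GPG_K" "$tmp" || echo '(failure expected above)'
  echo 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC' >> "$tmp"
  sshcontrol_has_auth_key "$SAMPLE_GPG_K" "$tmp"
  rm -f "$tmp"
  printf '%s\n' "$SAMPLE_PS" | agent_has_ssh_support && echo 'ok: gpg-agent has --enable-ssh-support'
}
demo
```

On a real machine the same functions take live output: `sshcontrol_has_auth_key "$(gpg -K --with-keygrip)" ~/.gnupg/sshcontrol` and `ps -ef | agent_has_ssh_support`. If the first check reports a missing keygrip, that is the value step 3 should have written to sshcontrol; if the second fails, the launchd job or the script it runs did not start gpg-agent with SSH support and ssh-add -L will not show the GPG key.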

Enjoy!

Have a hardware key? Use ControlPlane to start/stop the gpg-agent when your smartcard is attached/detached: https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh

gpg.agent.daemon.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.daemon</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/start-gpg-agent.sh</string>
</array>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
```
start-gpg-agent.sh

```bash
#!/bin/bash
# Stop any running agents so gpg-agent's SSH socket can take over
killall gpg-agent 2>/dev/null
killall ssh-agent 2>/dev/null
/usr/local/MacGPG2/bin/gpg-agent --enable-ssh-support --daemon
# Point the SSH_AUTH_SOCK path launchd hands to GUI apps at gpg-agent's SSH socket;
# refuse to run if it is unset, otherwise ln would create a stray link in the cwd
[ -n "$SSH_AUTH_SOCK" ] || { echo "SSH_AUTH_SOCK is not set" >&2; exit 1; }
ln -sf "$HOME/.gnupg/S.gpg-agent.ssh" "$SSH_AUTH_SOCK"
```