Note: This assumes that you have already generated your GPG keys (i.e., offline master key + subkeys) and have them in your Yubikey.
Recently, I switched from Arch Linux to Fedora 27 on the hosts that I use daily (my workstation, my "primary" laptop, and a "secondary" laptop). As best as I can recall, here are all of the steps I had to do in order to get things working in addition to some notes ("quoted") that I made at the time.
FWIW, this is greatly "summarized" but I think I've included most of the important bits. It's very possible that I've left out some pieces, though, so feel free to let me know if I've missed something.
getting ONLY gpg-agent (w/ ssh-agent support) to run -- without an instance of ssh-agent also being launched -- was a major pain in the ass! after some digging under /etc/X11/ i figured out a workaround... if we simply set the value of $SSH_AUTH_SOCK, the test that ends up setting the $SSH_AGENT variable will get skipped and a separate ssh agent will not get started (cf. end of /etc/X11/xinit/xinitrc-common).
XFCE apparently starts up its own instance of ssh-agent when a new session is created (i.e., when you log in). I wanted to get rid of that to avoid any conflicts or issues.
The recommended solution in the XFCE documentation didn't seem to completely address the issue. See also XFCE bug #11533: "xfce4-session starts gpg-agent".
I ended up also creating /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh:
$ cat 99-disable-ssh-agent.sh
#!/bin/sh
# If $SSH_AGENT, $SSH_AUTH_SOCK, and $SSH_AGENT_PID are all unset, then
# "ssh-agent" will get launched whether we fucking want it or not (hint:
# we don't). See the tests at the end of /etc/X11/xinit/xinitrc-common.
# Here, we set $SSH_AUTH_SOCK so that this test fails and "ssh-agent"
# will not be started. We're using "gpg-agent" instead, so we simply point
# the variable at the location where gpg-agent will shortly create its own
# SSH socket: /run/user/$(id -u)/gnupg/S.gpg-agent.ssh.
export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
$ sudo chmod 0755 /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh
$ sudo chcon -u system_u /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh
These last two commands might not be necessary but are included for posterity.
You'll want to create a configuration file for gpg-agent. Here's what mine looks like (after editing it, run gpg-connect-agent reloadagent /bye, or restart the agent, so the changes take effect):
$ cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 3600
default-cache-ttl-ssh 7200
enable-ssh-support
max-cache-ttl 3600
max-cache-ttl-ssh 7200
Likewise, you'll probably want to create ~/.gnupg/gpg.conf. Relevant pieces from mine (note that use-agent is a no-op on GnuPG 2.1 and later, which is what Fedora 27 ships; gpg always talks to the agent there, and the option is accepted but ignored):
default-key 0x7A589B9E077BA949
use-agent
Note: If you actually use GPG, see also OpenPGP Best Practices for some additional configuration options you'll want to set.
I also created a few "autostart overrides" to prevent various gnome-keyring components from starting up -- even though, in my case, they shouldn't get started anyways. You may or may not need them (and they won't hurt anything if you don't). They all have the exact same contents:
$ cd ~/.config/autostart
$ ls gnome-keyring-*.desktop
gnome-keyring-pkcs11.desktop gnome-keyring-secrets.desktop gnome-keyring-ssh.desktop
$ sha256sum gnome-keyring-*.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36 gnome-keyring-pkcs11.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36 gnome-keyring-secrets.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36 gnome-keyring-ssh.desktop
$ cat gnome-keyring-secrets.desktop
[Desktop Entry]
Hidden=true
X-GNOME-Autostart-enabled=false
logged out and restarted, verified no "ssh-agent" processes were running!
There are also a few things to do that are taken care of in your shell's startup/initialization files. The relevant stuff:
# gpg-agent needs to know which tty we're connected to (for pinentry)
if command -v gpg-agent > /dev/null 2>&1; then
    export GPG_TTY=$(tty)
fi
...
# refresh the tty that a running gpg-agent uses for pinentry: ssh cannot
# pass GPG_TTY to the agent itself, so tell the agent about this terminal
if [[ -n $GPG_TTY ]]; then
    if command -v gpg-connect-agent > /dev/null 2>&1; then
        gpg-connect-agent updatestartuptty /bye > /dev/null 2>&1
    fi
fi
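The two shell-init fragments above (the GPG_TTY export and the updatestartuptty refresh) and the socket path hard-coded in 99-disable-ssh-agent.sh can be pulled together into a few sh functions. The block below is an added example, not code from the original post: it asks gpgconf for the agent's SSH socket path instead of hard-coding /run/user/<uid>/gnupg/S.gpg-agent.ssh (falling back to that path if gpgconf is missing), launches gpg-agent explicitly (gpg starts it on demand, but ssh only knows the socket path and will not), and adds a post-login check for a stray ssh-agent. It assumes a GnuPG 2.1/2.2 gpgconf that understands --list-dirs agent-ssh-socket and --launch gpg-agent; pgrep is optional.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for using gpg-agent as
# the only SSH agent: derive the socket path from gpgconf instead of
# hard-coding it, start the agent before ssh needs it, tell it which tty to
# use for pinentry, and check that no separate ssh-agent crept in.

# Print gpg-agent's SSH socket path. Falls back to the Fedora-style path
# used in 99-disable-ssh-agent.sh when gpgconf is not installed.
gpg_ssh_socket_path() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s\n' "/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
    fi
}

# Return 0 when the given SSH_AUTH_SOCK value is gpg-agent's socket and
# 1 otherwise (empty, or a /tmp/ssh-XXXX/agent.NNN socket from ssh-agent).
sock_is_gpg_agent() {
    [ -n "$1" ] || return 1
    [ "$1" = "$(gpg_ssh_socket_path)" ]
}

# Environment setup for an interactive shell. gpg starts the agent on demand,
# but ssh only knows the socket path, so launch gpg-agent explicitly.
setup_gpg_ssh_agent() {
    if _tty=$(tty 2>/dev/null); then
        GPG_TTY=$_tty
        export GPG_TTY
    fi
    SSH_AUTH_SOCK=$(gpg_ssh_socket_path)
    export SSH_AUTH_SOCK
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --launch gpg-agent >/dev/null 2>&1
    fi
    # ssh cannot pass GPG_TTY to the agent, so point a running agent at
    # this terminal for the PIN prompt.
    if [ -n "${GPG_TTY:-}" ] && command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    fi
}

# Post-login sanity check. Prints each problem to stderr; returns 1 if any.
check_gpg_ssh_agent() {
    rc=0
    if ! sock_is_gpg_agent "${SSH_AUTH_SOCK:-}"; then
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} is not $(gpg_ssh_socket_path)" >&2
        rc=1
    fi
    if command -v pgrep >/dev/null 2>&1 && pgrep -x ssh-agent >/dev/null 2>&1; then
        echo "stray ssh-agent process(es) running: $(pgrep -x ssh-agent | tr '\n' ' ')" >&2
        rc=1
    fi
    if [ -S "${SSH_AUTH_SOCK:-}" ] && ! ssh-add -l >/dev/null 2>&1; then
        echo "agent socket is up but ssh-add -l lists no keys (YubiKey inserted?)" >&2
        rc=1
    fi
    return $rc
}
```

Source the file from ~/.bashrc (or your shell's equivalent) and call setup_gpg_ssh_agent; after logging in, run check_gpg_ssh_agent once to confirm that SSH_AUTH_SOCK points at gpg-agent, that no ssh-agent process exists, and that the YubiKey's key is visible through the socket.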
gpg2 --card-status was successful, ssh-add -l showed the ssh key on the yubikey, and "ssh REDACTED" was successful after being asked for and inputting the pin! yay!
Additionally, I've done the following:
- Run gpg --export-ssh-key <KEYID> and put the output into ~/.ssh/other_keys/KEYID.pub.
- At the end of my ~/.ssh/config file, in the "global" Host * section, I've put the following (amongst other options):
Host *
...
IdentitiesOnly yes
IdentityFile ~/.ssh/other_keys/KEYID.pub
...
- Point SSH_ASKPASS at a graphical program so that prompts issued by ssh or ssh-add themselves (a passphrase for a file-based key, a host-key confirmation) can be answered when there is no terminal. For example:
export SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
Note that the YubiKey PIN prompt does not come from ssh: gpg-agent raises it through its pinentry program, which you select with pinentry-program in ~/.gnupg/gpg-agent.conf (for instance /usr/bin/pinentry-gnome3 for a graphical dialog).
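One check worth doing after the IdentitiesOnly/IdentityFile step: confirm that the .pub file you exported is really one of the keys the agent offers. A plain diff against ssh-add -L does not work, because gpg --export-ssh-key writes an "openpgp:0x..." comment while gpg-agent lists the card key with a "cardno:..." comment. The block below is an added example, not code from the original post; it compares only the key type and base64 blob, and the sample key lines in it are constructed (not real keys).

```shell
#!/bin/sh
# Added example, not from the original post. The "cardno:" comment in
# `ssh-add -L` output differs from the "openpgp:0x..." comment written by
# `gpg --export-ssh-key`, so a plain diff of the two lines never matches.
# Compare only the key type and base64 blob, then confirm that the file
# named in IdentityFile is actually one the agent offers.

# Reduce an OpenSSH public-key line to "type base64" (comment dropped).
pubkey_blob() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# Return 0 when two public-key lines carry the same key, whatever the comment.
same_pubkey() {
    [ "$(pubkey_blob "$1")" = "$(pubkey_blob "$2")" ]
}

# Return 0 when the key in line $1 appears in the multi-line listing $2.
key_in_listing() {
    want=$(pubkey_blob "$1")
    printf '%s\n' "$2" | awk -v want="$want" '
        ($1 " " $2) == want { found = 1 }
        END { exit !found }'
}

# Return 0 when the IdentityFile at $1 matches a key the running agent
# offers (ssh-add -L). Run this with the YubiKey inserted.
identity_file_in_agent() {
    key_in_listing "$(head -n 1 "$1")" "$(ssh-add -L 2>/dev/null)"
}

# Constructed sample data (not real keys, not the post author's key): the
# line as exported by gpg, the same key as listed by gpg-agent, and an
# unrelated key that happens to be in the same agent.
SAMPLE_EXPORTED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeBlobForTheBlogPostExampleOnly0000 openpgp:0x0123456789ABCDEF'
SAMPLE_AGENT_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeBlobForTheBlogPostExampleOnly0000 cardno:000600001234'
SAMPLE_OTHER='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDifferentFakeBlob0000 user@laptop'
SAMPLE_LISTING="$SAMPLE_OTHER
$SAMPLE_AGENT_LINE"
```

In practice: identity_file_in_agent ~/.ssh/other_keys/KEYID.pub && echo ok. If it fails while ssh-add -L does list a cardno: key, the exported file was made from a different subkey than the one on the card; if ssh-add -L lists nothing, the agent is not reachable through SSH_AUTH_SOCK or the card is not present. Because IdentitiesOnly yes makes ssh offer only the listed IdentityFile, a mismatch here shows up as a silent "no more authentication methods" rather than a clear error, which is why the check is worth running once.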