@jlgaddis
Last active April 8, 2022 01:09
Yubikey + gpg-agent on Fedora 27 (XFCE)

Yubikey + gpg-agent (w/ SSH support) on Fedora 27

Note: This assumes that you have already generated your GPG keys (i.e., offline master key + subkeys) and have them in your Yubikey.

Recently, I switched from Arch Linux to Fedora 27 on the hosts that I use daily (my workstation, my "primary" laptop, and a "secondary" laptop). As best as I can recall, here are all of the steps I had to do in order to get things working in addition to some notes ("quoted") that I made at the time.

FWIW, this is greatly "summarized" but I think I've included most of the important bits. It's very possible that I've left out some pieces, though, so feel free to let me know if I've missed something.


Getting ONLY gpg-agent (w/ ssh-agent support) to run -- with an instance of ssh-agent also being launched -- was a major pain in the ass! After some digging under /etc/X11/ I figured out a workaround... If we simply set the value of $SSH_AUTH_SOCK, the test that ends up setting the $SSH_AGENT variable will get skipped and a separate ssh agent will not get started (cf. end of /etc/X11/xinit/xinitrc-common).

XFCE apparently starts up its own instance of ssh-agent when a new session is created (i.e., when you log in). I wanted to get rid of that to avoid any conflicts or issues.

The recommended solution in the XFCE documentation didn't seem to completely address the issue. See also XFCE bug #11533: "xfce4-session starts gpg-agent".

I ended up also creating /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh:

$ cat 99-disable-ssh-agent.sh
#!/bin/sh

# If $SSH_AGENT, $SSH_AUTH_SOCK, and $SSH_AGENT_PID are all unset, then
# "ssh-agent" will get launched whether we fucking want it or not (hint:
# we don't). See the tests at the end of /etc/X11/xinit/xinitrc-common.
# Here, we set $SSH_AUTH_SOCK so that this test fails and "ssh-agent"
# will not be started. We're using "gpg-agent" instead, so we simply set
# the variable to point to the location where it will be creating (here
# shortly) its own socket:  /run/user/$(id -u)/gnupg/S.gpg-agent.ssh.

export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"

$ sudo chmod 0755 /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh
$ sudo chcon -u system_u /etc/X11/xinit/xinitrc.d/99-disable-ssh-agent.sh

These last two commands might not be necessary but are included for posterity.

You'll want to create a configuration file for gpg-agent. Here's what mine looks like:

$ cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 3600
default-cache-ttl-ssh 7200
enable-ssh-support
max-cache-ttl 3600
max-cache-ttl-ssh 7200

Likewise, you'll probably want to create ~/.gnupg/gpg.conf. Relevant pieces from mine:

default-key 0x7A589B9E077BA949
use-agent

Note: If you actually use GPG, see also OpenPGP Best Practices for some additional configuration options you'll want to set.

I also created a few "autostart overrides" to prevent various gnome-keyring components from starting up -- even though, in my case, they shouldn't get started anyways. You may or may not need them (and they won't hurt anything if you don't). They all have the exact same contents:

$ cd ~/.config/autostart
$ ls gnome-keyring-*.desktop
gnome-keyring-pkcs11.desktop  gnome-keyring-secrets.desktop  gnome-keyring-ssh.desktop
$ sha256sum gnome-keyring-*.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36  gnome-keyring-pkcs11.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36  gnome-keyring-secrets.desktop
0cc7acc5713c833831d4df2a8ac814550e29e0ad7a15e7872152add712aa0c36  gnome-keyring-ssh.desktop
$ cat gnome-keyring-secrets.desktop
[Desktop Entry]
Hidden=true
X-GNOME-Autostart-enabled=false

Logged out and restarted, verified no "ssh-agent" processes were running!
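As an added check (my script, not part of the gist), the following mirrors the xinitrc-common test described above and verifies after login that gpg-agent, and not a stray ssh-agent, is behind $SSH_AUTH_SOCK. It assumes GnuPG 2.1 or later (for gpgconf --list-dirs agent-ssh-socket) and procps pgrep; the file name check-gpg-agent-ssh.sh is my own choice.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check the gpg-agent-as-ssh-agent setup.
# Assumes GnuPG >= 2.1 (gpgconf --list-dirs agent-ssh-socket) and procps (pgrep).

# Mirrors the test at the end of /etc/X11/xinit/xinitrc-common as the gist describes it:
# ssh-agent gets launched only when all three variables are unset/empty.
# Usage: xinitrc_would_start_ssh_agent "$SSH_AGENT" "$SSH_AUTH_SOCK" "$SSH_AGENT_PID"
xinitrc_would_start_ssh_agent() {
    [ -z "$1" ] && [ -z "$2" ] && [ -z "$3" ]
}

# True when a socket path is the one gpg-agent creates for its ssh-agent emulation
# (.../gnupg/S.gpg-agent.ssh), whatever the uid-specific runtime directory is.
is_gpg_agent_ssh_socket() {
    case "$1" in
        */gnupg/S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: compare the socket gpg-agent advertises with what SSH clients will use,
# confirm it exists, and make sure no ssh-agent process survived the session start.
check_live_session() {
    expected=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || {
        echo "gpgconf not available; is GnuPG 2.1+ installed?" >&2
        return 1
    }
    if [ "$SSH_AUTH_SOCK" != "$expected" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK but gpg-agent uses $expected" >&2
        return 1
    fi
    if [ ! -S "$expected" ]; then
        echo "$expected is not a socket; gpg-agent may not be running (try: gpg-connect-agent /bye)" >&2
        return 1
    fi
    if pgrep -x -u "$(id -u)" ssh-agent >/dev/null 2>&1; then
        echo "a stray ssh-agent is still running for this user" >&2
        return 1
    fi
    # ssh-add talks to $SSH_AUTH_SOCK, so this lists the key(s) served from the YubiKey.
    ssh-add -l
}

# Run the live check only when executed by name; sourcing the file just defines the helpers.
if [ "${0##*/}" = "check-gpg-agent-ssh.sh" ]; then
    check_live_session
fi
```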

There are also a few things to do that are taken care of in your shell's startup/initialization files. The relevant stuff:

# gpg-agent needs to know which tty we're connected to (for pinentry)
if which gpg-agent > /dev/null 2>&1; then
  export GPG_TTY=$(tty)
fi

...

# refresh "gpg-agent" tty
if [[ -n $GPG_TTY ]]; then
  if which gpg-connect-agent > /dev/null 2>&1; then
    gpg-connect-agent updatestartuptty /bye > /dev/null 2>&1
  fi
fi

gpg2 --card-status was successful, ssh-add -l showed the ssh key on the yubikey, and "ssh REDACTED" was successful after being asked for and inputting the pin! yay!


Additionally, I've done the following:

  • Run gpg --export-ssh-key <KEYID> and put the output into ~/.ssh/other_keys/KEYID.pub.

  • At the end of my ~/.ssh/config file, in the "global" Host * section, I've put the following (amongst other options):

Host *
    ...
    IdentitiesOnly yes
    IdentityFile ~/.ssh/other_keys/KEYID.pub
    ...
  • Point to a graphical application that prompts you for your PIN, when needed. For example: export SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
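Because IdentitiesOnly makes ssh offer only the key named in IdentityFile, it is worth confirming that the exported .pub really is the key gpg-agent serves before relying on it. The script below is an added example (mine, not from the gist): it exports the key for a KEYID, then compares the SHA256 fingerprint ssh-keygen computes for the file with the fingerprints ssh-add -l reports from the agent. It assumes OpenSSH 6.8 or later (SHA256 fingerprints) and a running gpg-agent; the file name check-exported-key.sh is my own choice.

```shell
#!/bin/sh
# Added example (not from the gist): verify that ~/.ssh/other_keys/KEYID.pub matches a key
# the agent actually offers, so "IdentitiesOnly yes" cannot silently lock you out.
# Assumes OpenSSH >= 6.8 (SHA256 fingerprints from ssh-keygen -l and ssh-add -l).

# Extract the SHA256:... fingerprint field from one line of ssh-keygen -l / ssh-add -l output.
fingerprint_of() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 when the fingerprint appears in an ssh-add -l listing passed as text.
agent_lists_fingerprint() {
    fp=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v fp="$fp" '$2 == fp { found = 1 } END { exit !found }'
}

# Live check: export the SSH public key for KEYID to PUBFILE, then confirm the agent
# offers the same fingerprint.  Usage: check_exported_key 0xKEYID ~/.ssh/other_keys/KEYID.pub
check_exported_key() {
    keyid=$1
    pubfile=$2
    gpg --export-ssh-key "$keyid" > "$pubfile" || return 1
    chmod 0644 "$pubfile"
    fp=$(fingerprint_of "$(ssh-keygen -lf "$pubfile")") || return 1
    if agent_lists_fingerprint "$fp" "$(ssh-add -l 2>/dev/null)"; then
        echo "agent serves $fp (matches $pubfile)"
    else
        echo "agent does not offer $fp; check SSH_AUTH_SOCK and that gpg-agent sees the card" >&2
        return 1
    fi
}

# Run the live check only when executed by name; sourcing the file just defines the helpers.
if [ "${0##*/}" = "check-exported-key.sh" ]; then
    check_exported_key "${1:?KEYID}" "${2:?path to .pub file}"
fi
```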