I recently migrated from Arch Linux to NixOS, but I have a problem: since my migration I can't use my Yubikey with ssh. I get an error when I do ssh-add <path of ssh key of type sk>:
Could not add identity "toto": agent refused operation
Whereas I can use it when I do ssh-keygen to create a key of type sk.
Here's my configuration.nix:
...
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
hardware.gpgSmartcards.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
...
Here's my home.nix:
...
programs.ssh = {
enable = true;
extraConfig = ''
IdentitiesOnly yes
IdentityAgent none
'';
};
services.gpg-agent = {
enable = true;
enableSshSupport = true;
enableExtraSocket = true;
enableScDaemon = true;
defaultCacheTtl = 60 * 60 * 6;
defaultCacheTtlSsh = 60 * 60 * 6;
};
I spent a couple weeks a long while ago trying to get gpg-agent, pinentry, and ssh working together; I didn’t have any luck :/
You can check if the gpg agent is correctly set for ssh:
❯ echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh
This is what I have in my configuration.nix:
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
I remember my team mates had an issue using Gnome, I can check with them if it’s still the case, just tell me.
Edit: if not already done you should also give ultimate trust to your key:
# import your GPG public key
gpg --import mykey.gpg
# if needed, find your key id
gpg -k --keyid-format long
# ultimate trust the key
gpg --edit-key 0xFFFFFFFFFFFFFFFF
> trust
> 5
> y
> save
# hopefully your key is there
ssh-add -L
I’ve tested your configuration, but it still doesn’t work, I get the same error
❯ echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh
❯ ssh-add -L
ssh-rsa AA ... == cardno:20_694_419
❯ ssh-add toto
Enter passphrase for toto:
Could not add identity "toto": agent refused operation
From what I understand, ssh-add serves to add an ssh private key, but currently the private key is on the Yubikey and should not be on your host. If ssh-add -L lists your key you should be able to ssh into hosts using it, did I miss something?
When I do ssh-add -L, it lists my Yubikey key and not my ssh key (ed25519-sk) which uses this Yubikey key. So no, I can't connect to the host.
Maybe we have different setups, I use the yubikey’s GPG auth subkey for SSH.
I don't remember well, I did it a while ago following Dr Duh's guide.
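As an added diagnostic (example code, not from any of the posters), the script below tells the two setups in this thread apart: it inspects SSH_AUTH_SOCK to see which agent is answering, and classifies each line of ssh-add -L output as an OpenSSH FIDO key (what ssh-keygen -t ed25519-sk produces), a GPG auth subkey on the card exposed through gpg-agent (the cardno: comment seen above), or an ordinary file-backed key. It assumes the outcome the thread arrives at, namely that ssh-add of an *-sk identity is only accepted by OpenSSH's own ssh-agent and is refused by gpg-agent's ssh emulation; the ssh-agent socket path patterns and the sample listing lines used in the check are constructed assumptions, not values from the page.

```bash
#!/usr/bin/env bash
# Added diagnostic for the two setups discussed in this thread (example code,
# not from any poster). Assumptions are marked below.

# Which agent is behind SSH_AUTH_SOCK? The gpg-agent path is the one shown in
# the thread; the ssh-agent patterns (/tmp/ssh-XXXX/agent.NNN, or a user
# socket named ssh-agent) are an assumption about common layouts.
classify_agent_socket() {
  case "$1" in
    "")                          echo "none" ;;
    */gnupg/S.gpg-agent.ssh)     echo "gpg-agent" ;;
    */agent.*|*/ssh-agent*)      echo "ssh-agent" ;;
    *)                           echo "unknown" ;;
  esac
}

# Classify one line of `ssh-add -L` output by key type and comment:
#   fido:<type>      OpenSSH FIDO key (ssh-keygen -t ed25519-sk / ecdsa-sk)
#   gpg-card:<type>  GPG auth subkey on the card, served by gpg-agent (cardno: comment)
#   software:<type>  ordinary file-backed key
classify_key_line() {
  local line=$1 type comment
  set -f; set -- $line; set +f      # split on whitespace without globbing
  type=$1; comment=${3:-}
  case "$type" in
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
      echo "fido:$type" ;;
    ssh-rsa|ssh-ed25519|ecdsa-sha2-*)
      case "$comment" in
        cardno:*) echo "gpg-card:$type" ;;
        *)        echo "software:$type" ;;
      esac ;;
    *) echo "unknown:$type" ;;
  esac
}

# Assumption taken from the thread's outcome: only OpenSSH's own ssh-agent
# accepts `ssh-add` of an *-sk identity; gpg-agent's ssh emulation answered
# "agent refused operation".
can_add_sk_key() {
  [ "$1" = "ssh-agent" ]
}

# Live check against the current environment (needs ssh-add on PATH).
diagnose() {
  local agent line
  agent=$(classify_agent_socket "${SSH_AUTH_SOCK:-}")
  echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $agent"
  ssh-add -L 2>/dev/null | while IFS= read -r line; do
    case "$line" in "The agent has no identities."*) continue ;; esac
    echo "  $(classify_key_line "$line")"
  done
  if can_add_sk_key "$agent"; then
    echo "ssh-add of an ed25519-sk/ecdsa-sk key should work here"
  else
    echo "ssh-add of an *-sk key will be refused; run OpenSSH's ssh-agent and point SSH_AUTH_SOCK at it"
  fi
}

# Run the live check with: bash agent-check.sh --live
if [ "${1:-}" = "--live" ]; then
  diagnose
fi
```

Run it with --live in the shell where ssh fails. A "gpg-card:" line next to a "gpg-agent" socket is the first poster's working setup; an "ed25519-sk" identity needs the socket to be OpenSSH's ssh-agent instead. One more thing to check independently of the agent: the posted home.nix sets IdentityAgent none, which tells ssh not to consult any agent at all, so even a correctly loaded key would not be offered until that line is removed or scoped to specific hosts.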