Yubikey smartcard & challenge mode usable on remote ssh

Help
15

No, I’m sorry for any confusion; the smartcard can be used for decryption and encryption operations remotely. However, things like --card-status do not work. My gpg authentication key is used for SSH as well.

I did forget that I had the private key on this machine for that example, my mistake. But I assure you, it still works. I can show an example in a bit.

EDIT: Okay, this one shows there are no private keys on either machine, and shows decryption working with forwarding: gist:0fd5ba0300ca69d17d40119f03b527f8 · GitHub

16

Hi @colemickens

Yep, i have the same worflow, ssh-add -l show on remote that my smartcard is correctly fwd and ready to decrypt/encrypt … but the life is not so simple :confused:

I try to reproduce the end of your workflow in gist, the encrypt/decrypt part that i never test before…

But i first had some bug/problem (https://github.com/NixOS/nixpkgs/issues/72597) with gpg-agent pinentry not spawing in “ncurse” mode correctly with systemd (don’t know why) and now when i try to encrypt on remote …

gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.20)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with the agent: Forbidden
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'test.txt' failed: Operation cancelled

Edit, linked to pinentry


gpgconf --check-programs
gpgconf: error running '/nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/pinentry': probably not installed

I install pinentry using configuration.nix, but path don’t correspond and gpg encrypt/decrypt continue to failed :

'/nix/store/aba4by40pyv40gd780px1ivcskdnsd1g-pinentry-1.1.0' from 'https://cache.nixos.org'...

A bug ?

Capture d’écran du 2020-09-12 22-33-37
Capture d’écran du 2020-09-12 22-33-37945×411 74.9 KB

Arg 2 hours lost for that :frowning:

Don’t found the problem with gpg, i open an issue here :
https://github.com/NixOS/nixpkgs/issues/97861

17

Just another tip: SSH Agent forwarding is completely unrelated to forwarding the GPG Agent socket. ssh-add -l working on remote means nothing about GPG-agent forwarding.

18

Even when i use gpg-agent to manage ssh like here => GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GPG and SSH ?

19

Yes. I am using a very similar setup as that article. If you are trying to use GPG to decrypt a file on a remote host, SSH forwarding is completely uninvolved.

You can see my gpg-agent config here: https://github.com/colemickens/nixcfg/blob/55eca45719c7dace75040e376b081d265dde765e/mixins/gpg-agent.nix

Interestingly, just last night, I was complaining about problems with gpg-agent where I had to reboot before pinentry would work. (But in that case, pinentry is being done locally, so if local encryption works, then remote should work once forwarding has been done properly.)

EDIT: to extend the demo I showed in the gist above, here I show me decrypting a file remotely WITHOUT -A, so you can see that the gpg forwarding is unrelated to ssh forwarding:

ssh -o "RemoteForward $rpath:$lpath" cole@192.168.1.155  gpg -d /tmp/test.txt.gpg
gpg: encrypted with 4096-bit RSA key, ID 0x62556A61E301DC21, created 2018-05-22
      "Cole Mickens <cole.mickens@gmail.com>"
this is a test
1 Like
20

Hi there, some news on that, someone answer on DrDuh yubikey issue (Questions about gpg smard card functionalities and yubikey configured with agent forwarding · Issue #212 · drduh/YubiKey-Guide · GitHub) that everything was possible (really ?). I doubt about the “challenge/response”, but i will try …

Actually the bug on pinentry is a problem to investigate more this, but nothing new on this point :
https://github.com/NixOS/nixpkgs/issues/97861

21

That issue contains the exact same information that I provided here.

22

This is the current version of the script that I use:

#!/nix/store/m3x04ap8d9rcj48aip0gn2325895a56g-bash-4.4-p23/bin/bash
set -x
lpath="$(/nix/store/7f0v170hh65ilhf31vkw2l3c4iz2hrd9-gnupg-2.2.23/bin/gpgconf --list-dirs agent-socket)"
rpath="$(/nix/store/b5fvqaf61fb67ayzirrc7zyk5x67yf7n-openssh-8.3p1/bin/ssh "$1" gpgconf --list-dirs agent-socket)"
ssh \
    -o "RemoteForward $rpath:$lpath.extra" \
    -o "RemoteForward $rpath.ssh:$lpath.ssh" \
    -o StreamLocalBindUnlink=yes \
    "$@"

This allows me to do SSH and GPG operations on my desktop computer, while sitting on the couch with my Yubikey plugged into my Pinebook.

(Note, this may contradict earlier (bad) information where I indicated I forwarded the gpg-socket and used -A, instead, you forward two gpg sockets, one for the restricted gpg operations, the other being the ssh compatible socket.)

2 Likes
23

Actually i run exactly these command without any success due to this f***** bug of pinentry / gpg-agent bug (see above). No news on that more than one month later. I’m near Ragequit out from nixos :confused: ?
Which version of nixos do you use actually @colemickens ?

24

I run nixos-unstable. I’ve also hit that issue. I’ve learned to never let gpg start gpg-agent. I always try to pkill -f gpg and then systemctl --user restart gpg-agent.socket gpg-agent-extra.socket gpg-agent-ssh.socket and then do whatever I’m trying to do, and things kind of work.

I have gnupg configured via home-manager:

    config.home-manager.users.cole = { pkgs, ... }: {
      services.gpg-agent = {
        enable = true;
        enableSshSupport = true;
        enableExtraSocket = true;
        defaultCacheTtl = 34560000;
        defaultCacheTtlSsh = 34560000;
        maxCacheTtl = 34560000;
        maxCacheTtlSsh = 34560000;
      };
    };

GPG “just works” whenever I call upon it to. When I reboot and run gopass, a graphical pinentry pops up and asks for my PIN. (This is in spite of the fact that I also get gpgconf: error running '/nix/store/6bv9n8yd2a6pqg2rr4gxbv6mwp03181y-gnupg-2.2.23/bin/pinentry': probably not installed from gpgconf --check-programs.)

1 Like
25

@colemickens I will retry with pinentry flavor=“curses”, and if after that things continue to don’t work, i move to graphical way like you do.

I hit another limitation, gpgconf is not present in initd gpgSupport with option boot.initrd.luks.gpgSupport. I don’t see how i could forward my Yubikey GPG by SSH to decrypt remote Luks without that ?

        boot.initrd.luks.gpgSupport = true;
        
        boot.initrd.luks.devices = {
          "enc-pv" = {
            name = "enc-pv";
            preLVM = true;
            device = "$luksuuid";
            gpgCard = {
              publicKey = ./gpg-yubikey.asc;
              encryptedPass = ./luks-passphrase-arkham.asc;
            };
            allowDiscards = true;
          };

I search into https://github.com/NixOS/nixpkgs/blob/release-20.09/nixos/modules/system/boot/luksroot.nix#L328 open_hardware() to see if that possible …

If gpg-conf is not available, i need to search which socket could i use for extra / forward.
The command to launch gpg in initrd :
gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null

I try this without success :

ssh -R /root/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes myremote
Enter passphrase for key '/home/xxx/.ssh/vps.xxx.xxx': 
Warning: remote port forwarding failed for listen path /root/.gnupg/S.gpg-agent
X11 forwarding request failed on channel 0
Last login: Mon Nov 23 16:32:19 2020 from xxxx
26

I don’t (yet) use GPG LUKS integration, sorry. I have a passphrase that I type out. I was just forced into a reboot though, and thought about how nice it would be to just type my GPG PIN so I might look at this soon.

1 Like
28

Ok i remove my last message, it was a stupid approach, i inject the bad key (gpg and not ssh pubkey of yubikey) …

So with these options (Yubikey smartcard & challenge mode usable on remote ssh - #25 by reyman), i had no problem to connect using my yubikey pubkey by ssh to initrd @colemickens

BUT ! After that, two things :

~ # gpg --card-status
gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running

There are probably something i don’t understand du to mixing GPG/SSH yubikey with smartcard :

I suppose this is linked to RemoteForward option not activated.

  • If i activate RemoteForward i need to know what is the default location of remote gpg-agent socket ?
    gpg-conf is not available on ash
  • gpg yubikey pubkey is already stored in nix store so i suppose the could work
29

I see you have same yubikey as I do and 1st problem to fix in your case is to fix card discovery.

gpg --card-status

-card-status 
Reader ...........: 1050:0305:X:0
Application ID ...: D27601012401030600021333406782000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 13220633
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 1 0 1
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
type or paste code here
30

Locally or remotly on serv ? Because localy everything works fine on my ubuntu 20.04 (i wait to switch on nixos). On serv, gpg-agent don’t even start correctly :

gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
31

I tested locally

Can you locate on remote gpg-agent?

32

Ok, so i try to debug more the GPGsmartcard/Initrd problem, see here @colemickens :
https://github.com/NixOS/nixpkgs/issues/106563

Any help from community is welcome, because all of this seem very broken :confused:

33

Found an answer but this is very very weird, we need some big bugfixes on gpg at initrd :
https://github.com/NixOS/nixpkgs/issues/106563#issuecomment-742652587

34

Thanks for this tip. I know this is probably not particularly on-topic for this thread, but in case someone else (like me) finds this thread from a google search, looking for a way to get ssh-add -s /path/to/opensc-pkcs11.so working with a Yubikey on NixOS, here’s the full description of what I needed to get it to work.

In /etc/nixos/configuration.nix, I needed:

  # I couldn't get this to work with gnupg's ssh-agent emulation, so I'm
  # using OpenSSH's ssh-agent instead.
  programs.gnupg.agent.enableSSHSupport = false;  # (this is the default)
  programs.ssh.startAgent = true;

  # New versions of OpenSSH seem to default to disallowing all `ssh-add -s`
  # calls when no whitelist is provided, so this becomes necessary.
  programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";

  # OpenSC can't read the Yubikey without this running.
  services.pcscd.enable = true;

  # This is to get a stable path for the whitelisted opensc-pkcs11.so file.
  environment.systemPackages = [ ... pkgs.opensc ... ];

And then to load my key into the SSH agent, I run the following (or rather put it in a script in my path):

$ ssh-add -e /run/current-system/sw/lib/opensc-pkcs11.so
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so
3 Likes
35

I just felt this pain.

Here is the TL;DR to fix it:

which pinentry-curses # ensure this succeeds before proceeding
echo "pinentry-program $(which pinentry-curses)" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent

If the first which command fails it means you don’t have pinentry-curses installed. You need to install it, using something approximately like:

nix-env -i $(nix build --no-link -f '<nixpkgs>' pinentry-curses)
1 Like