No, I’m sorry for any confusion; the smartcard can be used for decryption and encryption operations remotely. However, things like --card-status do not work. My gpg authentication key is used for SSH as well.
I did forget that I had the private key on this machine for that example, my mistake. But I assure you, it still works. I can show an example in a bit.
Yep, I have the same workflow; ssh-add -l shows on the remote that my smartcard is correctly forwarded and ready to decrypt/encrypt … but life is not so simple.
I tried to reproduce the end of your workflow in a gist, the encrypt/decrypt part that I had never tested before…
But I first had a bug/problem (https://github.com/NixOS/nixpkgs/issues/72597) with the gpg-agent pinentry not spawning correctly in “ncurses” mode with systemd (don’t know why), and now when I try to encrypt on the remote …
gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.20)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with the agent: Forbidden
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'test.txt' failed: Operation cancelled
Edit: linked to pinentry
gpgconf --check-programs
gpgconf: error running '/nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/pinentry': probably not installed
I installed pinentry using configuration.nix, but the path doesn’t correspond and gpg encrypt/decrypt continues to fail:
'/nix/store/aba4by40pyv40gd780px1ivcskdnsd1g-pinentry-1.1.0' from 'https://cache.nixos.org'...
Just another tip: SSH Agent forwarding is completely unrelated to forwarding the GPG Agent socket. ssh-add -l working on remote means nothing about GPG-agent forwarding.
Yes. I am using a very similar setup as that article. If you are trying to use GPG to decrypt a file on a remote host, SSH forwarding is completely uninvolved.
Interestingly, just last night, I was complaining about problems with gpg-agent where I had to reboot before pinentry would work. (But in that case, pinentry is being done locally, so if local encryption works, then remote should work once forwarding has been done properly.)
EDIT: to extend the demo I showed in the gist above, here I show me decrypting a file remotely WITHOUT -A, so you can see that the gpg forwarding is unrelated to ssh forwarding:
ssh -o "RemoteForward $rpath:$lpath" cole@192.168.1.155 gpg -d /tmp/test.txt.gpg
gpg: encrypted with 4096-bit RSA key, ID 0x62556A61E301DC21, created 2018-05-22
"Cole Mickens <cole.mickens@gmail.com>"
this is a test
This allows me to do SSH and GPG operations on my desktop computer, while sitting on the couch with my Yubikey plugged into my Pinebook.
(Note: this may contradict earlier (bad) information where I indicated I forwarded the gpg socket and used -A; instead, you forward two gpg sockets, one for the restricted gpg operations, the other being the ssh-compatible socket.)
Actually I ran exactly these commands without any success due to this f***** pinentry / gpg-agent bug (see above). No news on that more than one month later. I’m near to ragequitting from NixOS?
Which version of NixOS do you actually use, @colemickens?
I run nixos-unstable. I’ve also hit that issue. I’ve learned to never let gpg start gpg-agent. I always try to pkill -f gpg and then systemctl --user restart gpg-agent.socket gpg-agent-extra.socket gpg-agent-ssh.socket and then do whatever I’m trying to do, and things kind of work.
GPG “just works” whenever I call upon it to. When I reboot and run gopass, a graphical pinentry pops up and asks for my PIN. (This is in spite of the fact that I also get gpgconf: error running '/nix/store/6bv9n8yd2a6pqg2rr4gxbv6mwp03181y-gnupg-2.2.23/bin/pinentry': probably not installed from gpgconf --check-programs.)
@colemickens I will retry with pinentry flavor=“curses”, and if after that things still don’t work, I’ll move to the graphical way like you do.
I hit another limitation: gpgconf is not present in the initrd gpgSupport with the option boot.initrd.luks.gpgSupport. I don’t see how I could forward my Yubikey GPG by SSH to decrypt a remote LUKS volume without that?
If gpg-conf is not available, I need to find out which socket I could use for extra / forward.
The command to launch gpg in initrd: gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null
I tried this without success:
ssh -R /root/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes myremote
Enter passphrase for key '/home/xxx/.ssh/vps.xxx.xxx':
Warning: remote port forwarding failed for listen path /root/.gnupg/S.gpg-agent
X11 forwarding request failed on channel 0
Last login: Mon Nov 23 16:32:19 2020 from xxxx
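The socket forwarding attempted in the post above (and shown working in the earlier RemoteForward example) depends on knowing the local extra socket and the remote agent socket paths; this added script, not code from any poster, reads both from gpgconf output and builds the ssh options, with StreamLocalBindUnlink=yes so a stale remote socket file does not make the forward fail. The host name and the sample gpgconf listing are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forward the local gpg-agent "extra"
# (restricted) socket to the remote gpg-agent socket path over ssh.

# Constructed sample of `gpgconf --list-dirs` output, used for offline runs.
SAMPLE_LISTING='sysconfdir:/etc/gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Extract one entry from a `gpgconf --list-dirs` listing read on stdin.
# gpgconf percent-escapes unusual characters; plain paths pass through as-is.
gpg_dir_from_listing() {
    awk -F: -v key="$1" '$1 == key { print $2; exit }'
}

# Compose the ssh options: remote path listens, local extra socket answers.
# StreamLocalBindUnlink=yes lets sshd remove a leftover socket file; without it
# the session logs "remote port forwarding failed for listen path ...".
build_ssh_forward_opts() {
    local_sock=$1
    remote_sock=$2
    printf '%s %s' "-o RemoteForward=$remote_sock:$local_sock" \
        "-o StreamLocalBindUnlink=yes"
}

# Offline demo: resolve both paths from the sample listing (as if local and
# remote printed the same layout) and show the resulting options.
demo_forward_opts() {
    l=$(printf '%s\n' "$SAMPLE_LISTING" | gpg_dir_from_listing agent-extra-socket)
    r=$(printf '%s\n' "$SAMPLE_LISTING" | gpg_dir_from_listing agent-socket)
    build_ssh_forward_opts "$l" "$r"
}

# Live use: query gpgconf on both sides, then open the session. The remote
# host needs the public key imported; `gpg --card-status` still fails there
# because the extra socket is restricted, but decrypt/sign operations work.
forward_gpg_agent() {
    host=$1   # assumption: an ssh host alias such as "myremote"
    l=$(gpgconf --list-dirs | gpg_dir_from_listing agent-extra-socket)
    r=$(ssh "$host" gpgconf --list-dirs | gpg_dir_from_listing agent-socket)
    [ -n "$l" ] && [ -n "$r" ] || { echo "socket lookup failed" >&2; return 1; }
    ssh -o "RemoteForward=$r:$l" -o StreamLocalBindUnlink=yes "$host"
}
```

Run `forward_gpg_agent myremote` for a real session; `demo_forward_opts` prints the option string without touching the network.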
I don’t (yet) use GPG LUKS integration, sorry. I have a passphrase that I type out. I was just forced into a reboot though, and thought about how nice it would be to just type my GPG PIN so I might look at this soon.
gpg-agent doesn’t work when called from ash in initrd.
~ # gpg --card-status
gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
There is probably something I don’t understand due to mixing a GPG/SSH Yubikey with a smartcard:
I suppose this is linked to the RemoteForward option not being activated.
If I activate RemoteForward, I need to know what the default location of the remote gpg-agent socket is?
gpg-conf is not available on ash …
The gpg Yubikey pubkey is already stored in the nix store, so I suppose this could work.
Locally or remotely on the server? Because locally everything works fine on my Ubuntu 20.04 (I’m waiting to switch to NixOS). On the server, gpg-agent doesn’t even start correctly:
gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
Thanks for this tip. I know this is probably not particularly on-topic for this thread, but in case someone else (like me) finds this thread from a google search, looking for a way to get ssh-add -s /path/to/opensc-pkcs11.so working with a Yubikey on NixOS, here’s the full description of what I needed to get it to work.
In /etc/nixos/configuration.nix, I needed:
# I couldn't get this to work with gnupg's ssh-agent emulation, so I'm
# using OpenSSH's ssh-agent instead.
programs.gnupg.agent.enableSSHSupport = false; # (this is the default)
programs.ssh.startAgent = true;
# New versions of OpenSSH seem to default to disallowing all `ssh-add -s`
# calls when no whitelist is provided, so this becomes necessary.
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
# OpenSC can't read the Yubikey without this running.
services.pcscd.enable = true;
# This is to get a stable path for the whitelisted opensc-pkcs11.so file.
environment.systemPackages = [ ... pkgs.opensc ... ];
And then to load my key into the SSH agent, I run the following (or rather put it in a script in my path):