That issue contains the exact same information that I provided here.
This is the current version of the script that I use:
#!/nix/store/m3x04ap8d9rcj48aip0gn2325895a56g-bash-4.4-p23/bin/bash
set -x
lpath="$(/nix/store/7f0v170hh65ilhf31vkw2l3c4iz2hrd9-gnupg-2.2.23/bin/gpgconf --list-dirs agent-socket)"
rpath="$(/nix/store/b5fvqaf61fb67ayzirrc7zyk5x67yf7n-openssh-8.3p1/bin/ssh "$1" gpgconf --list-dirs agent-socket)"
ssh \
-o "RemoteForward $rpath:$lpath.extra" \
-o "RemoteForward $rpath.ssh:$lpath.ssh" \
-o StreamLocalBindUnlink=yes \
"$@"
This allows me to do SSH and GPG operations on my desktop computer, while sitting on the couch with my Yubikey plugged into my Pinebook.
(Note, this may contradict earlier (bad) information where I indicated I forwarded the gpg-socket and used -A
, instead, you forward two gpg sockets, one for the restricted gpg operations, the other being the ssh compatible socket.)
Actually i run exactly these command without any success due to this f***** bug of pinentry / gpg-agent bug (see above). No news on that more than one month later. I’m near Ragequit out from nixos ?
Which version of nixos do you use actually @colemickens ?
I run nixos-unstable
. I’ve also hit that issue. I’ve learned to never let gpg
start gpg-agent
. I always try to pkill -f gpg
and then systemctl --user restart gpg-agent.socket gpg-agent-extra.socket gpg-agent-ssh.socket
and then do whatever I’m trying to do, and things kind of work.
I have gnupg configured via home-manager
:
config.home-manager.users.cole = { pkgs, ... }: {
services.gpg-agent = {
enable = true;
enableSshSupport = true;
enableExtraSocket = true;
defaultCacheTtl = 34560000;
defaultCacheTtlSsh = 34560000;
maxCacheTtl = 34560000;
maxCacheTtlSsh = 34560000;
};
};
GPG “just works” whenever I call upon it to. When I reboot and run gopass
, a graphical pinentry pops up and asks for my PIN. (This is in spite of the fact that I also get gpgconf: error running '/nix/store/6bv9n8yd2a6pqg2rr4gxbv6mwp03181y-gnupg-2.2.23/bin/pinentry': probably not installed
from gpgconf --check-programs
.)
@colemickens I will retry with pinentry flavor=“curses”, and if after that things continue to don’t work, i move to graphical way like you do.
I hit another limitation, gpgconf
is not present in initd gpgSupport
with option boot.initrd.luks.gpgSupport
. I don’t see how i could forward my Yubikey GPG by SSH to decrypt remote Luks without that ?
boot.initrd.luks.gpgSupport = true;
boot.initrd.luks.devices = {
"enc-pv" = {
name = "enc-pv";
preLVM = true;
device = "$luksuuid";
gpgCard = {
publicKey = ./gpg-yubikey.asc;
encryptedPass = ./luks-passphrase-arkham.asc;
};
allowDiscards = true;
};
I search into https://github.com/NixOS/nixpkgs/blob/release-20.09/nixos/modules/system/boot/luksroot.nix#L328 open_hardware()
to see if that possible …
If gpg-conf is not available, i need to search which socket could i use for extra / forward.
The command to launch gpg in initrd :
gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null
I try this without success :
ssh -R /root/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes myremote
Enter passphrase for key '/home/xxx/.ssh/vps.xxx.xxx':
Warning: remote port forwarding failed for listen path /root/.gnupg/S.gpg-agent
X11 forwarding request failed on channel 0
Last login: Mon Nov 23 16:32:19 2020 from xxxx
I don’t (yet) use GPG LUKS integration, sorry. I have a passphrase that I type out. I was just forced into a reboot though, and thought about how nice it would be to just type my GPG PIN so I might look at this soon.
Ok i remove my last message, it was a stupid approach, i inject the bad key (gpg and not ssh pubkey of yubikey) …
So with these options (Yubikey smartcard & challenge mode usable on remote ssh - #25 by reyman), i had no problem to connect using my yubikey pubkey by ssh to initrd @colemickens
BUT ! After that, two things :
- smartcard is not detected with ssh with yubikey connection :
- gpg-agent don’t work when called from
ash
in initrd.
~ # gpg --card-status
gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
There are probably something i don’t understand du to mixing GPG/SSH yubikey with smartcard :
I suppose this is linked to RemoteForward
option not activated.
- If i activate RemoteForward i need to know what is the default location of remote gpg-agent socket ?
gpg-conf is not available onash
… - gpg yubikey pubkey is already stored in nix store so i suppose the could work
I see you have same yubikey as I do and 1st problem to fix in your case is to fix card discovery.
gpg --card-status
-card-status
Reader ...........: 1050:0305:X:0
Application ID ...: D27601012401030600021333406782000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 13220633
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 1 0 1
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
type or paste code here
Locally or remotly on serv ? Because localy everything works fine on my ubuntu 20.04 (i wait to switch on nixos). On serv, gpg-agent don’t even start correctly :
gpg: failed to start agent '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-gnupg-2.2.23/bin/gpg-agent': No such file or directory
I tested locally
Can you locate on remote gpg-agent?
Ok, so i try to debug more the GPGsmartcard/Initrd problem, see here @colemickens :
https://github.com/NixOS/nixpkgs/issues/106563
Any help from community is welcome, because all of this seem very broken
Found an answer but this is very very weird, we need some big bugfixes on gpg at initrd :
https://github.com/NixOS/nixpkgs/issues/106563#issuecomment-742652587
Thanks for this tip. I know this is probably not particularly on-topic for this thread, but in case someone else (like me) finds this thread from a google search, looking for a way to get ssh-add -s /path/to/opensc-pkcs11.so
working with a Yubikey on NixOS, here’s the full description of what I needed to get it to work.
In /etc/nixos/configuration.nix
, I needed:
# I couldn't get this to work with gnupg's ssh-agent emulation, so I'm
# using OpenSSH's ssh-agent instead.
programs.gnupg.agent.enableSSHSupport = false; # (this is the default)
programs.ssh.startAgent = true;
# New versions of OpenSSH seem to default to disallowing all `ssh-add -s`
# calls when no whitelist is provided, so this becomes necessary.
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
# OpenSC can't read the Yubikey without this running.
services.pcscd.enable = true;
# This is to get a stable path for the whitelisted opensc-pkcs11.so file.
environment.systemPackages = [ ... pkgs.opensc ... ];
And then to load my key into the SSH agent, I run the following (or rather put it in a script in my path):
$ ssh-add -e /run/current-system/sw/lib/opensc-pkcs11.so
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so
I just felt this pain.
Here is the TL;DR to fix it:
which pinentry-curses # ensure this succeeds before proceeding
echo "pinentry-program $(which pinentry-curses)" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
If the first which
command fails it means you don’t have pinentry-curses
installed. You need to install it, using something approximately like:
nix-env -i $(nix build --no-link -f '<nixpkgs>' pinentry-curses)