PGP Smart Card + SSH Login + GPG Agent + Ubuntu

pgp-card
I have setup a pgp smart to use with ssh on Ubuntu. Since some of the steps were less than intuitive, I have decided to write this guide. I will not cover how to create a key pair since there are plenty of easy to find guides on that topic.

The Goal

The card must be able to do the following

  • Sign / verifiy / encrypt documents as you would expect with gpg
  • Use gpg-agent
  • Use the private key on the card to log into remote ssh servers

The Hardware

The Steps

1. Plug in the card :-)

apt-get install gnupg2 gnupg-agent pcscd libpcsclite1 opensc gpgsm

I don’t know if they are all necessary, but I installed all of them before it worked for me. I know that gpgsm and gnupg-agent are needed.
2. Disable gpg and ssh parts of gnome-keyring:

mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.inactive
mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.inactive

3. Make sure pcscd is running:

ps -e | grep pcsc

if nothing shows up, try running “sudo pcscd”
4. Enable ssh support in gpg:

echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

5. Restart the computer
6. To see if things are working, try the following commands:

gpg --card-status

You should see many lines of output something like:

Application ID …: DA0209843
Version ……….: 2.0
Manufacturer …..: ZeitControl
Serial number ….: 002340
Name of cardholder: [not set]
Language prefs …: de
Sex …………..: unspecified
URL of public key : [not set]
[More Lines Here]

ssh-add -l

Should output your key fingerprint. If it says “The agent has no identities”, you will have trouble.
7. Put your key on the ssh server you want to log into:
This command will output the value you need to append to .authorized_keys on the server

gpgkey2ssh [key id]

8. Try it out:

ssh -v myuser@example.com

The “-v” flag just makes ssh output more info so you can see if your key is being used. You do not need to use it normally.

The following post was helpful in discovering how to make this work:
https://grepular.com/Smart_Cards_and_SSH_Authentication

Update for Ubuntu 14.04

I was unable to get it to work on Ubuntu 14.04 with just the instructions above. There seems to be a problem with multiple instances of gpg-agent running. If the one that captures the smart card doesn’t have ssh-support enabled, there will be problems. To work around this, I have added the following bash code to my .bashrc file:

if [ ! -f /tmp/gpg-agent.env ]; then
        killall gpg-agent;
        eval $(gpg-agent --daemon --enable-ssh-support > /tmp/gpg-agent.env);
fi
. /tmp/gpg-agent.env

To make GUI programs able to use the gpg-agent, I made new launchers for the programs that called the same code before spawning the program. Here is an example for thunderbird:

if [ ! -f /tmp/gpg-agent.env ]; then
        killall gpg-agent;
        eval $(gpg-agent --daemon --enable-ssh-support > /tmp/gpg-agent.env);
fi
. /tmp/gpg-agent.env
/usr/bin/thunderbird

I just put this code in a bash file and then pointed the .desktop file to launch it.

This entry was posted in Linux, Networking, System Administration and tagged , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>