Yubikey GnuPG + SSH Agent with Fish
Categories: Hacking
So I’ve had a lot of GPG issues over the last few months, and part of that has been me not bothering particularly to ensure I’ve got a consistent setup across my machines.
Part of the issue is that I’m using a yubikey, and keep having to look at external references to make sure it works consistently. I’m going to keep this as a reference for what I’ve used recently to make everything work.
Goals
So I want to use GPG for a few things:
- SSH Access to servers
- Signing emails for 57North where required
- Signing Debian packages
- Use pass on a variety of machines with 1 GPG key
- Super secret internet communications
With the yubikey as a common access key across my machines, this means I have a single key and don’t need to be tied to my dev desktop to do all the activities above. It’s a nice goal.
System Setup
My systems are, generally, based on Debian as I do an amount of packaging work on Debian. My desktop environments vary wildly as I like to change regularly - this has caused me issues in the past.
I use fish shell across all my machines as it makes me happy.
Required Software
For my GPG setup to run correctly, so far I’ve had to install:
apt install gnupg2 gnupg-agent dirmngr scdaemon pcscd hopenpgp-tools yubikey-personalization pinentry-curses
This puts all the pieces in place for the yubikey to act as my GPG smartcard and ssh auth token.
Required Configs
GnuPG
hibby@fennec ~> cat .gnupg/gpg-agent.conf
# https://github.com/drduh/config/blob/master/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gtk2
This enables SSH agent support and sets the pinentry program to a GTK popup. I prefer pinentry-curses on my terminal, but I just can’t make it work on fish.
Fish
This ensures that fish starts my gpg agent and knows where the socket is, via the correct environment variables.
I was missing this step for a long time.
hibby@fennec ~> cat .config/fish/gnupg.fish
# Ensure that GPG Agent is used as the SSH agent
# Drop any SSH_AUTH_SOCK inherited from ssh-agent or the desktop session,
# otherwise the session-scoped variable shadows the universal one set below
set -e SSH_AUTH_SOCK
# Point SSH at gpg-agent's ssh socket (universal and exported, so every fish session sees it)
set -U -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
# Tell gpg which terminal pinentry should use
set -x GPG_TTY (tty)
# Start gpg-agent if it is not already running
gpgconf --launch gpg-agent
After this, running ssh-add -L with the key attached will show your SSH public key; remove the key and it disappears.
Connect to a server such as GitHub to verify that it works: ssh git@github.com -vvvv should prompt you via pinentry and print a log of what it is doing. Verify that it used the right key. If not, back to debugging.
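As an added check that is not part of the original post, this POSIX shell script automates the verification above: it compares SSH_AUTH_SOCK with the socket gpgconf reports and counts the keys gpg-agent offers from the card. It assumes gpg-agent labels smartcard-backed keys in ssh-add -L output with a cardno:<serial> comment; the sample listing is constructed.

```shell
#!/bin/sh
# Added verification helpers for the setup above (not from the original post).
# Assumption: gpg-agent lists smartcard-backed keys in `ssh-add -L` with a
# "cardno:<serial>" comment, which separates the yubikey key from file-based keys.

# Does SSH_AUTH_SOCK point at gpg-agent's ssh socket, rather than a stray
# ssh-agent or keyring socket left over from the desktop session? 0 on a match.
check_agent_socket() {
    expected=$1   # output of: gpgconf --list-dirs agent-ssh-socket
    actual=$2     # current value of $SSH_AUTH_SOCK
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Keep only smartcard-backed keys from an `ssh-add -L` listing on stdin.
card_keys() {
    grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+ cardno:[0-9A-Za-z]+$'
}

# Number of card-backed keys in the listing on stdin (0 = yubikey not visible).
count_card_keys() {
    card_keys | wc -l | tr -d ' '
}

# Serial of the card each key came from, for comparison with `gpg --card-status`.
card_serials() {
    card_keys | sed -E 's/.* cardno:([0-9A-Za-z]+)$/\1/'
}

# Constructed sample listing: one key from the yubikey and one file-based key.
SAMPLE_LISTING='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 cardno:000612345678
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ hibby@fennec'

# Live check against the real agent; run as: sh gpg-ssh-check.sh run
live_check() {
    sock=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    if check_agent_socket "$sock" "$SSH_AUTH_SOCK"; then
        echo "ok: SSH_AUTH_SOCK is gpg-agent's socket ($sock)"
    else
        echo "FAIL: SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}, expected $sock"; return 1
    fi
    n=$(ssh-add -L 2>/dev/null | count_card_keys)
    echo "card-backed keys offered by gpg-agent: $n"
    [ "$n" -gt 0 ] || { echo "FAIL: no cardno: key; is the yubikey plugged in and scdaemon running?"; return 1; }
}

if [ "${1:-}" = run ]; then live_check; fi
```

With the yubikey unplugged the count drops to 0, which is the "remove the key, it disappears" behaviour described above, now as an exit status you can script against.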
References
- DrDuh - Great guideline on how all this works
- rnorth.org - Solved the fish problem