SSH login with Nitrokey Pro 2 on Linux

Security

In this tutorial, I will describe how you can get an SSH login with the Nitrokey Pro 2. The prerequisite is that you have already generated OpenPGP keys on the Nitrokey Pro 2.

I set it up on a desktop / server with Gentoo Linux. In principle, the whole thing should work with any distribution.

Prerequisites

Setup OpenPGP key as SSH key

Once the OpenPGP keys are set up on the Nitrokey Pro 2, you have to add the key to SSH in a terminal on the client (as your normal user). This is done with the command:

ssh-add

You can check whether the key is being used with the following command:

ssh-add -l

The output should then look something like this:

2048 SHA256:1Ttk8NzJ4BTr9xUqCI2y91ZFUQfUGvWuDpkPMn/JN9k cardno:000500001234 (RSA)

We now have to place this key in the “authorized_keys” file on the SSH server. The easiest way to do this is with:

ssh-copy-id username@server

Of course you have to replace “username” and “server” with your own values. After that, the key should be present in the “authorized_keys” file on the server.
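The two checks a practitioner usually wants after these steps are "is the key the agent offers really the one on the card?" and "did the key actually land in the server's authorized_keys?". The following shell functions are an added example (not code from the original post) that answer both from a listing in the shape of `ssh-add -l` and a file in the shape of authorized_keys. All listings and the public key blob are constructed sample data; only the fingerprint line is the one quoted above.

```shell
# Added example, not code from the original post: checks around the
# "ssh-add -l" and "ssh-copy-id" steps. Every listing and key below is
# constructed sample data; only the fingerprint line is the one quoted in the post.

# Constructed sample in the shape of `ssh-add -l` output: one key served from the
# smart card (gpg-agent labels it "cardno:<serial>") and one ordinary file key.
SAMPLE_AGENT_LISTING='2048 SHA256:1Ttk8NzJ4BTr9xUqCI2y91ZFUQfUGvWuDpkPMn/JN9k cardno:000500001234 (RSA)
4096 SHA256:CONSTRUCTEDFINGERPRINT0000000000000000000000 /home/user/.ssh/id_rsa (RSA)'

# Constructed sample public key in the shape of `ssh-add -L` output (the form
# ssh-copy-id writes into authorized_keys). The blob is not a real key.
SAMPLE_CARD_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleBlob cardno:000500001234'

# Print the fingerprint of the card-backed key in an `ssh-add -l` listing.
# Returns 1 when none is listed, which is the usual symptom when SSH_AUTH_SOCK
# does not point at gpg-agent.
card_key_fingerprint() {
    printf '%s\n' "$1" |
        awk '$3 ~ /^cardno:/ { print $2; found = 1; exit } END { exit !found }'
}

# Print the key size of the card-backed key (to enforce e.g. RSA >= 2048 bits).
card_key_bits() {
    printf '%s\n' "$1" | awk '$3 ~ /^cardno:/ { print $1; exit }'
}

# Return 0 when AUTHFILE contains PUBKEY, comparing key type and base64 blob
# only, so a different comment or leading options such as from="..." still match.
authorized_keys_has_key() {
    authfile=$1
    keytype=$(printf '%s\n' "$2" | awk '{ print $1 }')
    keyblob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    awk -v t="$keytype" -v b="$keyblob" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit !found }' "$authfile"
}

# Write a constructed authorized_keys file containing the sample card key
# behind another (also constructed) entry that carries options.
write_sample_authorized_keys() {
    printf '%s\n' '# constructed sample authorized_keys' \
        'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructedBlob admin@laptop' \
        "$SAMPLE_CARD_PUBKEY" > "$1"
}

# Stand-alone run: show the card key and confirm it reached the server file.
demo_dir=$(mktemp -d)
write_sample_authorized_keys "$demo_dir/authorized_keys"
echo "card key: $(card_key_bits "$SAMPLE_AGENT_LISTING") bits, $(card_key_fingerprint "$SAMPLE_AGENT_LISTING")"
if authorized_keys_has_key "$demo_dir/authorized_keys" "$SAMPLE_CARD_PUBKEY"; then
    echo "card key is present in authorized_keys"
fi
rm -rf "$demo_dir"
```

On a real system, feed `card_key_fingerprint "$(ssh-add -l)"` and `authorized_keys_has_key ~/.ssh/authorized_keys "$(ssh-add -L | grep cardno:)"` on the server side; a missing `cardno:` entry means ssh is talking to a different agent than gpg-agent.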

Setup GPG agent

In order for the whole magic to work, we now have to add the following to the “~/.gnupg/gpg.conf” file:

use-agent

If the file doesn’t exist, just create it. Next we need to edit the “~/.gnupg/gpg-agent.conf” file. Add the following:

enable-ssh-support

In the ~/.bashrc file we add the following:

unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

Now it is best to restart your computer so that all settings are applied. Once that’s done, you can try to log in to the SSH server.

If a password (not the PIN) is requested when logging in, the GPG agent is probably not running; at least that was the case for me. You can start it with this command:

gpg-connect-agent updatestartuptty /bye

Setup pinentry for SSH login

To use GnuPG with Pinentry add the following to the “~/.gnupg/gpg-agent.conf” file:

pinentry-program /usr/bin/pinentry
no-grab
default-cache-ttl 1800

Finally, let’s add the following lines to the user’s ~/.bashrc file:

export GPG_TTY=$(tty)
if [[ -n "$SSH_CONNECTION" ]]; then
    export PINENTRY_USER_DATA="USE_CURSES=1"
fi

Here, too, a computer restart is advisable. Alternatively, logging out of and back in to the console should also work. The PIN prompt should now appear whenever the card requires a PIN.
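When the login still asks for a passphrase instead of the PIN, the cause is almost always one of the settings from the “Setup GPG agent” and “Setup pinentry for SSH login” sections being missing, commented out, or overridden by another agent. The following check script is an added example (not code from the original post) that verifies those settings. It runs against constructed GNUPGHOME directories in a temp dir so nothing in the real ~/.gnupg is touched; the socket paths passed in are constructed as well.

```shell
# Added example, not code from the original post: verify that the GnuPG
# configuration and the SSH_AUTH_SOCK value look the way the tutorial describes.
# Runs against constructed GNUPGHOME directories; the socket paths are constructed too.

# Return 0 when FILE has DIRECTIVE on an active (non-comment) line.
has_directive() {
    file=$1 directive=$2
    [ -r "$file" ] && grep -Eq "^[[:space:]]*$directive([[:space:]]|$)" "$file"
}

# Check one GnuPG home directory plus the SSH_AUTH_SOCK value the shell exports.
# Prints one line per problem and returns the number of problems (0 = all good).
check_gpg_ssh_setup() {
    home=$1 sock=$2 problems=0
    perm=$(ls -ld "$home" | cut -c1-10)
    case $perm in
        d???------) ;;     # gpg expects the directory closed to group and others
        *) echo "unsafe permissions on $home ($perm), expected drwx------"
           problems=$((problems + 1)) ;;
    esac
    has_directive "$home/gpg.conf" use-agent ||
        { echo "gpg.conf: missing 'use-agent'"; problems=$((problems + 1)); }
    has_directive "$home/gpg-agent.conf" enable-ssh-support ||
        { echo "gpg-agent.conf: missing 'enable-ssh-support'"; problems=$((problems + 1)); }
    has_directive "$home/gpg-agent.conf" pinentry-program ||
        { echo "gpg-agent.conf: no 'pinentry-program', PIN prompts may not appear"; problems=$((problems + 1)); }
    case $sock in
        */S.gpg-agent.ssh) ;;   # what `gpgconf --list-dirs agent-ssh-socket` returns
        *) echo "SSH_AUTH_SOCK='$sock' is not gpg-agent's SSH socket, so ssh will not see the card key"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Create a constructed GNUPGHOME: COMPLETE=yes mirrors the tutorial, anything
# else reproduces the common slips (directive commented out, open permissions).
make_sample_home() {
    dir=$1 complete=$2
    mkdir -p "$dir"
    if [ "$complete" = yes ]; then
        chmod 700 "$dir"
        printf 'use-agent\n' > "$dir/gpg.conf"
        printf '%s\n' enable-ssh-support 'pinentry-program /usr/bin/pinentry' \
            no-grab 'default-cache-ttl 1800' > "$dir/gpg-agent.conf"
    else
        chmod 755 "$dir"
        : > "$dir/gpg.conf"                                       # use-agent forgotten
        printf '# enable-ssh-support\n' > "$dir/gpg-agent.conf"  # present but commented out
    fi
}

# Stand-alone run over both constructed homes.
demo_root=$(mktemp -d)
make_sample_home "$demo_root/good" yes
make_sample_home "$demo_root/bad" no
check_gpg_ssh_setup "$demo_root/good" "/run/user/1000/gnupg/S.gpg-agent.ssh" && echo "good: no problems"
check_gpg_ssh_setup "$demo_root/bad" "/tmp/ssh-constructed/agent.123" || echo "bad: $? problem(s)"
rm -rf "$demo_root"
```

Against a live system, call `check_gpg_ssh_setup "$HOME/.gnupg" "$SSH_AUTH_SOCK"` from the same shell that is failing; the socket check catches the case where a desktop-started ssh-agent has overridden the value exported in ~/.bashrc.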

Automate GPG Agent launch with KDE 5

As mentioned above, the GPG agent does not start automatically at system startup. It also has to be started separately for each user, under that user's own account, since the agent holds that user's keys.

In my case I use KDE 5. To start the agent automatically we edit the file “/etc/xdg/plasma-workspace/env/10-agent-startup.sh”. The file should then look something like this:

GPG_AGENT=true
#SSH_AGENT=true # would start the plain ssh-agent; the last assignment wins
SSH_AGENT=gpg # use gpg-agent for ssh instead of ssh-agent

if [ "${GPG_AGENT}" = true ]; then
        if [ -x /usr/bin/gpgconf ]; then
                gpgconf --launch gpg-agent >/dev/null 2>&1
                if [ $? = 2 ]; then
                        eval "$(/usr/bin/gpg-agent --enable-ssh-support --daemon)"
                fi
        fi
fi

if [ "${SSH_AGENT}" = true ]; then
        if [ -x /usr/bin/ssh-agent ]; then
                eval "$(/usr/bin/ssh-agent -s)"
        fi
elif [ "${SSH_AGENT}" = gpg ] && [ "${GPG_AGENT}" = true ]; then
        if [ -e /run/user/$(id -ru)/gnupg/S.gpg-agent.ssh ]; then
                export SSH_AUTH_SOCK=/run/user/$(id -ru)/gnupg/S.gpg-agent.ssh
        elif [ -e "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
                export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
        fi
fi

For automated shutdown we edit the file “/etc/xdg/plasma-workspace/shutdown/10-agent-shutdown.sh”, which should look like this:

# gnupg 2.0.x
#if [ -n "${GPG_AGENT_INFO}" ]; then
#       kill $(echo ${GPG_AGENT_INFO} | cut -d':' -f 2) >/dev/null 2>&1
#fi

# gnupg 2.1.x
gpgconf --kill gpg-agent >/dev/null 2>&1

if [ -n "${SSH_AGENT_PID}" ]; then
        eval "$(ssh-agent -s -k)"
fi

Now the agent should start automatically after a system restart. It should now be possible to log in to an SSH server with the Nitrokey Pro 2.
