In this tutorial, I will describe how you can get an SSH login with the Nitrokey Pro 2. The prerequisite is that you have already generated OpenPGP keys on the Nitrokey Pro 2.
I set it up on a desktop / server with Gentoo Linux. In principle, the whole thing should work with any distribution.
Prerequisites
- Nitrokey Pro 2 setup
- OpenPGP Key on Nitrokey Pro 2
- GnuPG version >= 2.2.15
Setup OpenPGP key as SSH key
Once the OpenPGP keys are set up on the Nitrokey Pro 2, you have to add the key to SSH from a console on the client, as the user who will log in. This is done with the command:
ssh-add
You can check whether the key is being used with the following command:
ssh-add -l
The output should then look something like this:
2048 SHA256:1Ttk8NzJ4BTr9xUqCI2y91ZFUQfUGvWuDpkPMn/JN9k cardno:000500001234 (RSA)
We now have to place this key in the “authorized_keys” file on the SSH server. The easiest way to do this is with:
ssh-copy-id username@server
Of course you have to replace “username” and “server” with your data! After that, the key should be present in the file on the server.
Setup GPG agent
In order for the whole magic to work, we now have to add the following to the “~/.gnupg/gpg.conf” file:
use-agent
If the file doesn’t exist, just create it. Next we need to edit the “~/.gnupg/gpg-agent.conf” file. Add the following:
enable-ssh-support
In the ~/.bashrc file we add the following:
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
Now it is best to restart your computer so that all settings are applied. Once that’s done, you can try to log in to the SSH server.
If a password (not a PIN) is requested when logging in, the GPG agent is probably not running; at least that was the case for me. You can start it with this command:
gpg-connect-agent updatestartuptty /bye
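As an added example (not part of the original tutorial), here is a small POSIX shell script that checks the three things this section relies on: that gpg-agent.conf enables SSH support, that SSH_AUTH_SOCK points at gpg-agent’s SSH socket rather than a plain ssh-agent, and that `ssh-add -l` actually offers a card-backed key (these show a `cardno:` serial instead of a file path). The function names and the sample data are my own; the first listing line is the one quoted above, the second is a constructed file-backed key.

```shell
# 1) gpg-agent.conf must contain enable-ssh-support on a line of its own.
has_ssh_support() {
    grep -qE '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# 2) SSH_AUTH_SOCK must be gpg-agent's SSH socket, in one of the two places
#    gpg-agent puts it (XDG runtime dir or ~/.gnupg), not an ssh-agent socket.
sock_is_gpg_agent() {
    case "$1" in
        /run/user/*/gnupg/S.gpg-agent.ssh) return 0 ;;
        */.gnupg/S.gpg-agent.ssh)          return 0 ;;
        *)                                 return 1 ;;
    esac
}

# 3) Count keys in `ssh-add -l` output (stdin) whose comment is a card serial.
count_card_keys() {
    grep -c ' cardno:[0-9A-Za-z]' || true   # grep exits 1 on zero matches
}

# Run all checks; prints one line per check, returns non-zero if any failed.
check_setup() {
    conf="$1" sock="$2" listing="$3" rc=0
    if has_ssh_support "$conf"; then echo "ok   enable-ssh-support in $conf"
    else echo "FAIL enable-ssh-support missing in $conf"; rc=1; fi
    if sock_is_gpg_agent "$sock"; then echo "ok   SSH_AUTH_SOCK=$sock"
    else echo "FAIL SSH_AUTH_SOCK=$sock is not gpg-agent's socket"; rc=1; fi
    n=$(printf '%s\n' "$listing" | count_card_keys)
    if [ "$n" -gt 0 ]; then echo "ok   $n card-backed key(s) offered to SSH"
    else echo "FAIL no cardno: key in ssh-add -l output"; rc=1; fi
    return $rc
}

# Constructed sample data so the script runs offline without a Nitrokey.
SAMPLE_CONF=$(mktemp)
printf 'enable-ssh-support\npinentry-program /usr/bin/pinentry\n' > "$SAMPLE_CONF"
SAMPLE_LISTING='2048 SHA256:1Ttk8NzJ4BTr9xUqCI2y91ZFUQfUGvWuDpkPMn/JN9k cardno:000500001234 (RSA)
3072 SHA256:constructedFileKeyFingerprintXXXXXXXXXXXXXXXXXXXX user@laptop (RSA)'

check_setup "$SAMPLE_CONF" "/run/user/1000/gnupg/S.gpg-agent.ssh" "$SAMPLE_LISTING"
rm -f "$SAMPLE_CONF"
```

On a real client, run `check_setup ~/.gnupg/gpg-agent.conf "$SSH_AUTH_SOCK" "$(ssh-add -l)"` with the Nitrokey inserted; a FAIL on the socket line usually means the ~/.bashrc export above has not taken effect in the current shell.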
Setup pinentry for SSH login
To use GnuPG with Pinentry, add the following to the “~/.gnupg/gpg-agent.conf” file:
pinentry-program /usr/bin/pinentry
no-grab
default-cache-ttl 1800
Finally, let’s add the following lines to the user’s ~/.bashrc file:
export GPG_TTY=$(tty)
if [[ -n "$SSH_CONNECTION" ]]; then
    export PINENTRY_USER_DATA="USE_CURSES=1"
fi
Here, too, a computer restart is advisable. Alternatively, logging out and back in to the console should also work. The PIN prompt should now appear whenever the card asks for a PIN.
Automate GPG Agent launch with KDE 5
As already mentioned, the GPG Agent does not start automatically at system startup. The agent must also be started for each specific user with appropriate rights.
In my case I use KDE 5. To start the agent automatically we edit the file “/etc/xdg/plasma-workspace/env/10-agent-startup.sh”. The file should then look something like this:
GPG_AGENT=true
# SSH_AGENT=true would start a plain ssh-agent; the line below overrides it.
SSH_AGENT=gpg # use gpg-agent for ssh instead of ssh-agent
if [ "${GPG_AGENT}" = true ]; then
    if [ -x /usr/bin/gpgconf ]; then
        # gpgconf --launch returns 2 if it could not start the agent itself
        gpgconf --launch gpg-agent >/dev/null 2>&1
        if [ $? = 2 ]; then
            eval "$(/usr/bin/gpg-agent --enable-ssh-support --daemon)"
        fi
    fi
fi
if [ "${SSH_AGENT}" = true ]; then
    if [ -x /usr/bin/ssh-agent ]; then
        eval "$(/usr/bin/ssh-agent -s)"
    fi
elif [ "${SSH_AGENT}" = gpg ] && [ "${GPG_AGENT}" = true ]; then
    # point SSH at gpg-agent's SSH socket (runtime dir first, then ~/.gnupg)
    if [ -e /run/user/$(id -ru)/gnupg/S.gpg-agent.ssh ]; then
        export SSH_AUTH_SOCK=/run/user/$(id -ru)/gnupg/S.gpg-agent.ssh
    elif [ -e "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
        export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
    fi
fi
For automated shutdown we edit the file “/etc/xdg/plasma-workspace/shutdown/10-agent-shutdown.sh”:
# gnupg 2.0.x
#if [ -n "${GPG_AGENT_INFO}" ]; then
#    kill $(echo ${GPG_AGENT_INFO} | cut -d':' -f 2) >/dev/null 2>&1
#fi
# gnupg 2.1.x
gpgconf --kill gpg-agent >/dev/null 2>&1
if [ -n "${SSH_AGENT_PID}" ]; then
    eval "$(ssh-agent -s -k)"
fi
Now the agent should start automatically after a system restart. It should now be possible to log in to an SSH server with the Nitrokey Pro 2.