PGP Auth Cert + SSH
So… I’ve been struggling with how to effectively leverage PGP auth certs with SSH. I keep my SSH keys locked up on encrypted media. It’s a PITA to
- Find the media
- Unlock the full disk crypto
- ssh -i /big/long/path [email protected]
- Finish ssh session
- Unwind mounted filesystem and full disk crypto
- Put media back where it belongs (a safe place)
That’s just a procedure in a half.
PGP To The Rescue?
Thankfully PGP has auth certs 😀
The links I found and read through that make many claims of making life easier. I recommend you read these (at a minimum, skim)
- Good if not dated info (link)
- Yubico Windows docs (link)
- Yubico SSH PGP landing page (link)
- A nice long, comprehensive read (link)
Good! Now that you’ve read the info, is your head spinning? Mine was and has been until just before I started writing this post. There is a ton of general information, techical cruft and the minutiae. Oh the minutiae!
I’ve gone through the documentation above backwards, forwards and standing on my head. I re-created all of the steps and never quite figured out the ‘magic’ that was SSH authn. All of the guides LOVE to show you how to setup a Yubikey, what fiddly 💩 you need for the gpg agent to work as an ssh agent and more. I managed to configure the gpg / ssh agent ‘stuff’…
They dont FUCKING tell you how the hell to setup the SSH server end.
authorized_keys is a thing, it’s standard and well-known. How shall I setup my PGP key as an SSH authorized key? Is that even the right thing to do? What the FUCK?
After the 5th read of this old, barely current post (link) I noticed a gem buried in the wall of text towards the end
gpgkey2ssh [blah blah blah]. At the end of a very technically dense, wall of text. Well past the point where even the most robust mind will start leaking from the ears.
Well then! That looks like something helpful.
Nope, thats a failure and a success
I scampered off to my command line, ran the command and… kaboom.
Command not found. Well that’s a kick to the genetalia. Time to search fu.
Some searches turned up
gpg --export-ssh-key. Seems they may have been yelled at in the past for making things more diffult than necessary and ‘simplified’ life for us.
Some further exploring the command line and…
gpg --export-ssh-key [your key id here]
Dump that output into
🎶 I’m IN! IT WORKS 🎶
[Editors note: A ‘happy dance’ may have been involved. No hamsters were harmed.]
What do you need to do?
The documentation that’s well known and heavily cross referenced online skips over the simple command
gpg --export-ssh-key [your key id here] quite often. It’s as if they beg you to slog through the man page and other docs to find the one piece you may care about while reading a very comprehensive guide.
Once you discover that command it’s a simple process of
- Setup the ssh agent stuff (see above articles for comprehensive information) for your chosen PGP poison pill
gpg export-ssh-key [your key id here]
- Copy output
- Paste into
authorized_keyson the host you want to SSH into
- Enjoy your PGP authn cert
I hope this helps someone. I know I was more lost and confused than I care to admit.