
Improving Agent Forwarding section #88

Merged: 5 commits, Jan 18, 2019

Conversation

@Wheest (Sponsor, Contributor) commented Jan 7, 2019

No description provided.

@Wheest mentioned this pull request Jan 7, 2019

@cboettig left a comment
Just adding my 2c as a user who's struggled through these directions on various sites, hope these comments are helpful.


You should then be able to use your YubiKey as if it were connected to the remote machine.

If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information.
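Review bot: "add the following information" in the second sentence does not say which file is meant or that the running agent has to pick the change up; suggest naming the path (`~/.gnupg/gpg-agent.conf`) and adding that the agent must be restarted afterwards, e.g. with `gpgconf --kill gpg-agent`, before re-testing. The "both your remote and local machines" wording also needs a reference, since only the local agent serves requests over the forwarded socket.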

Do we have any confirmation or reference that this should be done on both? I'm pretty sure that this is not required on the remote machine, and may be misleading (in the sense that it implies you have the gpg-agent running on both platforms, which I think can actually create a problem, some instructions say to kill the remote gpg-agent to make sure it's not running but using the forwarded agent from the socket)...


You should then be able to use your YubiKey as if it were connected to the remote machine.

If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information.

This configuration still wasn't enough for me. I had to also do `gpg --export-ssh-key > ~/.ssh/id_rsa_yubikey`, `chown 600 ~/.ssh/id_rsa_yubikey` and add `IdentityFile ~/.ssh/id_rsa_yubikey` before I could ssh using only my YubiKey public ssh key. Otherwise it would only work if I also had some other private ssh key. The documentation suggests this isn't necessary, and this guide has suggested that you can use the public key as the `IdentityFile`, but that always throws a format error, as you might expect.

We may also need to note that the public ssh key (from `ssh-add -L`) needs to be added to the remote `~/.known_hosts`.

@@ -1356,6 +1356,59 @@ $ ssh-add -E md5 -l

When using the key `pinentry` will be invoked to request the key's passphrase. The passphrase will be cached for up to 10 minutes idle time between uses, to a maximum of 2 hours.

## Remote Machines (agent forwarding)
Owner left a comment:

Could you add this to TOC?


- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes`

- _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding).
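Review bot: the hardcoded path in `rm /run/user/1000/gnupg/S.gpg-agent` only holds for UID 1000; suggest telling the reader to resolve the socket path on the remote machine with `gpgconf --list-dirs agent-socket` instead. The first bullet should also say that sshd has to be reloaded after `/etc/ssh/sshd_config` is edited for `StreamLocalBindUnlink yes` to take effect, and the second bullet is missing a space after `_(optional)_`.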
Owner left a comment:

Let's use **Optional** format.


If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". This section should help you setup GPG and SSH agent forwarding.

To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine.
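Review bot: "machime" in the second paragraph is a typo for "machine", and "help you setup" should read "help you set up" (verb). Since this paragraph introduces the feature, consider one sentence stating that the remote machine must be trusted, because the forwarded agent socket is usable by anyone with sufficient privileges on that host.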
Owner left a comment:

machine*

@drduh drduh merged commit 200df28 into drduh:master Jan 18, 2019