Instructions to setup nitrokey to use with SSH with Ubuntu 17.10

I had my nitrokey setup for SSH and it worked on Ubuntu 17.04.
I recently upgraded to 17.10 and it still works for signing email, but it does not work for ssh anymore.

I searched for guides, but most are quite old and they seem to assume Ubuntu is still using upstart.
I am pretty sure I followed this guide previously:

However, since that assumes upstart, it is not applicable any more.
I have already tried quite a few things, but I seem unable to make it work.

Does anyone have a nice write up on how to do it?
Or else, we should probably work on a step by step guide for this.

Hi @wligtenberg,

I have this on my todo-list anyway. So I try to do it now as soon as possible! I tell you when I am ready.

In the meantime: if anybody has good hints for a specific Ubuntu setup, tell us (I have it working on ArchLinux, which is obviously a bit different).

Kind regards
Alex


You will at least have your first tester then. :slight_smile:

Hi,

you can find adapted instructions on our website. This should work for Ubuntu 16.04 and 17.10, but I tested with newly registered accounts only.

So let me know if you have any problems getting it working on your specific setup :blush: In theory this approach should work on most systems…

Kind regards
Alex

mmm, my ssh still wants to use password authentication.
Even though the key is already in authorized_keys on the server. For some reason it seems to prefer password based authentication over key based…

Hi,

can you give me an insight of your gpg.conf and gpg-agent.conf?

What does

echo $SSH_AUTH_SOCK

return? Is it a valid folder? Is there a file called S.gpg-agent.ssh in there? Did you try

gpg2 --card-status

before invoking the ssh command? For me it was sometimes needed after login.

Kind regards
Alex

echo $SSH_AUTH_SOCK

results in:

/home/<username>/.gnupg/S.gpg-agent.ssh

although I fixed that, because initially it did not have a slash between my home dir and .gnupg (I think that is an error in the instructions).
The directory exists, but no S.gpg-agent.ssh is there.

I did try again after invoking gpg2 --card-status but no luck.

Hi,

it seems pretty difficult to give generic advice on how to do this, as this behaviour changed across different GnuPG versions and systems :roll_eyes: I tried to change that a bit now. Thanks for the hint!

That's fine. It will be created when gpg-agent is actually doing what it is supposed to for the first time :blush:

So, you made sure that 'use-agent' is in gpg.conf, 'enable-ssh-support' is in gpg-agent.conf, and you could use pubkey auth for the server you'd like to ssh into before? Mh… :thinking:

Did you try?
pkill gpg-agent; gpg2 --card-status; ssh …

Kind regards
Alex

I double checked gpg.conf contains use-agent and it is uncommented.
gpg-agent.conf only contains enable-ssh-support. :slight_smile:

I tried your suggestion, still no luck.
I also checked sshd_config on the server, and it contains
PubkeyAuthentication yes

so it should be good, right? (as my pub-key is also in ~/.ssh/authorized_keys there.)

Mh, interesting. Would you mind creating a new user and following the instructions for this one? As I said, I only tested with new accounts (as I do not use Ubuntu on a regular basis). Either something is not running at all on your system, or something old in the configs of your user is interfering. I would like to differentiate what's the case here…

EDIT: Just to be sure: you double checked the authorized_keys file against the output of 'gpg2 --export-ssh-key [keyID]' as well, did you?

EDIT2: Em… and do you have more than one private key in your gnupg keyring, and do you have an old id_rsa in your ~/.ssh? Maybe this can interfere as well.

I had another user that I never set this up for.
I used that one with your instructions and I had to add the following step:

gpg --card-edit
fetch
quit

Before gpg2 --card-status would show the ids to allow me to export it.

Then I exported the key and added it to the authorized_keys file on the server. Even though it was the same as the one that was already there.

I actually had to kill the gpg-agent from the other user, to ensure that it picked up the new settings.
So, yes, I double checked the exported key.

Listing the secret keys, one is an old file based key. But then again, it also didn't work on the other user…

Hi,

thanks again for testing!

This is for sure necessary! This is what is meant when it says "The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys." on the website. I expect the user to already have things configured, to not make the instructions more complicated than necessary…

Alright, I will have a look at my Ubuntu 17.10 then and try to find out what is wrong with your setup/my instruction :wink:

BTW: Are you using a special Desktop Environment? Or standard Unity/Gnome?

To be continued…

standard, so gnome now :slight_smile:
Thank you for the support!

Hey,

yeah, well, that was my fault, in trying to make the instructions as generic as possible :roll_eyes:

Your .bashrc should read:

if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

This is probably '/run/user/1000/gnupg/S.gpg-agent.ssh' for your system/user. If you put this in Ubuntu 16.04 it won't work though, as the command 'gpgconf --list-dirs agent-ssh-socket' gives out multiple folders instead of one. I tried to work around that and thought the home folder would work as well (as it was the standard in the past). Well, it isn't. Sorry for the confusion and inconvenience! :blush:

I will try to find another (real) generic way instead. But you should be fine for now :thinking:

Please let me know if it works (remember to open a new bash after changing .bashrc, or just look at 'echo $SSH_AUTH_SOCK' to see if it is fine).

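As an added example (not from this thread and not Nitrokey's own instructions), the checks Alex walks through above can be run in one go: that 'use-agent' is active in gpg.conf and 'enable-ssh-support' in gpg-agent.conf, that SSH_AUTH_SOCK matches what 'gpgconf --list-dirs agent-ssh-socket' reports, that the socket actually exists, and, after 'gpg2 --card-status', that the agent offers the card key for comparison with authorized_keys. It also handles the older gpgconf output mentioned for Ubuntu 16.04, which prints every directory as 'name:path' lines instead of a single path, which is what broke the .bashrc snippet there. The script name and the sample lines in the comments are assumptions; GNUPGHOME is honoured if set.

```shell
#!/usr/bin/env bash
# nk-ssh-check.sh (name is an assumption): diagnose gpg-agent as SSH agent.
# Added example for this thread, not part of Nitrokey's instructions.
# Run with:  bash nk-ssh-check.sh --run

# 0 if FILE contains OPTION as an active (uncommented) line, else 1.
# Note: with GnuPG 2.1+ 'use-agent' is a no-op (the agent is always used),
# but the instructions ask for it and it is harmless.
has_option() {
    local file="$1" option="$2"
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*${option}([[:space:]]|$)" "$file"
}

# Reduce gpgconf --list-dirs output to the single SSH socket path.
# Newer gpgconf prints just the path when given the name; older builds
# (the 16.04 case above) ignore the argument and print all entries as
# "name:path" lines, e.g. "agent-ssh-socket:/home/u/.gnupg/S.gpg-agent.ssh".
# Values in that form may be percent-escaped; plain /home or /run paths are not.
parse_socket_listing() {
    local out="$1" line
    if printf '%s\n' "$out" | grep -Eq '^[a-z-]+:'; then
        line="$(printf '%s\n' "$out" | sed -n 's/^agent-ssh-socket:\(.*\)$/\1/p' | head -n 1)"
        [ -n "$line" ] || return 1
        printf '%s\n' "$line"
    else
        [ -n "$out" ] || return 1
        printf '%s\n' "$out"
    fi
}

# Ask gpgconf where the agent's SSH socket lives (either output format).
agent_ssh_socket() {
    local out
    out="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)" || return 1
    parse_socket_listing "$out"
}

# Config checks; prints one line per item, returns the number of failures (0-2).
check_config() {
    local home="${1:-${GNUPGHOME:-$HOME/.gnupg}}" fails=0
    if has_option "$home/gpg.conf" use-agent; then
        echo "OK: use-agent active in $home/gpg.conf"
    else
        echo "FAIL: use-agent missing or commented out in $home/gpg.conf"; fails=$((fails + 1))
    fi
    if has_option "$home/gpg-agent.conf" enable-ssh-support; then
        echo "OK: enable-ssh-support active in $home/gpg-agent.conf"
    else
        echo "FAIL: enable-ssh-support missing in $home/gpg-agent.conf (add it, then pkill gpg-agent)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Compare what ssh will use (SSH_AUTH_SOCK) with what gpg-agent provides.
# Returns 0 ok, 1 mismatch, 2 path is not a live socket, 3 SSH_AUTH_SOCK unset.
check_socket() {
    local expected="$1" actual="${2-}"
    if [ -z "$actual" ]; then
        echo "FAIL: SSH_AUTH_SOCK is unset; check the .bashrc snippet and open a new shell"; return 3
    fi
    if [ "$expected" != "$actual" ]; then
        echo "FAIL: SSH_AUTH_SOCK=$actual but gpgconf reports $expected"; return 1
    fi
    if [ ! -S "$actual" ]; then
        echo "FAIL: $actual is not a socket; start the agent with gpgconf --launch gpg-agent or gpg2 --card-status"; return 2
    fi
    echo "OK: SSH_AUTH_SOCK points at the live gpg-agent SSH socket"
}

# Full run: config, socket, card, and the key the agent actually offers.
run_diagnosis() {
    local expected fails=0
    check_config || fails=$((fails + $?))
    if ! expected="$(agent_ssh_socket)"; then
        echo "FAIL: gpgconf reports no agent-ssh-socket (is gnupg2 installed?)"; return 1
    fi
    check_socket "$expected" "${SSH_AUTH_SOCK-}" || fails=$((fails + 1))
    # The agent only serves the card key after it has seen the card once.
    gpg2 --card-status >/dev/null 2>&1 || echo "WARN: gpg2 --card-status failed; is the Nitrokey plugged in?"
    # gpg-agent labels card-backed keys with a "cardno:..." comment in ssh-add -L output.
    if ssh-add -L 2>/dev/null | grep -q 'cardno:'; then
        echo "OK: agent offers the card key; compare 'ssh-add -L' with authorized_keys on the server"
    else
        echo "FAIL: ssh-add -L lists no card key (try gpg --card-edit / fetch first)"; fails=$((fails + 1))
    fi
    return $fails
}

if [ "${1:-}" = "--run" ]; then
    run_diagnosis
fi
```

The exit status of a '--run' invocation is the number of failed checks, so it can be dropped into a shell startup script as a quick sanity check. Only 'check_socket' and 'has_option' compare against the live system; the parsing of the two gpgconf output formats is kept separate so it can be checked without GnuPG installed.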

You made my day! It works! :tada:
