What's the fastest way to get the SSH keys on my Nitrokey Pro recognized on a foreign computer?


#1

Okay, so I have a Nitrokey Pro, and one of my primary uses for it is as an SSH key provider. I am around a lot of computers that I occasionally need to SSH into remote servers from, and instead of generating SSH keys for every single one of them, I like the idea of just plugging my Nitrokey Pro in, and immediately having the correct SSH keys (based on the OpenPGP key on there).

I have already generated the SSH key, and have successfully managed to get the above to work on an office PC running Arch Linux. However, I cannot for the life of me get it to work on, for example, my home iMac. I have read and re-read the documentation again and again, but it is way too sparse. For example:

  • It says: “Make sure ~/.gnupg/gpg.conf contains ‘use-agent’” but there is no ~/.gnupg/gpg.conf on my iMac
  • It says: “Add ssh support to gnupg-agent by adding ‘enable-ssh-support’ to ~/.gnupg/gpg-agent.conf” but there is no ~/.gnupg/gpg-agent.conf on my iMac
  • It says: “Add the following code to your ~/.bashrc”, but I’m using zsh

I have GnuPG installed (via brew install gpg), but it didn’t generate any of the .conf-files mentioned, and I am stuck trying to figure out how to get them to appear.

Is there any chance of expanding the documentation a bit? It seems really sparse at the moment.


#2

Hi,

I did not test this setup on macOS. If the config files do not exist, you may just create them. It is totally fine to only have the one option in there.

Using zsh is fine (I am using it too). Just use the zshrc instead.

I try to extend the instructions in this regard.

Kind regards
Alex


#3

Okay, maybe the conf-files aren’t the problem, then, because I’ve added it all now, but still, when I plug in the Nitrokey and try to SSH to somewhere, I get

sign_and_send_pubkey: signing failed: agent refused operation
sign_and_send_pubkey: signing failed: agent refused operation
mautic@x.x.x.x: Permission denied (publickey).

More specifically, with verbosity turned on, these are probably the relevant debug messages:

debug1: Host '[x.x.x.x]:2242' is known and matches the ECDSA host key.
debug1: Found key in /Users/mp/.ssh/known_hosts:9
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:pISonlafkEqBTdsy+nrkUhO9H3vtoEm1GFQMpiN7BG0 cardno:000500006A8E
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering public key: RSA SHA256:pISonlafkEqBTdsy+nrkUhO9H3vtoEm1GFQMpiN7BG0 (none)
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
sign_and_send_pubkey: signing failed: agent refused operation

Why is the agent refusing? I already did gpg --card-status, which shows the Nitrokey, so I know gpg-agent is running.

By the way, gpg -k doesn’t list any keys, so I’m wondering if the problem is occurring because gpg doesn’t know the public key on the Nitrokey? However, I’ve been searching high and low on the internet, but can’t find any instructions showing how to add the public key from a Nitrokey to the local GPG keychain…


#4

Hey,

maybe have a look at this page. It is about the Yubikey, but because of the OpenPGP Card specs it should work the same for both.

Disclaimer: I did not test this approach.

Kind regards
Alex


#5

Yay, after hours of finagling, I finally got past the frustrating sign_and_send_pubkey: signing failed: agent refused operation errors for SSH operations.

It turns out what helped me was doing echo UPDATESTARTUPTTY | gpg-connect-agent as mentioned in this post. I assume the problem was related to pinentry never firing, so I was never prompted to enter the PIN for my Nitrokey.

I’ve no idea where the bug came from, but I’m glad I got through it 🙂
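The fix that emerged in this thread, as an added example (not from the thread or from Nitrokey's documentation): a POSIX sh helper that creates the two config files post #1 found missing, prints the zsh equivalent of the documented .bashrc lines, and runs the updatestartuptty step from post #5. It assumes GnuPG 2.1 or later (gpgconf and gpg-connect-agent); the GNUPGHOME argument and the function names are my own.

```shell
#!/bin/sh
# Added example: repair the GnuPG config for SSH via gpg-agent (GnuPG 2.1+ assumed).

# Append OPT as its own line to FILE unless that exact line is already present;
# creates FILE (and its directory) if missing, since a fresh brew install makes neither.
ensure_opt() {
    file=$1; opt=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    grep -qx "$opt" "$file" || printf '%s\n' "$opt" >> "$file"
}

# The two options the Nitrokey docs quote; DIR defaults to ~/.gnupg.
setup_gnupg_home() {
    home=${1:-"$HOME/.gnupg"}
    ensure_opt "$home/gpg.conf" use-agent
    ensure_opt "$home/gpg-agent.conf" enable-ssh-support
    chmod 700 "$home"   # gpg-agent refuses to use a world-readable home
}

# Lines for ~/.zshrc (the docs say ~/.bashrc; zsh accepts the same syntax):
# hand the terminal to gpg, point ssh at gpg-agent's SSH socket, start the agent.
zshrc_snippet() {
    cat <<'EOF'
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
EOF
}

# Tell the running agent which terminal to use, so pinentry can ask for the card PIN
# instead of ssh seeing "agent refused operation". Returns 1 if gpg-agent is not installed.
refresh_agent_tty() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 1
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# 0 if SSH_AUTH_SOCK is gpg-agent's SSH socket, 1 if ssh is talking to some other agent.
ssh_sock_is_gpg_agent() {
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || return 1
    [ "${SSH_AUTH_SOCK:-}" = "$sock" ]
}

if [ "$#" -gt 0 ]; then
    setup_gnupg_home "$1"
    zshrc_snippet
    refresh_agent_tty || echo "gpg-agent not reachable; run: gpgconf --launch gpg-agent" >&2
fi
```

Run it as `sh setup.sh ~/.gnupg`, paste the printed lines into ~/.zshrc, then open a new shell and check `ssh-add -L` lists the cardno: key before trying `ssh -v` again.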


#6

I am glad you got it working!