gpg authentication over ssh

Yubikeys are able to store your gpg private keys, which lets you perform encryption, signing, and authentication more securely, since the private keys are only accessible through the Yubikey, and only while it is plugged in.

Today I’ll explore the authentication key. It’s possible to leverage your gpg authentication private key for ssh public key authentication. This mechanism allows passwordless authentication over the ssh protocol. Windows, Linux, and MacOSX all have supported clients, and this post will explore how to achieve this on each.

Windows

In order to use the gpg authentication key for passwordless ssh logins you’ll first need to install gpg4win. When downloading this program, as an exercise I challenge you to also verify the integrity of your downloaded binary. With gpg4win installed, you’ll need to modify a number of configuration files. First, edit %APPDATA%/gnupg/sshcontrol and append your authentication keygrip to it. To find your keygrip, issue:

> gpg --list-keys --with-keygrip

Next, open the file %APPDATA%/gnupg/gpg-agent.conf and append the line below to it:

enable-putty-support

You may also need to import your keys from the Yubikey (the card’s fetch command retrieves the public key from the URL stored on the card). From the command line issue:

> gpg --card-edit
gpg/card> fetch

PuTTY already has support for gpg-agent, which I believe is started by the Kleopatra application that handles gpg key management. This is all that needs to be done!

Ubuntu / Linux and MacOS X

The procedure for setting up gpg authentication over ssh on Ubuntu is similar but has a few extra steps. Edit ~/.gnupg/gpg-agent.conf and add the line below:

enable-ssh-support

Then edit ~/.gnupg/gpg.conf and append:

use-agent

I also added the following to my ~/.bashrc file:

# Tell gpg which terminal to use for pinentry prompts
export GPG_TTY=$(tty)
# Point ssh at gpg-agent's ssh-compatible socket instead of ssh-agent
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
# Let a running agent know about the current terminal
gpg-connect-agent UPDATESTARTUPTTY /bye > /dev/null
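The sshcontrol step above (and the same step in the Windows section) means picking the authentication subkey's keygrip out of the gpg listing and adding it without duplicating entries; the helper below is an added example, not part of the original post, and the listing it parses is a constructed sample with made-up keygrips.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-keygrip` output (not real keys).
SAMPLE_LISTING='pub   rsa4096 2019-06-08 [SC]
      0000000000000000000000000000000000000000
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Example User <user@example.com>
sub   rsa4096 2019-06-08 [E]
      Keygrip = 2222222222222222222222222222222222222222
sub   rsa4096 2019-06-08 [A]
      Keygrip = 3333333333333333333333333333333333333333
'

# Read a gpg listing on stdin and print the keygrip of every subkey whose
# usage flags include A (authentication). Encryption-only [E] and the
# primary [SC] key are skipped, so only the ssh-usable key ends up in sshcontrol.
auth_keygrips() {
  awk '/^(sub|ssb) / { auth = ($0 ~ /\[[A-Z]*A[A-Z]*\]/) }
       /^ *Keygrip = / { if (auth) print $3; auth = 0 }'
}

# Append each authentication keygrip to the given sshcontrol file,
# skipping keygrips that are already listed (re-running is safe).
add_to_sshcontrol() {
  ctl="$1"
  touch "$ctl"
  auth_keygrips | while read -r grip; do
    grep -q "^$grip" "$ctl" || echo "$grip" >> "$ctl"
  done
}

# Real usage: gpg --list-keys --with-keygrip | add_to_sshcontrol ~/.gnupg/sshcontrol
```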

Some useful commands

Starting gpg-agent – gpgconf --launch gpg-agent
Kill gpg-agent – gpgconf --kill gpg-agent

Flashing LSI SAS9211-8i to IT-mode

I recently purchased a couple of LSI SAS9211-8i cards from Ebay and needed to flash them to IT-mode. The system that I used to flash the cards used UEFI and required some esoteric steps to perform the flash operation.

First, a bootable USB stick is needed… maybe? I’m not sure if UEFI requires a bootable stick or just a FAT32 formatted device. I didn’t test this.

Also needed are,

Extract and copy both of these to the root directory of the USB stick.

Insert the USB stick and boot into the built-in EFI shell. This was selected by accessing the boot menu (pressing F11 during BIOS initialization on my motherboard). In this shell, we need to identify the USB device. The command map -b was helpful. This identified my USB stick as device 0. To flash the card I then issued:

$ fs0:
$ dir
$ sas2flash.efi -o -e 6
$ sas2flash.efi -o -f 2118it.bin -b mptsas2.rom

And that’s it. These are just my high-level notes for what’s needed. There are some great resources online that dive into these steps in additional detail. I found the following helpful:

  • https://www.ixsystems.com/community/threads/how-to-flash-lsi-9211-8i-using-efi-shell.50902/
  • https://nguvu.org/freenas/Convert-LSI-HBA-card-to-IT-mode/ (for non-UEFI, flashed using FreeDOS)

gpg signed git commits

To enable git to sign commits we must configure the key to be used for signing. This can be accomplished by editing ~/.gitconfig:

[user]
         name = Matt Kowalczyk
         email = matt.kowalczyk@gmail.com
         signingkey = A53C8900B710D91F

Also, if you have both gpg and gpg2 installed on your system, you may need to force git to use a specific program to perform the signing. In my case, I needed to use gpg2, and this was accomplished by appending the below to ~/.gitconfig:

[gpg]
         program = gpg2

With these changes, we’re now able to sign commits and tags and also verify those signatures. For instance:

$ git add foo.txt
$ git commit -S -m "initial commit"
 [master (root-commit) 7f5db95] initial commit
  1 file changed, 1 insertion(+)
  create mode 100644 foo.txt
$ git log --show-signature
 commit 7f5db95d63f68813df4229835ca6b775dbe1b5ac
 gpg: Signature made Sat 08 Jun 2019 07:51:46 PM PDT using RSA key ID 951E6431
 gpg: Good signature from "Matt Kowalczyk <matt.kowalczyk@gmail.com>" [ultimate]
 Author: Matt Kowalczyk <matt.kowalczyk@gmail.com>
 Date:   Sat Jun 8 19:51:46 2019 -0700
 initial commit

Notice the use of --show-signature. The git-scm documentation shows various other useful git commands related to signing. For instance:

$ git merge --verify-signatures -S <BRANCH>
$ git rebase -S

cdb in Erlang

I’ve recently become fascinated by Erlang. I like its maturity, its scale, and its methodology. It’s taken me a couple of passes through https://learnyousomeerlang.com/ and Programming Erlang, and hours of reading the very well written Erlang docs, to become familiar enough to write some simple code.

I’ve decided to implement the constant database, cdb, in Erlang. It was a really fun project that required me to:

  • Implement a stand alone library in Erlang
  • Write tests
  • Twiddle bits
  • File I/O

These I think are some fundamental steps to start understanding a development environment. I’ve released the code under the MIT License on github.