gpg authentication over ssh

Yubikeys are able to store your gpg private keys which allows you to perform encryption, signing, and authentication more securely since the private keys are only accessible from the Yubikey, when it’s plugged in.

Today I’ll explore the authentication key. It’s possible to leverage your gpg authentication private key for ssh public key authentication, which gives you passwordless authentication over the ssh protocol. Windows, Linux, and MacOSX have supported clients, and this post will explore how to achieve this.

Windows

In order to use the gpg authentication key for passwordless ssh logins you’ll first need to install gpg4win. When downloading this program, as an exercise I challenge you to also verify the integrity of your downloaded binary. With gpg4win installed, you’ll need to modify a number of configuration files. First, append your authentication keygrip to the file %APPDATA%/gnupg/sshcontrol. To find your keygrip, issue

> gpg --list-keys --with-keygrip

Next, open the file %APPDATA%/gnupg/gpg-agent.conf and append the below text to it,

enable-putty-support

You may also need to import your ssh-keys from the Yubikey. From the command line issue,

> gpg --card-edit
gpg/card> fetch

PuTTY already has support for gpg-agent, which I believe is started by the Kleopatra application that handles gpg key management. This is all that needs to be done!

Ubuntu / Linux and MacOS X

The procedure for setting up gpg authentication over ssh on Ubuntu is similar but has a few extra steps. Edit ~/.gnupg/gpg-agent.conf and add the line below,

enable-ssh-support

Then edit, ~/.gnupg/gpg.conf and append,

use-agent

I also added the following to my ~/.bashrc file,

export GPG_TTY=$(tty)                                  # tell gpg/gpg-agent which terminal to use for PIN prompts
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh      # point ssh at gpg-agent's ssh socket (newer GnuPG may place it elsewhere; gpgconf --list-dirs agent-ssh-socket prints the path in use)
gpg-connect-agent UPDATESTARTUPTTY /bye > /dev/null    # make an already running agent switch its pinentry to this terminal

Some useful commands

Start gpg-agent – gpgconf --launch gpg-agent
Kill gpg-agent – gpgconf --kill gpg-agent
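To check the two pieces of configuration above (the authentication keygrip in sshcontrol, and enable-ssh-support in gpg-agent.conf) without editing your real files by hand, here is an added example that is not code from the original post: it parses a gpg --list-keys --with-keygrip listing for the keygrip of the [A] subkey, tests whether sshcontrol enables it (respecting # comments and !-disabled entries), appends it idempotently, and checks gpg-agent.conf. The listing is constructed sample data, and auth_keygrips, sshcontrol_has, sshcontrol_add and agent_conf_ok are names of my own.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the output of
# `gpg --list-keys --with-keygrip`, pick out the keygrip of every subkey
# that carries the authentication capability [A], and check/append it in
# gpg-agent's sshcontrol file. The listing is constructed sample input so
# this runs offline, without gpg or a Yubikey present.

SAMPLE_LISTING='pub   rsa4096 2020-01-01 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
      Keygrip = 0000000000000000000000000000000000000001
uid           [ultimate] Example User <user@example.com>
sub   rsa4096 2020-01-01 [E]
      Keygrip = 0000000000000000000000000000000000000002
sub   rsa4096 2020-01-01 [A]
      Keygrip = 0000000000000000000000000000000000000003'

# Print the keygrip of each key/subkey whose capability flags include A.
# Flags sit in square brackets ([SC], [E], [A], [SCA]); the keygrip is on
# the following line as "Keygrip = <40 hex chars>". Reads the listing on stdin.
auth_keygrips() {
    awk '/^(pub|sub|sec|ssb) / { want = ($0 ~ /\[[A-Z]*A[A-Z]*\]/) }
         /Keygrip = /          { if (want) print $3 }'
}

# True if sshcontrol already enables the keygrip. An entry is the bare
# keygrip, optionally followed by a TTL; "#" lines are comments and a
# leading "!" disables the entry, so neither counts as enabled.
sshcontrol_has() {   # $1 = keygrip, $2 = path to sshcontrol
    grep -qE "^[[:space:]]*$1([[:space:]]|$)" "$2" 2>/dev/null
}

# Append the keygrip to sshcontrol unless it is already enabled there.
# Returns 0 when added, 1 when it was already present (safe to re-run).
sshcontrol_add() {   # $1 = keygrip, $2 = path to sshcontrol
    if sshcontrol_has "$1" "$2"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$2"
}

# True if gpg-agent.conf has an uncommented enable-ssh-support line.
agent_conf_ok() {    # $1 = path to gpg-agent.conf
    grep -qE '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$1" 2>/dev/null
}
```

Against a real system you would pipe gpg --list-keys --with-keygrip into auth_keygrips and pass ~/.gnupg/sshcontrol (or %APPDATA%/gnupg/sshcontrol on Windows) to sshcontrol_add.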

Flashing LSI SAS9211-8i to IT-mode

I recently purchased a couple of LSI SAS9211-8i cards from eBay and needed to flash them to IT-mode. The system that I used to flash the cards used UEFI and required some esoteric steps to perform the flash operation.

First, a bootable USB stick is needed… maybe? I’m not sure if UEFI requires a bootable stick or just a FAT32 formatted device. I didn’t test this.

Also needed are,

Extract and copy both of these to the root directory of the USB stick.

Insert the USB stick and boot into the built-in EFI shell. This was selected by accessing the boot menu (pressing F11 during BIOS initialization on my motherboard). In this shell, we need to identify the USB device. The command map -b was helpful. This identified my USB stick as device 0. To flash the card I then issued,

$ fs0:
$ dir
$ sas2flash.efi -o -e 6
$ sas2flash.efi -o -f 2118it.bin -b mptsas2.rom

And that’s it. These are just my high-level notes on what’s needed. There are some great resources online that dive into these steps in additional detail. I found the following helpful:

  • https://www.ixsystems.com/community/threads/how-to-flash-lsi-9211-8i-using-efi-shell.50902/
  • https://nguvu.org/freenas/Convert-LSI-HBA-card-to-IT-mode/ (for non-UEFI, flashed using FreeDOS)