Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
I just want to point out that one may want to add the keygrip to the 
sshcontrol file along with the "confirm" option to get asked by pinentry 
each time ssh requests gpg-agent to sign an ssh challenge (e.g. an ssh 
login). This is at least a useful option if you login to a remote host 
with agent forwarding enabled. I know that there are more secure 
alternatives to agent forwarding but I guess it is still used because of 
its simplicity. I also use it from time to time *shame*

But that's the only reason I know why one would add it to sshcontrol.

Regards
the2nd

On 2016-01-16 00:47, Glenn Rempe wrote:

Thanks Peter, I was not aware of that (and it certainly explains the
double entry in ssh-add -l).

btw, Werner was not writing that response to me. It was just pointed
out to me, so yes it was probably not smart card specific I would guess.
I'll update the blog post to reflect that we probably do not need to
modify sshcontrol for use with Yubikey.

Back to the main issue I am having. I followed the instructions to
output a verbose scdaemon log while I was exercising this issue.  Here
is a gist with the commands I was running and the resulting logfile.

https://gist.github.com/grempe/e143796b8f399f5fa391 [5]

Perhaps NIIBE Yutaka or someone else more knowledgeable than I can
take a look and get us closer to resolution. :-)

Thanks to everyone who is helping.

On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing
 wrote:


On 15/01/16 21:17, Glenn Rempe wrote:

I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html [1]

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html [2]
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key [3]

Is this suggestion outdated?


No, but I'm fairly sure Werner did not realise you were using a
smartcard when he wrote that. Obviously, I can't look into the man's
mind, but that's my guess.

For regular, on-disk keys, it is necessary to add the keygrip to
sshcontrol. For smartcards, it's automatically added when the smartcard
is inserted. I guess it fits with automatically added secret key stubs
when the smartcard is inserted (to use a smartcard on a fresh PC, import
your own public key, insert your smartcard, and you're done).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at




Links:
--
[1] https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
[2] http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
[3] http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
[4] http://digitalbrains.com/2012/openpgp-key-peter
[5] https://gist.github.com/grempe/e143796b8f399f5fa391

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users



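An added example (mine, not the2nd's nor GnuPG's code) for the confirm-on-use setup described above: a POSIX sh helper that picks the authentication subkey's keygrip out of "gpg --with-keygrip -K" style output and puts it into sshcontrol with the confirm flag, idempotently. It assumes the sshcontrol line format "<keygrip> <ttl> [flags]" and the GnuPG 2.1 listing layout shown in the constructed sample in the test; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: keep a keygrip in gpg-agent's sshcontrol
# with the "confirm" flag so pinentry asks before every SSH signature.
# Assumed sshcontrol line format: "<keygrip> <ttl> [flags]"; "#" starts a comment.
set -eu

# Read a "gpg --with-keygrip -K" listing from stdin and print the keygrip of
# the first authentication-capable subkey ("ssb" line carrying "[A]").
# Assumed layout: the "Keygrip = <hex>" line directly follows its key line.
auth_keygrip_from_listing() {
    awk '
        /^ssb/ { want = ($0 ~ /\[A\]/); next }
        want && /Keygrip = / { print $3; exit }
    '
}

# Return 0 if FILE already lists KEYGRIP with the confirm flag, 1 otherwise.
sshcontrol_has_confirm() {
    file=$1; keygrip=$2
    [ -f "$file" ] || return 1
    awk -v kg="$keygrip" '
        /^#/ || NF == 0 { next }
        $1 == kg { for (i = 3; i <= NF; i++) if ($i == "confirm") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Ensure KEYGRIP is in FILE with "confirm": append the flag to an existing
# line, or add a new line with ttl 0 (no expiry). Safe to run repeatedly.
sshcontrol_set_confirm() {
    file=$1; keygrip=$2
    if sshcontrol_has_confirm "$file" "$keygrip"; then return 0; fi
    touch "$file"
    tmp=$(mktemp)
    awk -v kg="$keygrip" '
        !/^#/ && NF > 0 && $1 == kg { seen = 1; if (NF < 2) $2 = 0; $0 = $0 " confirm" }
        { print }
        END { if (!seen) { print "# Key added with confirm-on-use"; print kg " 0 confirm" } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so the file keeps its mode
    rm -f "$tmp"
}
```

In practice the keygrip comes from "gpg --with-keygrip -K | auth_keygrip_from_listing" and the file is ~/.gnupg/sshcontrol; gpg-agent re-reads the file when it next handles an SSH request.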

Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
Thanks Peter, I was not aware of that (and it certainly explains the double
entry in ssh-add -l).

btw, Werner was not writing that response to me. It was just pointed out to
me, so yes it was probably not smart card specific I would guess. I'll
update the blog post to reflect that we probably do not need to modify
sshcontrol for use with Yubikey.

Back to the main issue I am having. I followed the instructions to output a
verbose scdaemon log while I was exercising this issue.  Here is a gist with
the commands I was running and the resulting logfile.

https://gist.github.com/grempe/e143796b8f399f5fa391

Perhaps NIIBE Yutaka or someone else more knowledgeable than I can take a
look and get us closer to resolution. :-)

Thanks to everyone who is helping.


On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing 
wrote:

> On 15/01/16 21:17, Glenn Rempe wrote:
> > I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> No, but I'm fairly sure Werner did not realise you were using a smartcard
> when he wrote that. Obviously, I can't look into the man's mind, but
> that's my guess.
>
> For regular, on-disk keys, it is necessary to add the keygrip to
> sshcontrol. For smartcards, it's automatically added when the smartcard
> is inserted. I guess it fits with automatically added secret key stubs
> when the smartcard is inserted (to use a smartcard on a fresh PC, import
> your own public key, insert your smartcard, and you're done).
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Peter Lebbing
On 15/01/16 21:17, Glenn Rempe wrote:
> I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

No, but I'm fairly sure Werner did not realise you were using a smartcard when
he wrote that. Obviously, I can't look into the man's mind, but that's my guess.

For regular, on-disk keys, it is necessary to add the keygrip to sshcontrol. For
smartcards, it's automatically added when the smartcard is inserted. I guess it
fits with automatically added secret key stubs when the smartcard is inserted
(to use a smartcard on a fresh PC, import your own public key, insert your
smartcard, and you're done).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
I'm not sure when the use of sshcontrol emerged. My impression was that it
is only used as part of GnuPG 'Modern' 2.1.x versions. That being said, if
I remove the keygrip entry from the sshcontrol file it appears to work
fine.  The only difference I've just noticed is in the output of 'ssh-add
-l':

with keygrip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardno:000MYCARDNUM (RSA)
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg (none) (RSA)

without keygrip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardno:000MYCARDNUM (RSA)

Any ideas for also eliminating that error message, or understanding why it's
there, are appreciated.

As for the suggestion by the2nd at otpme.org regarding the scdaemon bug.
This sounded promising, but when I investigated a bit it seems that the
commit in that thread that indicated this issue might be fixed on master
(f42c50dbf00c2e6298ca6830cbe6d36805fa54a3) was committed on Dec 2, 2015,
and gnupg version 2.1.10 was tagged on Dec 4, 2015.  So that fix should
already be in the version of GnuPG I am using (2.1.10) and yet I am still
seeing a problem.

/tmp/gnupg (master ✔)$ git log f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
commit f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
Author: NIIBE Yutaka 
Date:   Thu Dec 3 11:26:24 2015 +0900

scd: Fix "Conflicting usage" bug.

* scd/apdu.c (apdu_close_reader): Call CLOSE_READER method even if we
  got an error from apdu_disconnect.
* scd/app-common.h (no_reuse): Remove.
* scd/app.c (application_notify_card_reset): Deallocate APP here.
(select_application, release_application): Don't use NO_REUSE.

--

Reproducible scenario: Invoke gpg --card-edit session from a terminal.
Invoke another gpg --card-edit session from another.  Remove a token.
Insert a token again.  Type RET on both terminals.  One of terminal
answers "Conflicting usage".

Perhaps, having NO_REUSE field was to avoid race conditions.  Now,
APP can be safely deallocated by application_notify_card_reset.

Thanks to the2nd.

I installed 2.1.10 from this homebrew recipe:

https://github.com/Homebrew/homebrew-versions/blob/master/gnupg21.rb

My SSH client is the one that comes with OS X 'El Capitan':

/tmp/gnupg (master ✔)$ ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8




On Fri, Jan 15, 2016 at 12:31 PM Simon Josefsson 
wrote:

> > > Why do you add the keygrip to the sshcontrol file?  I have never
> > > needed that step.  For me it uses the right key directly.  Is it
> > > because you have another (revoked) A subkey?  It sounds somewhat of
> > > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > > key instead of the non-revoked key.
> >
> > I do have a revoked Authentication sub-key on my primary key, but I
> > no longer use it and that is also not why I added the keygrip entry to
> > sshcontrol file.  I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> I don't recall ever using it, and I've been using SSH with smartcards
> through gpg-agent for over 10 years.  What happens if you drop that
> part?  For me it has always selected the right subkey automatically.
>
> /Simon
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
On Fri, Jan 15, 2016 at 10:29:13AM +0100, Simon Josefsson wrote:
> Glenn Rempe  writes:
> 
> > I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> > manage my gpg private keys and I am using that key for SSH auth.  I have it
> > all up and running but I ran into some issues as well so I wrote up a blog
> > post.  I'd appreciate any suggestions for improvement and especially for
> > any ideas for a better fix for the workaround I had to do that I documented
> > at the end of the post.  Maybe this will be of some use to those wanting to
> > use the latest gpg for SSH auth on a Mac with a Yubikey.
> >
> > https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
> 
> Have you tried killing/restarting scdaemon only, not gpg-agent?
> 
> Try:
> 
> gpgconf --reload scdaemon
> 
> or
> 
> gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

I am on OS X, and just so you know I have turned off the OS X system
scdaemon per this blog post (I did this before upgrading to GnuPG 2.1):

https://gpgtools.tenderapp.com/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

So I am using just the scdaemon embedded with GPG I believe.

I just tried your suggestion to reload the internal scdaemon with
'gpgconf --reload scdaemon' and that also worked just as well as killing
gpg-agent, and probably without some side effects, none of which I've
noticed yet. So that is a step in the right direction, but I still have to
run it every time I remove/reinsert the card and SSH to a remote host
or it fails with a 'Permission denied (publickey)' error. So this seems
like a step in the right direction, but I still have to use ControlPlane
to restart scdaemon on insert/remove events.

> 
> Why do you add the keygrip to the sshcontrol file?  I have never needed
> that step.  For me it uses the right key directly.  Is it because you
> have another (revoked) A subkey?  It sounds somewhat of sub-optimal
> behaviour for gpg-agent's SSH support to use a revoked key instead of
> the non-revoked key.

I do have a revoked Authentication sub-key on my primary key, but I
no longer use it and that is also not why I added the keygrip entry to
sshcontrol file.  I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

Is this suggestion outdated?

> 
> /Simon



-- 
Glenn Rempe

email : gl...@rempe.us
voice : (415) 613-1653
twitter   : @grempe
gpg key id: 0xA4A288A3BECCAE17
gpg fingerprint   : 497A 6138 963D 6C47 202B  238B A4A2 88A3 BECC AE17



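An added example (not from the thread) for the card re-insertion problem Glenn describes above and Simon's reload suggestion: a POSIX sh check that parses "ssh-add -l" output as Glenn pasted it, flags a fingerprint listed twice (the double entry seen with the keygrip also in sshcontrol), and, in a wrapper meant to run before ssh, reloads only scdaemon when no card-backed identity is present. It assumes the line format "<bits> <fingerprint> <comment> (<type>)" with "cardno:" in the comment marking the card key; the function names and the constructed sample output are mine.

```shell
#!/bin/sh
# Added example, not from the thread: detect whether gpg-agent's SSH agent
# currently exposes the smartcard's authentication key and reload only
# scdaemon (not gpg-agent) when it does not.
set -eu

# Read "ssh-add -l" output from stdin and print every fingerprint that is
# listed more than once (one line per duplicated fingerprint).
duplicate_identities() {
    awk '
        /^[0-9]+ / { n[$2]++ }
        END { for (fp in n) if (n[fp] > 1) print fp }
    '
}

# Read "ssh-add -l" output from stdin; return 0 if a card-backed identity
# (comment starting with "cardno:") is listed, 1 otherwise.
has_card_identity() {
    grep -q ' cardno:'
}

# Run before ssh: if the card key is missing (typically after the card was
# removed and re-inserted), reload scdaemon and re-check. Exit status is the
# result of the final check, so "ensure_card_identity && ssh host" works.
ensure_card_identity() {
    if ssh-add -l 2>/dev/null | has_card_identity; then
        return 0
    fi
    # Restart only scdaemon so gpg-agent and its cached state keep running.
    gpgconf --reload scdaemon
    sleep 1
    ssh-add -l 2>/dev/null | has_card_identity
}
```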

Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
> > Why do you add the keygrip to the sshcontrol file?  I have never
> > needed that step.  For me it uses the right key directly.  Is it
> > because you have another (revoked) A subkey?  It sounds somewhat of
> > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > key instead of the non-revoked key.
> 
> I do have a revoked Authentication sub-key on my primary key, but I
> no longer use it and that is also not why I added the keygrip entry to
> sshcontrol file.  I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

I don't recall ever using it, and I've been using SSH with smartcards
through gpg-agent for over 10 years.  What happens if you drop that
part?  For me it has always selected the right subkey automatically.

/Simon




Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
You might hit this bug: 
http://lists.gnupg.org/pipermail/gnupg-users/2015-December/054756.html


On 2016-01-15 01:08, Glenn Rempe wrote:

I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey
to manage my gpg private keys and I am using that key for SSH auth. 
I have it all up and running but I ran into some issues as well so I
wrote up a blog post.  I'd appreciate any suggestions for improvement
and especially for any ideas for a better fix for the workaround I had
to do that I documented at the end of the post.  Maybe this will be
of some use to those wanting to use the latest gpg for SSH auth on a
Mac with a Yubikey.

https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/ [1]

Here is a discussion thread that describes *exactly* the issue I am
still having (if I don't use my workaround to kill and restart
gpg-agent on every yubikey insertion and deletion):

https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html [2]

Glenn



Links:
--
[1] https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
Glenn Rempe  writes:

> I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> manage my gpg private keys and I am using that key for SSH auth.  I have it
> all up and running but I ran into some issues as well so I wrote up a blog
> post.  I'd appreciate any suggestions for improvement and especially for
> any ideas for a better fix for the workaround I had to do that I documented
> at the end of the post.  Maybe this will be of some use to those wanting to
> use the latest gpg for SSH auth on a Mac with a Yubikey.
>
> https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/

Have you tried killing/restarting scdaemon only, not gpg-agent?

Try:

gpgconf --reload scdaemon

or

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

Why do you add the keygrip to the sshcontrol file?  I have never needed
that step.  For me it uses the right key directly.  Is it because you
have another (revoked) A subkey?  It sounds somewhat of sub-optimal
behaviour for gpg-agent's SSH support to use a revoked key instead of
the non-revoked key.

/Simon




Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-14 Thread Glenn Rempe
I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
manage my gpg private keys and I am using that key for SSH auth.  I have it
all up and running but I ran into some issues as well so I wrote up a blog
post.  I'd appreciate any suggestions for improvement and especially for
any ideas for a better fix for the workaround I had to do that I documented
at the end of the post.  Maybe this will be of some use to those wanting to
use the latest gpg for SSH auth on a Mac with a Yubikey.

https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/

Here is a discussion thread that describes *exactly* the issue I am still
having (if I don't use my workaround to kill and restart gpg-agent on every
yubikey insertion and deletion):

https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html

Glenn