GPGTools+SSH+Yubikey+MacOS Tutorial (in Chinese)
After being mocked by pandada for still logging into ssh with a username and password, I switched to GPGTools+ssh+yubikey in one go.
I took plenty of wrong turns along the way, so I'm writing them down so you can steer around them.
GPGTools
1. Install GPGTools
Mac users download it from the GPGTools website. It is a GUI GPG management tool and it also installs gpg-agent automatically, so there is nothing else to download.
Yubikey
1. Install the Yubikey management software
$ brew install yubikey-personalization
2. Insert the Yubikey
3. Set the Yubikey to OTP and OpenPGP mode
$ ykpersonalize -m82
4. Reset the Yubikey PINs (the Admin PIN and the PIN are both 123456 initially)
Enter the following commands in order:
$ gpg --card-edit
<Yubikey card details omitted>
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
After that a GUI prompt asks for the initial Admin PIN; enter 123456, and you are then asked for the new Admin PIN.
Once the Admin PIN has been changed the following is shown; select 1:
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
A GUI prompt now asks for the initial PIN; enter 123456, and you are then asked for the new PIN.
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
Generate keys
1. Generate the key pair
$ gpg --card-edit
gpg/card> admin
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y
<enter the Admin PIN>
<enter the PIN>
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y <key valid for one year>
<key details omitted>
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: <anything you like>
Email address: <your email>
Comment: <optional>
You selected this USER-ID:
<generating the keys takes a few minutes from here>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
<a GUI prompt asks for a passphrase to protect the secret key>
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/79C56617 2015-08-25
Key fingerprint = ...
uid ...
sub 2048R/... ...
sub 2048R/... ...
2. Export the public key
gpg --armor --export > ~/my_gpg_public_key.pub
3. Run the installed GPG Keychain, right-click the public key and choose Generate Revoke Certificate. If you ever lose the Yubikey, this is what you need to revoke the key.
4. Right-click the public key and choose Send public key to Keyserver.
gpg-agent config
1. Configure gpg-agent.conf
$ vim ~/.gnupg/gpg-agent.conf
Then paste in the following:
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
2. Configure gpg-agent to start automatically
$ vim ~/.bash_profile # pick the profile file that matches your shell
Append the following at the end:
GPG_TTY=$(tty)
export GPG_TTY
# Point ssh at gpg-agent's ssh socket
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
fi
# Start gpg-agent only if it is not already running
RESULT=$(pgrep -x "gpg-agent")
if [ -z "${RESULT}" ]; then
    eval $(gpg-agent --daemon --enable-ssh-support)
fi
What this does: first it tells ssh to use gpg-agent, then it checks whether gpg-agent is running and starts it if it is not.
ssh config
1. Export the public key in a form ssh understands
$ gpg --export-ssh-key > ~/ssh_public_key.pub
2. Upload the public key to the server you want to log in to
$ scp -P 22 ~/ssh_public_key.pub <username>@<host>:~/
3. Log in to the server, move the uploaded key into the .ssh directory under its new name, and set the permissions
<login steps omitted>
$ mv ~/ssh_public_key.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
4. Edit the ssh server configuration
$ vim /etc/ssh/sshd_config
Then find RSAAuthentication and PubkeyAuthentication, uncomment them and set the value that follows to yes; if either line is missing, add it by hand:
RSAAuthentication yes
PubkeyAuthentication yes
Finally restart the sshd service:
$ service sshd restart
Once you can log in with the key, go back to sshd_config and set PasswordAuthentication to no.
From now on every login requires the Yubikey to be inserted, and a GUI prompt asks for the PIN; if it is correct, the result is cached for a while so the next login does not ask for the PIN again.
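As an added example (not part of the original post), here is a small POSIX shell helper for steps 2-4 above and the PasswordAuthentication change: it appends the exported key to authorized_keys instead of overwriting keys that are already there, applies the 700/600 permissions, and reads the effective value of an sshd_config keyword so you can check the settings before restarting sshd. The function names, paths and the sample key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands.
# install_authorized_key <pubkey-file> [ssh-dir]
# Appends the first line of <pubkey-file> to authorized_keys (only if that key
# is not already present), sets dir 700 / file 600, and prints how many times
# the key blob now appears in the file (expected: 1).
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"
    # An OpenSSH public key line is "<type> <base64 blob> [comment]"
    key_blob=$(awk 'NR==1{print $2}' "$pubkey_file")
    [ -n "$key_blob" ] || { echo "no key found in $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # Append rather than mv: an mv would silently drop other users' keys
    if ! grep -qF -- "$key_blob" "$auth_keys"; then
        printf '%s\n' "$(head -n 1 "$pubkey_file")" >> "$auth_keys"
    fi
    grep -cF -- "$key_blob" "$auth_keys"
}

# sshd_option <keyword> <sshd_config>
# Prints the effective value of a keyword: the first uncommented occurrence
# wins, as in sshd itself; prints "unset" if the keyword is absent.
sshd_option() {
    keyword=$1
    config=$2
    val=$(awk -v k="$keyword" 'tolower($1)==tolower(k){print $2; exit}' "$config")
    echo "${val:-unset}"
}
```

Run sshd_option against /etc/ssh/sshd_config for PubkeyAuthentication and PasswordAuthentication before the restart to confirm the file says what you think it does.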