GPGTools + SSH + Yubikey + macOS Tutorial

After pandada mocked me for still typing a username and password to log in over ssh, I switched in one go to GPGTools + ssh + Yubikey.
I took quite a few wrong turns along the way, so I am writing them down in the hope that others can avoid them.


GPGTools

1. Install GPGTools

Mac users download it from the GPGTools website. It is a GUI GPG management suite and installs gpg-agent along with it, so there is nothing else to download.

Yubikey

1. Install the Yubikey management tool

$ brew install yubikey-personalization

2. Plug in the Yubikey

3. Set the Yubikey to OTP and OpenPGP (CCID) mode

$ ykpersonalize -m82

4. Change the Yubikey PINs (the Admin PIN and the PIN are both 123456 out of the box)

Enter the commands as shown below

$ gpg --card-edit
<Yubikey card details omitted>

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3

After this a GUI prompt asks for the current Admin PIN; enter 123456, then you are asked for the new Admin PIN.

Once the Admin PIN has been changed the menu below is shown again; choose 1

PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1

After this a GUI prompt asks for the current PIN; enter 123456, then you are asked for the new PIN.

PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q


Generate keys

1. Generate the key pair on the card. Answering Y to the off-card backup question below writes a copy of the encryption subkey into ~/.gnupg as sk_<key ID>.gpg; move that file to offline storage once generation is done.

$ gpg --card-edit
gpg/card> admin
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y

<enter the Admin PIN>
<enter the PIN>

Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
Key is valid for? (0) 1y <key valid for one year>
<key details omitted>
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: <anything will do>
Email address: <your email address>
Comment: <optional>
You selected this USER-ID:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
<generating the keys now takes a few minutes>
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
<a GUI prompt asks for a passphrase to protect the secret key>


gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key <key ID> marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/79C56617 2015-08-25
Key fingerprint = ...
uid   ...
sub   2048R/... ...
sub   2048R/... ...

2. Export the public key

$ gpg --armor --export <key ID> > ~/my_gpg_public_key.pub

3. Open the GPG Keychain app that came with GPGTools, right-click the public key and choose Generate Revoke Certificate. If you ever lose the Yubikey this certificate is what you need to revoke the key, so keep it somewhere safe.

4. Right-click the public key and choose Send public key to Keyserver


gpg-agent config

1. Configure gpg-agent.conf

$ vim ~/.gnupg/gpg-agent.conf

Paste in the following (pinentry-mac is the GUI PIN prompt shipped with GPGTools; the cache TTLs are in seconds and control how long an entered PIN stays valid)

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support

2. Make gpg-agent start automatically

$ vim ~/.bash_profile
# choose the startup file that matches your shell

Append the following at the end

# Tell gpg (and pinentry) which terminal it is running on
GPG_TTY=$(tty)
export GPG_TTY

# Older gpg-agent versions record their socket paths in ~/.gpg-agent-info;
# source it if present, then point ssh at gpg-agent's SSH socket
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
fi
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

# Start gpg-agent with SSH support only if it is not already running
if ! pgrep -x "gpg-agent" >/dev/null; then
    eval "$(gpg-agent --daemon --enable-ssh-support)"
fi

What this does: it first tells ssh to use gpg-agent instead of ssh-agent, then checks whether gpg-agent is already running and starts it if it is not.

ssh config

1. Export the public key in a form ssh understands

$ gpg --export-ssh-key <key ID> > ~/ssh_public_key.pub

2. Upload the public key to the server you want to log in to

$ scp -P 22 ~/ssh_public_key.pub <username>@<ip>:~/

3. Log in to the server, move the uploaded key into the .ssh directory under the right name and set the permissions (mv replaces any existing authorized_keys; if the account already has keys, append with cat >> instead)

<login steps omitted>

$ mkdir -p ~/.ssh
$ mv ~/ssh_public_key.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh

4. Edit the sshd configuration

$ vim /etc/ssh/sshd_config

Find RSAAuthentication and PubkeyAuthentication, uncomment them and set both to yes; add them if they are missing. (RSAAuthentication only applied to SSH protocol 1 and current OpenSSH no longer recognises it; PubkeyAuthentication is the setting that matters.)

RSAAuthentication yes
PubkeyAuthentication yes

Finally restart the sshd service

$ service sshd restart

Once you have confirmed that key-based login works (keep your current session open while you test a new one), go back to sshd_config and set PasswordAuthentication to no.

From now on every login requires the Yubikey to be plugged in, and a GUI prompt asks for the PIN. After a correct entry the PIN is cached for a while (the TTLs set in gpg-agent.conf), so the next login does not ask again.
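The steps above leave a few things that are easy to get subtly wrong: a commented-out enable-ssh-support in gpg-agent.conf, a second PubkeyAuthentication line that sshd ignores because it only honours the first uncommented one, or an authorized_keys file with loose permissions that sshd silently skips. The script below is an added example (not code from the original post) that checks each of those against files you point it at; the fixture it builds is constructed sample data, the key ID reused from the post, and it never touches a Yubikey or a live gpg-agent.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the client-side
# gpg-agent.conf and the server-side sshd_config / authorized_keys steps above.
# Every function takes file paths as arguments so it runs against constructed
# sample files. stat_mode covers both GNU stat (Linux) and BSD stat (macOS).
stat_mode() {  # usage: stat_mode <path>  -> octal mode such as 700
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}

# Effective value of an sshd_config keyword: sshd takes the FIRST uncommented
# occurrence, and keywords are case-insensitive, so both rules are applied here.
sshd_option() {  # usage: sshd_option <sshd_config> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# The end state the post recommends: public-key auth on, password auth off.
# PubkeyAuthentication defaults to yes when absent; PasswordAuthentication must
# be set to no explicitly because its default is also yes.
sshd_key_only() {  # usage: sshd_key_only <sshd_config>
    pub=$(sshd_option "$1" PubkeyAuthentication)
    pw=$(sshd_option "$1" PasswordAuthentication)
    [ "${pub:-yes}" = "yes" ] && [ "$pw" = "no" ]
}

# gpg-agent only creates the S.gpg-agent.ssh socket when enable-ssh-support
# is present and not commented out.
agent_conf_ssh_enabled() {  # usage: agent_conf_ssh_enabled <gpg-agent.conf>
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# With StrictModes (the default) sshd silently ignores authorized_keys when the
# file or ~/.ssh is group/world accessible, which is why the post chmods them.
authorized_keys_perms_ok() {  # usage: authorized_keys_perms_ok <ssh_dir>
    [ "$(stat_mode "$1")" = "700" ] && [ "$(stat_mode "$1/authorized_keys")" = "600" ]
}

# Each key line must be "<type> <base64> [comment]", the plain form that
# gpg --export-ssh-key produces (option-prefixed lines are not handled here).
authorized_keys_format_ok() {  # usage: authorized_keys_format_ok <authorized_keys>
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1 }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample files (not real configs) so the checks can be exercised dry.
make_fixture() {  # usage: make_fixture <dir>
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 openpgp:0x79C56617\n' > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
    printf '#PubkeyAuthentication no\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$1/sshd_config"
    printf 'default-cache-ttl 600\nmax-cache-ttl 7200\nenable-ssh-support\n' > "$1/gpg-agent.conf"
}

# Dry run against the fixture; point the four checks at your real files instead.
demo() {
    d=$(mktemp -d) && make_fixture "$d"
    for check in "agent_conf_ssh_enabled $d/gpg-agent.conf" \
                 "sshd_key_only $d/sshd_config" \
                 "authorized_keys_perms_ok $d/.ssh" \
                 "authorized_keys_format_ok $d/.ssh/authorized_keys"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check.sh demo` to see the fixture pass, then call the individual functions with `~/.gnupg/gpg-agent.conf`, `/etc/ssh/sshd_config` and `~/.ssh` on the real machines. The first-uncommented-line rule in sshd_option is the one people trip over most: appending `PasswordAuthentication no` at the bottom of a file that already says `PasswordAuthentication yes` higher up changes nothing.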
