SSH - Nitrokey Documentation (original) (raw)

Back to top

This guide explains how to prepare your SSH server and client for use with the Nitrokey. For configuring PuTTY, see this guide:

The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys.

Preparation on client

unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi

Preparation for the server

You can generate an authorized_keys file by running either

gpg2 --export-ssh-key keyID >> ~/authorized_keys

where

is the subkey id being used for authentication on your Nitrokey. The Nitrokey must already be known to the local GnuPG keyring. You can now append that file to a remote server’s authorized_keys and when you ssh to the server you’ll be asked for a pin rather than a passphrase.

Troubleshooting

If you are still being asked for a password please make sure that

returns something like ‘/run/user/1000/gnupg/S.gpg-agent.ssh’ or ‘/home/username/.gnupg/.S.gpg-agent.ssh’. Unfortunately there were some changes in GnuPG in the past so that the actual content can differ from system and GnuPG version. On some systems there may are even multiple folders in this variable saved. You have to adapt the above given code in .bashrc so that the variable SSH_AUTH_SOCK is correct. In doubt look for ‘SSH_AUTH_SOCK’ in

to find the actual code for your version/system.

You may check if you have a ‘pinentry’ program installed via your package manager. You may need to set it in the gpg-agent.conf as well. You may need to point gpg-agent to the correct TTY.