spwhitton/ blog/ entry/ Upgrading my SSH security with gpg-agent
Michael Dummett, philosopher, 1925--2011 | Notes from the Library | Pyblosxom 1.5 released, upgraded

Recently got told off for using password-less SSH keys, with the excuse that they’re all stored on an encrypted hard drive—this isn’t even true anymore, though, since my desktop HDD isn’t encrypted like it used to be.

I’ve also learned that gpg-agent can also do SSH keys. Since I run gpg-agent all the time anyway for signing e-mail messages, it’s easy to have it doing SSH keys too. Using SSH agent forwarding, only my local machine has to see any keys. Anything from Emacs to a terminal SSHing out from my local machine will pop up an X11 password entry dialog (if the key isn’t cached already), and if I ssh from a remote machine to somewhere else, the same X11 dialog will pop up as the agent gets tunneled back automatically.

With the key only stored on two local machines, there’s no need for loads of SSH keys to selectively disable in the case of compromise: one for my two trusted machines, another for use with PuTTY on friends’ machines, and another for my git server on untrusted machines.

Daemon setup

Put this in .xinitrc to get gpg-agent running (from the Arch Wiki):

gnupginf="${HOME}/.gnupg/gpg-agent.info"

if pgrep -u "${USER}" gpg-agent >/dev/null 2>&1; then
    eval `cat $gnupginf`
    eval `cut -d= -f1 $gnupginf | xargs echo export`
else
    eval `gpg-agent --enable-ssh-support --daemon`
fi

~/.gnupg/gpg-agent.conf:

,# Cache settings
default-cache-ttl 10800
default-cache-ttl-ssh 10800

,# Environment file
write-env-file /home/swhitton/.gnupg/gpg-agent.info

,# Keyboard control
,#no-grab

,# PIN entry program
,#pinentry-program /usr/bin/pinentry-curses
,#pinentry-program /usr/bin/pinentry-qt4
pinentry-program /usr/bin/pinentry-gtk-2

In .ssh/config add the line ForwardAgent yes under connections to trusted machines that can re-use your authentication. You will want ForwardAgent no under Host * but make sure this block comes at the end of .ssh/config or the ‘no’ will take precedence over the ‘yes’.

Key setup

I’d like to follow Arch Wiki’s advice to use an ecdsa key, but sshd on Debian Stable doesn’t support this atm, so we’re going with RSA. Because of how we are going to use gpg-agent, the key can and should have a long and random and inconvenient passphrase—it is only going to be typed once per OS installation. I’m using a 20 char one generated by my password manager yapet. Default key length is fine.

$ ssh-keygen -t rsa -C"$(id -un)@$(hostname)-$(date --rfc-3339=date)"

Put the key on the remote server using existing key setup:

$ ssh-copy-id athena

This should now be the default key but it’s easier to add it to .ssh/config:

Host athena
...
ForwardAgent yes
IdentityFile ~/.ssh/id_rsa

We now need to add the key to gpg-agent. Restart your X session to get it running and then execute

$ ssh-add .ssh/id_rsa

You’ll have to type in your long passphrase, and then you’ll be prompted (twice ofc) for a new one by gpg-agent. This is the passphrase you’ll be typing on a regular basis to unlock the ssh key for use, so make it more practical/memorable.

That’s it, everything should work. Time for me to go and clean up my extremely messy ~/.ssh/ on various machines to complete the setup.