Here's a way to improve the security of your private SSH keys using a cheap smartcard.

Public / private key authentication for SSH works well, and is usually an improvement over the usual password authentication, both in terms of security and convenience. But the security of your private key becomes a crucial factor. There are several ways that the private key can be protected. One of these is the use of a smartcard to generate and store the key.

A smartcard is a device that can generate a pair of public and private keys, allows you to extract the public key, but keeps the private key stored on the card. Even during authentication, the private key remains on the card - and authentication itself is offloaded to the card. A PIN is required for the card to work, and the card will lock up after 3 attempts at guessing the PIN, therefore rendering brute-force or dictionary attacks impossible. When you're done, simply remove the token that carries the smartcard from USB. Easy, and probably more secure than the usual methods for storing private keys, in most scenarios.

The YubiKey NEO, made by Yubico, is one such device. It's a mini-format USB token, flat as cardboard, small enough you could carry it on a keychain. The token is equivalent to a USB keyboard. When you touch the gold sensor, it "prints out" a string of characters that represents the OTP. This could be used with the appropriate backend to authenticate users on web sites, VPN connections, etc. This is supported by Google in recent versions of Chrome, and can be used to authenticate users on various websites using a physical token. It can also act as a smartcard storing various encryption certificates or SSH keys.

NEO as a smartcard

It requires gpg-agent (part of the gnupg package) to interface with other apps such as ssh clients, etc. I've tested this with Linux and Mac OS X clients.

Install software, generate keys

On Linux, use the various package managers that come with your distribution. On OS X, you have two choices: download and install GPGTools, or install gnupg from Homebrew. GPGTools is preferred, since it launches gpg-agent automatically for you, and comes with a nice GUI-based pinentry program, but the Homebrew package also works.

To manage the smartcard, change PINs, and generate the keys, you will use the main gpg (or gpg2) app from the package. Take a look at man gpg or man gpg2 for the options: --card-edit, --card-status, --change-pin.

The token comes with two PINs: the user PIN, default value "123456", and the admin PIN, default value "12345678". It is recommended to change these PINs. After 3 failed attempts to guess the user PIN, the card locks itself up and you need to unlock it (gpg --change-pin) using the admin PIN. After 3 failed attempts to guess the admin PIN, the card is dead forever.

To generate a new pair of public / private SSH keys: in the gpg --card-edit menu, choose the 'generate' option, then quit. The card now has your public and private SSH keys stored. The private key will remain on the card forever.

You may have to edit the 3rd field in the key file and replace it with your username or email address, but that's optional. Then upload the public key to the instances where you need to authenticate, and append it to ~/.ssh/authorized_keys.

Configure the client system to use the smartcard

You need to configure gpg-agent on your laptop or desktop to run in ssh-agent emulation mode. The config file is ~/.gnupg/nf and a typical content is:

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

The pinentry line is for OS X with GPGTools. If you're on Linux, or on OS X with gnupg from Homebrew, remove it. There are various pinentry apps out there, some text mode, some GUI; you can mix and match, and just use the right path in the pinentry line. Most if not all gnupg packages (Linux and OS X) come with at least one pinentry app.
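As an added example (not code from the original post), here is a POSIX shell script that renders the gpg-agent configuration described above for each of the three client setups (GPGTools, Homebrew, Linux) and rewrites the 3rd field of an exported public key line. It assumes GnuPG's enable-ssh-support option (the option that turns on ssh-agent emulation), the GPGTools pinentry path from the post, a caller-supplied config path, and a constructed sample key line.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: GnuPG's real "enable-ssh-support" option is what turns on
# ssh-agent emulation; the GPGTools pinentry path is the one the post gives;
# on Linux and Homebrew the pinentry-program line is omitted so gnupg uses
# the pinentry shipped with the package.

GPGTOOLS_PINENTRY=/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

# render_agent_conf <gpgtools|homebrew|linux>: print the gpg-agent config.
render_agent_conf() {
    case "$1" in
        gpgtools)
            printf 'enable-ssh-support\n'
            printf 'pinentry-program %s\n' "$GPGTOOLS_PINENTRY"
            ;;
        homebrew|linux)
            printf 'enable-ssh-support\n'
            ;;
        *)
            printf 'unknown platform: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# write_agent_conf <platform> <path>: write the config with owner-only
# permissions, keeping a backup of any existing file at <path>.bak.
write_agent_conf() {
    conf=$(render_agent_conf "$1") || return 1
    [ -f "$2" ] && cp -p "$2" "$2.bak"
    ( umask 077; printf '%s\n' "$conf" > "$2" )
}

# ssh_pubkey_with_comment <pubkey-line> <comment>: replace the 3rd field
# (the comment) of an OpenSSH public key line with a username or e-mail
# address; the key type and key material are left untouched.
ssh_pubkey_with_comment() {
    printf '%s\n' "$1" | awk -v c="$2" '{ print $1, $2, c }'
}

# Constructed sample key line (not real key material).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructed cardno:000000000000'

if [ "${1:-}" = "demo" ]; then
    render_agent_conf gpgtools
    ssh_pubkey_with_comment "$SAMPLE_KEY" alice@example.com
fi
```

Run it with the argument demo to see the GPGTools config and the rewritten key line; call write_agent_conf with the platform and the config path when you want the file written.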