Partly for security and partly out of laziness, I finally bought a YubiKey. What follows is my setup record.
On 2019-07-16 I bought my first YubiKey 5C Nano, a physical security key with a USB-C connector. I recently found that newer versions support ED25519, but the firmware on my 5C Nano is below the minimum supported version, so I bought another one.
Environment setup
First, install the required tools and applications.
brew install gnupg2 pinentry-mac
Initialization
Before configuring the key, reset it once; if it is brand new, this step can be skipped.
cat@CATs-iMac ~ % gpg --card-edit
gpg/card> admin
gpg/card> factory-reset
gpg-agent[21944]: card has S/N: XYZ*****************00
gpg: OpenPGP card no. XYZ*****************00 detected
gpg: Note: This command destroys all keys stored on the card!
Continue? (y/N) y
Really do a factory reset? (enter "yes") yes
Change the default PINs
Remember to change the default PINs: there is a six-digit user PIN and an eight-digit Admin PIN.
gpg/card> passwd
gpg-agent: card has S/N: XYZ*****************00
gpg: OpenPGP card no. XYZ*****************00 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Generate keys
Enter the key-attr command to make sure ED25519 keys are generated instead of the default RSA.
Important: although the commands look repetitive, each round configures a different key (Signature, Encryption, Authentication).
gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection? 1
The card will now be re-configured to generate a key of type: ed25519
Note: There is no guarantee that the card supports the requested
key type or size. If the key generation does not succeed,
please check the documentation of your card to see which
key types and sizes are supported.
Changing card key attribute for: Encryption key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection? 1
The card will now be re-configured to generate a key of type: cv25519
Changing card key attribute for: Authentication key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection? 1
The card will now be re-configured to generate a key of type: ed25519
Configure the keys
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
gpg: Note: keys are already stored on the card!
Replace existing keys? (y/N) y
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Example Name
Email address: [email protected]
Comment:
You selected this USER-ID:
"Example Name <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key marked as ultimately trusted
gpg: revocation certificate stored as '/Users/exmaple/.gnupg/openpgp-revocs.d/example.rev'
public and secret key created and signed.
Configuration is done; quit the session.
gpg/card> q
SSH
Set up ~/.gnupg/gpg-agent.conf
# Apple silicon
pinentry-program /opt/homebrew/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
# Apple Intel
pinentry-program /usr/local/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
Configure ~/.zshrc & ~/.bashrc
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
Set up ~/.zsh_profile or ~/.bash_profile
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
Close Terminal and reopen it, then check the public key and export it.
gpg-connect-agent killagent /bye
gpg-connect-agent updatestartuptty /bye
gpg-connect-agent /bye
gpg --card-status
ssh-add -L
ssh-add -L > ~/.ssh/yubikey_gpg.pub
Server-side setup
Edit the user's authorized keys
~/.ssh/authorized_keys
Modify the SSH daemon configuration
/etc/ssh/sshd_config
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
Restart the SSH service
systemctl restart sshd.service
Set permissions
chmod -R 700 .ssh
chmod 600 .ssh/authorized_keys
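As an added example (not part of the original notes), the POSIX shell script below verifies the server-side settings above against a constructed sshd_config and a .ssh directory. It also shows a caveat worth checking: sshd uses the first value it finds for a keyword, so a duplicate line later in the file does not override an earlier one. The sample config and the function names are assumptions for this example.

```shell
#!/bin/sh
# Constructed sample sshd_config for this example (not a real server's file).
# sshd takes the FIRST value for each keyword, so the later
# "PasswordAuthentication no" below does NOT take effect.
SAMPLE_SSHD_CONFIG='# sample config (constructed)
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
'

# effective_value FILE KEYWORD
# Prints the value sshd would actually use: the first uncommented occurrence,
# matched case-insensitively, with trailing comments stripped.
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/[[:space:]]*#.*$/, "") }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Returns 0 when the three directives from the setup notes are effectively
# set to the hardened values, 1 otherwise; prints each mismatch.
check_sshd_config() {
    rc=0
    for pair in "PermitRootLogin=prohibit-password" \
                "PubkeyAuthentication=yes" \
                "PasswordAuthentication=no"; do
        kw=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$kw")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $kw is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_ssh_perms DIR
# Returns 0 if DIR is mode 700 and DIR/authorized_keys is mode 600
# (GNU stat first, BSD/macOS stat as fallback).
check_ssh_perms() {
    dmode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    fmode=$(stat -c %a "$1/authorized_keys" 2>/dev/null || stat -f %Lp "$1/authorized_keys")
    [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}
```

Run check_sshd_config against the real /etc/ssh/sshd_config after editing it and before restarting sshd; a MISMATCH line means an earlier directive in the file is overriding your change.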