User Tools

Site Tools


wiki:advanced:authentication:passwordless-gpg-card

X2Go Client smartcard HowTo

The concept of GnuPG smartcard authentication

FixMe

GPG card configuration

user@x2goclient$ gpg --card-edit
Application ID ...: D2760001240102000000000000420000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000042
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 24 24 24
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Command> admin
Admin commands are allowed
Command> sex
Sex ((M)ale, (F)emale or space): M
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Admin PIN
Command> login
Login data (account name): beispielb
Command> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
  PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin


PIN
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Bert Beispiel
Email address: bert.beispiel@x2go-test.org
Comment: Test user
You selected this USER-ID:
   "Bert Beispiel (Test user) <bert.beispiel@x2go-test.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (17 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (14 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (13 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key 8CE52B35 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   8  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 8u
pub   1024R/8CE52B35 2009-09-24
     Key fingerprint = 2475 8498 7FF4 2727 B476  F72E 7BF2 CFE9 8CE5 2B35
uid                  Bert Beispiel (Test user) <bert.beispiel@x2go-test.org>
sub   1024R/C7151669 2009-09-24
sub   1024R/593801C0 2009-09-24
Command> quit

IMPORTANT: login Name is a name of user on remote system

Be sure, that pinentry-x2go is installed. For test purposes you can use other pinentry program, but for x2goclient pinentry-x2go is required

user@x2goclient$ gpg-agent --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-x2go
GPG_AGENT_INFO=/tmp/gpg-Xh4lY7/S.gpg-agent:24620:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-LO41WU/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24620; export SSH_AGENT_PID;

Export SSH environment variables (copy gpg-agent output in console)

user@x2goclient$ GPG_AGENT_INFO=/tmp/gpg-Xh4lY7/S.gpg-agent:24620:1;
export GPG_AGENT_INFO;
user@x2goclient$ SSH_AUTH_SOCK=/tmp/gpg-LO41WU/S.gpg-agent.ssh; export
SSH_AUTH_SOCK;
user@x2goclient$ SSH_AGENT_PID=24620; export SSH_AGENT_PID;

You can check the key on your smart card with command:

user@x2goclient$ ssh-add -l
1024 ef:d5:8c:37:cb:38:01:8d:c2:30:00:ac:93:a2:43:98 cardno:000000000042(RSA)

Copy public part of your key to remote computer

user@x2goclient$ ssh-copy-id beispielb@x2goserver
beispielb@x2goserver's password:

Now try logging into the machine, with “ssh 'beispielb@x2goserver'”, and check in:

 .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Testing ssh connection

user@x2goclient$ ssh  beispielb@x2goserver
Last login: Thu Sep 24 22:00:50 2009 from x2goclient
beispielb@x2goserver:~$ exit

stop gpg-agent:

user@x2goclient$ kill $SSH_AGENT_PID

Start X2Go Client with GnuPG SmartCard Support

Using smart card authentication with x2goclient

user@x2goclient$ x2goclient --pgp-card
wiki/advanced/authentication/passwordless-gpg-card.txt · Last modified: 2014/04/14 06:08 by sunweaver