This is the situation.
I’m an OSX user and I’ve been using GPG for a long time for email, and I just wanted to jump into using it for logging in over SSH on the machines I need access to, avoiding typing a password (BTW, you can do this by editing your remote ~/.ssh/authorized_keys file and adding your public SSH key) and adding one more layer of security.
After following some recommendations, I got an FST-01. This dude is a GnuPG USB token that stores my private keys securely. I have it with me wherever I go. But you need to instruct your computer to use the token and not your own local keys. I just followed this very well documented guide from Glenn Rempe, but I did some tweaks to it:
So, I’m assuming here you already set up your USB token. What I did was somewhat similar to what is explained here, but I haven’t checked carefully. Maybe I should post about it later on.
Anyway, first of all you need to install this:
brew tap homebrew/versions
brew install gnupg21
brew install pinentry-mac
> Pinentry-mac is a tool that will ask you for your secret PIN to unlock the private keys on your token.
Then, you need to edit your ~/.gnupg/gpg-agent.conf file to include both the location of pinentry-mac and to enable SSH support, as follows:
I use this great fish shell. So, you need to instruct fish to use the ~/.gnupg/S.gpg-agent.ssh socket in every fish session, by editing your Fish config file (usually ~/.config/fish/config.fish) and adding one line to it. This is how my local config.fish looks:
set -g -x PATH /usr/local/bin $PATH
Remove your token and:
/usr/local/bin/gpgconf --kill gpg-agent && /usr/local/bin/gpgconf --launch gpg-agent
Then insert your token again. If everything is OK, running gpg2 --card-status should show you the information within your token.
Running ssh-add -L should display the public key coming from your token; that is the key to add to your remote ~/.ssh/authorized_keys. Now you can log in with ssh user@remote-ip using your token, and voilà.
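As an added example (not code from the original post or from Glenn Rempe’s guide), here is a small POSIX shell helper set that covers the configuration and verification steps above in one place: it writes the two gpg-agent.conf settings idempotently, adds the config.fish line that points SSH at the agent socket, checks that a gpg-agent.conf has what it needs, and checks whether a key line as printed by ssh-add -L is already present in an authorized_keys file (comparing key type and blob, ignoring the trailing comment). The option names enable-ssh-support and pinentry-program are real gpg-agent options; the pinentry path is the Homebrew default from the install step and is an assumption, as are the sample key strings in the usage section, which are constructed.

```shell
# Added example; not part of the original post. Assumes Homebrew put
# pinentry-mac at /usr/local/bin (override with PINENTRY=...).
PINENTRY=${PINENTRY:-/usr/local/bin/pinentry-mac}

# Append a line to a file only if it is not already present (exact match),
# so the helpers can be re-run without duplicating settings.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# The two gpg-agent.conf settings the post describes: where pinentry-mac
# lives, and SSH agent emulation so ssh can use the keys on the token.
configure_gpg_agent() {
    conf=$1
    ensure_line "$conf" "pinentry-program $PINENTRY"
    ensure_line "$conf" "enable-ssh-support"
}

# Return 0 when a gpg-agent.conf has both required settings, 1 otherwise.
check_gpg_agent_conf() {
    conf=$1
    grep -qxF -- "enable-ssh-support" "$conf" || return 1
    grep -qE -- "^pinentry-program[[:space:]]+/" "$conf" || return 1
    return 0
}

# The one line added to config.fish: make ssh talk to gpg-agent's SSH
# socket. Written in fish syntax, since that is what config.fish expects.
configure_fish() {
    fishconf=$1
    ensure_line "$fishconf" 'set -g -x SSH_AUTH_SOCK $HOME/.gnupg/S.gpg-agent.ssh'
}

# Return 0 when the key line (as printed by `ssh-add -L`) is already in the
# given authorized_keys file. Only the key type and base64 blob are compared;
# the comment field (e.g. "cardno:...") is ignored.
key_authorized() {
    key=$(printf '%s\n' "$1" | awk '{print $1" "$2}')
    awk '{print $1" "$2}' "$2" | grep -qxF -- "$key"
}

# Usage on constructed sample data (safe to run; touches only a temp dir):
demo() {
    d=$(mktemp -d)
    configure_gpg_agent "$d/gpg-agent.conf"
    configure_fish "$d/config.fish"
    check_gpg_agent_conf "$d/gpg-agent.conf" && echo "gpg-agent.conf OK"
    printf 'ssh-rsa AAAAB3constructedblob alice@laptop\n' > "$d/authorized_keys"
    key_authorized 'ssh-rsa AAAAB3constructedblob cardno:000000000001' "$d/authorized_keys" \
        && echo "token key already authorized"
    rm -rf "$d"
}
```

Run configure_gpg_agent "$HOME/.gnupg/gpg-agent.conf" and configure_fish "$HOME/.config/fish/config.fish" once, then restart the agent as the post shows; key_authorized "$(ssh-add -L)" ~/.ssh/authorized_keys on the remote side tells you whether the token’s key is already accepted there.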