gpg-agent forwarding: inappropriate ioctl for device - gpg-agent

I'm trying to setup gpg-agent forwarding in order to use pass (https://www.passwordstore.org) via ssh.
gpg version 2.2.9 both on local and remote hosts, installed by instructions:
https://gist.github.com/vt0r/a2f8c0bcb1400131ff51
On local machine
$HOME/.gnupg/gpg-agent.conf
extra-socket /home/mickey/.gnupg/S.gpg-agent.remote
Reload agent
echo RELOADAGENT | gpg-connect-agent
Export public key
gpg --export -a mickey > mickey.gpg
Sign test data
echo "test" | gpg2 --encrypt -r mickey > out.gpg
Send public key and signed data
scp *.gpg REMOTE_HOST:
Create ssh session with reverse forwarding
ssh -R /run/user/1002/gnupg/S.gpg-agent:/home/mickey/.gnupg/S.gpg-agent.remote -o "StreamLocalBindUnlink=yes" REMOTE_HOST
On remote machine
Import public key
gpg --import mickey.gpg
Trust this key ultimately
gpg --edit-key mickey
trust 5 quit
Try to decrypt
gpg --decrypt -v out.gpg
Output
gpg: public key is FED6243A3325C554
gpg: connection to agent is in restricted mode
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: encrypted with 2048-bit RSA key, ID FED6243A3325C554, created 2018-07-23
"mickey"
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key
So, agent socket forwarding is working, seems there are some problems with pinentry program. Could not find anything that worked for me in google.
UPD
Tried to add pinentry-program /usr/bin/pinentry-tty to gpg-agent.conf, new error:
gpg: public key decryption failed: Invalid IPC response
gpg: decryption failed: No secret key

It happens when GPG is confused where to read input from. Simply configuring it to look for input from tty (the terminal connected to standard input) fixes it:
export GPG_TTY=$(tty)

This method does not work when you are inside an LXC container. Instead, add this to ~/.gnupg/gpg.conf:
use-agent
pinentry-mode loopback
Then add this to ~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
Then restart the agent with echo RELOADAGENT | gpg-connect-agent.
(source)

When running gpg from a script, the --batch argument must be provided.

Related

Permission denied (publickey) trying to SSH into CircleCI job

I followed the steps of this doc: https://circleci.com/docs/add-ssh-key#circleci-cloud-or-server-3-x
I generated my key:
ssh-keygen -m PEM -t rsa -C "myname#myemail.com"
I copied the content of .ssh/id_ed25519, went to Project Settings > SSH Keys > Additional SHH Keys, and pasted the content of my Key.
However, when I try to ssh I receive the following error:
ssh -p 54782 x.x.x.130
The authenticity of host '[x.x.x.130]:54782 ([x.x.x.x]:54782)' can't be established.
ED25519 key fingerprint is SHA256:xxx
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[x.x.x.130]:54782' (ED25519) to the list of known hosts.
myname#x.x.x.130: Permission denied (publickey).
I will appreciate your help. Thanks
The instructions you followed are for something else; they are about adding an SSH key to the project in case you need to SSH into remote servers from within a job.
If you want to SSH into your job, you need to add the key you generated on your local machine to your VCS (GitHub or Bitbucket) account.

ESXi keeps prompting for password after adding ssh public key to authorized_keys

I want to add my ssh public key to the ESXi 7 host, so that I can login via ssh without using password.
But the esx host keep prompting me for the password.
I have tried the following:
Scenario A
When using the "normal" way of adding ssh keys to a host.
Make a ssh key pair with ssh-keygen -t rsa
Push ssh public key to ESXi host with ssh-copy-id root#esx.host
Now try login to esx host using ssh root#esx.host
This will prompt you for a password again.
Reason for failing
The ssh key is added to the esx hosts ~/.ssh/authorized_keys - but the SSH service, expect to find the keys in /etc/ssh/keys-root/authorized_keys.
Scenario B
Adding the the right place
Copy the key into esx by cat ~/.ssh/id_rsa.pub | ssh root#esx.host 'cat >>/etc/ssh/keys-root/authorized_keys'
Try login again with ssh root#esx.host
Still asking for password.
Scenario B is failing for a reason
Reason for failing
The ssh key is generated with by default 2048 bits, but should be 4096 bits.
Final Solution
# Generate the 4096 ssh key
ssh-keygen -t rsa -b 4096
# Copy the public key the right place on the esx host
cat ~/.ssh/id_rsa.pub | ssh root#esx.host 'cat >>/etc/ssh/keys-root/authorized_keys'
# Then login
ssh root#esx.host
Tada - now logged in without using password
Password:
The time and date of this login have been sent to the system logs.
WARNING:
All commands run on the ESXi shell are logged and may be included in
support bundles. Do not provide passwords directly on the command line.
Most tools can prompt for secrets or accept them from standard input.
VMware offers supported, powerful system administration tools. Please
see www.vmware.com/go/sysadmintools for details.
The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
[root#esx.host:~]

Paramiko authentication with certificate and oprivate key

I have a linux device which supports authentication with a certificate and a private key.
I have tried to connect with:
k = paramiko.RSAKey.from_private_key_fil("path to privte key")
client.connect(server,port,user, key_filename ="path to certificate file", pkey=k)
I cannot connect in any way to the device.
Under windows with OPEN SSH I can connect to the device with :
ssh root#192.168.0.2 -p 22 -o IdentityFile=C:\client_key\client_key -o CertificateFile=C:\client_key\OTCsigned_certificate
I have solved the issue by :
Renaming the key and the certificate as id_rsa and id_rsa-cert.pub.
At argument key_filename i passed the certificate and alongside with it the paramiko loads also the private key.
It is finally working.
Br,

How to move my current using ssh key into Yubikey?

I'm using Yubikey 5 NFC and want to move my openssh key into it so that I can authenticate for ssh login via this Yubikey.
Maybe you will suggest to generate a new gpg keypair for Yubikey and use the gpg-agent instead of ssh-agent to authenticate. But I still want to move my current ssh private key into Yubikey because this way I don't have to edit authorized_keys everywhere.
I tried to do this following this article:
https://www.mvps.net/docs/how-to-add-your-existing-ssh-key-to-yubikey-via-openpgp/
which suggest to use pem2openpgp from monkeysphere to translate my ssh key into gpg key and somehow write this translated gpg key into Yubikey (via keytocard command of gpg).
But after all these done. I find that the fingerprint of my ssh key is changed, this is confirmed by following command:
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
$ ssh-add -l
And the fact that the fingerprint changed makes using my current ssh key meaningless -- I still need to edit authorized_keys everywhere to make the "new public key" work.
So is there any other way which can write my old ssh key into Yubikey and keep the old key's fingerprint?

Command to send public key to remote host

I remember there is a command to send public key to the remote host that I want. I want to use that feature to send one of my public keys to the other host. How can I do that?
You are looking for ssh-copy-id. All this command does is create .ssh and .ssh/authorized_keys and set their permissions appropriately if they don't exist. Then it appends your public key to the end of .ssh/authorized_keys.
You might be looking for this command:
cat ~/.ssh/id_rsa.pub | ssh user#hostname 'cat >> .ssh/authorized_keys'
It appends your public key to the servers authorized keys.
Source
If your server is already set up to not accept password-based login, you might get a Permission denied (publickey) error.
This is another method to send the key, using netcat, so you don't have to authenticate. It will only work over a local network, but you can use port forwarding to do this over the internet.
On the server:
$ nc -l 55555 >> ~/.ssh/authorized_keys
On the client (replace HOSTNAME with the hostname or IP of the server):
$ nc HOSTNAME 55555 < ~/.ssh/id_rsa.pub
You can replace 55555 with an open port of your choice.
source: chat over lan from linux to linux?
Appendix for total newbies: I don't think anyone's mentioned this yet, but if you get ERROR: failed to open ID file '/home/username/.pub': No such file, you need to generate a key first. The Ubuntu help pages have a great guide on Generating RSA Keys.
In other answers there's no example for ssh-copy-id so here it is(first you need to generate the key)
ssh-copy-id user#url