osx:start [2019/02/25 14:40] robm [VPN over SSH] Add instructions for automating via SSH config files |
osx:start [2019/05/23 09:36] robm [GPG with remote forwarding] |
Line 756: | Line 756: | ||
===== Automating via SSH configuration files ===== | ===== Automating via SSH configuration files ===== | ||
+ | |||
+ | <note important> | ||
- **As root** on your client system, generate a new SSH keypair to use for VPN. < | - **As root** on your client system, generate a new SSH keypair to use for VPN. < | ||
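Review bot: the `<note important>` added at the top of the "Automating via SSH configuration files" section is opened but neither its body nor a closing `</note>` appears in this hunk, and the next visible line is the unchanged "As root ... generate a new SSH keypair" step. Confirm the note is closed before that list item, otherwise DokuWiki renders the rest of the section inside the note box; if the note is meant to warn about the root-owned keypair, put that warning text inside it rather than leaving the tag empty.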
Line 801: | Line 803: | ||
route delete 10/8 $GATEWAY | route delete 10/8 $GATEWAY | ||
route delete $REMOTE_HOST $GATEWAY | route delete $REMOTE_HOST $GATEWAY | ||
- | ) &</ | + | ) &</ |
- Make the new script executable: < | - Make the new script executable: < | ||
- Test it by running < | - Test it by running < | ||
Line 901: | Line 903: | ||
brew cask install smcfancontrol | brew cask install smcfancontrol | ||
+ | |||
+ | ====== GPG with remote forwarding ====== | ||
+ | |||
+ | GPG Agent forwarding allows a remote system to access secrets held in your local system via an SSH tunnel. When you are not connected to the remote system, it cannot access your secrets, and if the remote system is compromised your secrets are not (since they are never stored on it). | ||
+ | |||
+ | My (initial) use-case is to allow docker on a remote host to store login my login credentials (so I can push/pull images when working), but not store secrets on that hose. THe default behaviour is to store my password in plain text, which is unacceptable. | ||
+ | |||
+ | So I opted to use [[https:// | ||
+ | |||
+ | So I want to use GPG agent forwarding to allow '' | ||
+ | |||
+ | Overview (notes to follow, I hope): | ||
+ | |||
+ | - Install GPG locally and create an identity | ||
+ | - Ensure that passphrase challenge (" | ||
+ | - Install GPG on remote, and import public key | ||
+ | - Configure SSH to forward agent socket | ||
+ | - Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets | ||
+ | |||
+ | Gotchas to document: | ||
+ | |||
+ | Invalid ioctl for device means the GPG agent was attempting to open a TTY. The agent lives on my MacBook, but the request comes from a remote system. So the remote system' | ||
+ | |||
+ | https:// | ||
+ | |||
+ | - '' | ||
+ | - Append to '' | ||
+ | source ~/ | ||
+ | export GPG_AGENT_INFO | ||
+ | else | ||
+ | eval $(gpg-agent --daemon --write-env-file ~/ | ||
+ | fi</ | ||
+ | - Create/ | ||
+ | - '' | ||
+ | - '' | ||
+ | - '' | ||
+ | pinentry-program / | ||
+ | default-cache-ttl 600 | ||
+ | max-cache-ttl 7200</ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Testcase: | ||
+ | |||
+ | < | ||
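Review bot: the agent startup snippet in the "Append to" step (`eval $(gpg-agent --daemon --write-env-file ~/...` and `export GPG_AGENT_INFO`) is the GnuPG 2.0 mechanism; GnuPG 2.1 and later ignore `GPG_AGENT_INFO`, no longer accept `--write-env-file`, and place the agent socket at a fixed path reported by `gpgconf --list-dirs agent-socket`, with a separate restricted socket reported by `gpgconf --list-dirs agent-extra-socket`. Since the whole forwarding recipe depends on which socket is forwarded, state the GnuPG version these notes target, and in the "Configure SSH to forward agent socket" step forward the restricted extra socket rather than the main one, so the remote side only gets the restricted command set. The `default-cache-ttl 600` / `max-cache-ttl 7200` values deserve a sentence of their own: while the tunnel is up, a passphrase cached in the local agent is usable from the remote host without any prompt, so the 2-hour cap is the window in which a compromised remote host can sign or decrypt with the forwarded key; say that trade-off next to the values. The "Disable systemd stuff ... configure SSHd to allow you to delete and recreate those sockets" step should name the setting meant, `StreamLocalBindUnlink yes` in the remote `sshd_config`, and which systemd user units create the unused sockets. The "Invalid ioctl for device" paragraph and the `pinentry-program /` line are both cut off; since the agent runs on the Mac and the request arrives from the remote system, the configured pinentry has to be one that can open a GUI prompt on the Mac without a TTY, so give the full path. Finally, the added prose has typos worth fixing in the same edit: "store login my login credentials", "that hose", "THe default behaviour".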