User Tools

Site Tools


osx:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
osx:start [2019/02/25 14:42]
robm [Automating via SSH configuration files]
osx:start [2019/05/23 10:36] (current)
robm [GPG with remote forwarding]
Line 903: Line 903:
  
   brew cask install smcfancontrol   brew cask install smcfancontrol
 +
 +====== GPG with remote forwarding ======
 +
 +GPG Agent forwarding allows a remote system to access secrets held in your local system via an SSH tunnel. When you are not connected to the remote system, it cannot access your secrets, and if the remote system is compromised your secrets are not (since they are never stored on it).
 +
 +My (initial) use-case is to allow docker on a remote host to store login my login credentials (so I can push/pull images when working), but not store secrets on that hose. THe default behaviour is to store my password in plain text, which is unacceptable.
 +
 +So I opted to use [[https://​docs.docker.com/​engine/​reference/​commandline/​login/#​credentials-store|docker credentials management]] and [[https://​www.passwordstore.org/​|pass]]. The ''​pass''​ tool uses GPG to encrypt and decrypt passwords. If I use GPG the traditional way (with secret keys in my $HOME directory) I've not gained any security: the encrypted password and and the decryption key are on the same host!
 +
 +So I want to use GPG agent forwarding to allow ''​pass''​ to decrypt secrets while I am connected and working, without the decryptions keys ever leaving my laptop.
 +
 +Overview (notes to follow, I hope):
 +
 +  - Install GPG locally and create an identity
 +  - Ensure that passphrase challenge ("​pinentry"​) does _not_ use the TTY, since the TTY at the remote won't match local - better to use a GUI or the OSX KeyChain
 +  - Install GPG on remote, and import public key
 +  - Configure SSH to forward agent socket
 +  - Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets
 +
 +Gotchas to document:
 +
 +Invalid ioctl for device means the GPG agent was attempting to open a TTY. The agent lives on my MacBook, but the request comes from a remote system. So the remote system'​s GPG_TTY value is utterly useless on my MacBook, hence the error. Pinentry is the method by which the end-user (me) is prompted to enter a passphrase of the decryption key, the default is TTY, which doesn'​t work in this scenario. Using a GUI based one (line pinentry-mac) solves this, since the GUI always pops up on my Macbook.
 +
 +https://​www.binarybabel.org/​2017/​03/​10/​setting-up-pin-entry-for-gpg-under-macos/​
 +
 +  - ''​brew install gnupg gpg-agent pinentry-mac''​
 +  - Append to ''​~/​.profile'':​ <​code>​ if [ -f ~/​.gnupg/​.gpg-agent-info ] && [ -n "​$(pgrep gpg-agent)"​ ]; then
 +    source ~/​.gnupg/​.gpg-agent-info
 +    export GPG_AGENT_INFO
 +else
 +    eval $(gpg-agent --daemon --write-env-file ~/​.gnupg/​.gpg-agent-info)
 +fi</​code>​
 +  - Create/​modify the following GPG files:
 +    - ''​mkdir -p ~/​.gnupg''​
 +    - ''​~/​.gnupg/​gpg.conf'':<​code>​use-agent</​code>​
 +    - ''​~/​.gnupg/​gpg-agent.conf'':<​code>​ use-standard-socket
 +pinentry-program /​usr/​local/​bin/​pinentry-mac
 +default-cache-ttl 600
 +max-cache-ttl 7200</​code>​
 +
 +https://​superuser.com/​a/​1439824/​25945
 +
 +Testcase:
 +
 +<​code>​echo "​foo"​ | gpg --encrypt -r "​Robert Meerman"​ | gpg --decrypt</​code>​
  
osx/start.1551105764.txt.gz · Last modified: 2019/02/25 14:42 by robm