SSH authentication with GnuPG and smart cards

Most system administrators know how to use key-based authentication with SSH. Some of the more obvious benefits include agent forwarding (i.e. being able to use your SSH key on a remote system) and not having to remember passwords. There are, however, a few issues with having your SSH key on a general-purpose computer: malware can obtain an unencrypted copy of your private SSH key fairly easily. Also, while migrating your key to another system is fairly easy, it’s virtually impossible to securely use your SSH key on another untrusted system (e.g. at a customer).

This is where smart cards come in. A smart card stores certificates (such as your SSH key) and provides functionality for operating on those certificates (e.g. using their private key to sign or decrypt data). Smart cards come in various form factors: credit cards, SIM cards, etc. – which commonly require a separate card reader in order to be usable. However, there are also USB devices which implement all the usual smart card features in addition to other security features (e.g. requiring the user to press a key on the device before an authentication request is signed).

One such device is the Yubikey 4 which I’m personally using for SSH authentication.

The first step towards using a new Yubikey for SSH authentication is enabling the OpenPGP applet on it:

$ ykpersonalize -m82

I already had a PGP key, however in order to use it for authentication I had to create an additional subkey for the key usage type “authentication”. Here’s how that can be done:

$ gpg --edit-key --expert info@example.org
gpg (GnuPG) 2.1.23; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa2048/42330DF1CA650A40
created: 2017-08-24 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/56D8D1BBE7E720DB
created: 2017-08-24 expires: never usage: E
[ultimate] (1). NETWAYS Blog <info@example.org>

gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec rsa2048/42330DF1CA650A40
created: 2017-08-24 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/56D8D1BBE7E720DB
created: 2017-08-24 expires: never usage: E
ssb rsa2048/5F43E49ED794BDEF
created: 2017-08-24 expires: never usage: A
[ultimate] (1). NETWAYS Blog <info@example.org>

gpg> save

Now that we’ve created a new subkey we can move its private key part to the smart card:

$ gpg --edit-key --expert info@example.org
gpg (GnuPG) 2.1.23; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa2048/42330DF1CA650A40
created: 2017-08-24 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/56D8D1BBE7E720DB
created: 2017-08-24 expires: never usage: E
ssb rsa2048/5F43E49ED794BDEF
created: 2017-08-24 expires: never usage: A
[ultimate] (1). NETWAYS Blog <info@example.org>

gpg> toggle

sec rsa2048/42330DF1CA650A40
created: 2017-08-24 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/56D8D1BBE7E720DB
created: 2017-08-24 expires: never usage: E
ssb rsa2048/5F43E49ED794BDEF
created: 2017-08-24 expires: never usage: A
[ultimate] (1). NETWAYS Blog <info@example.org>

gpg> key 2

sec rsa2048/42330DF1CA650A40
created: 2017-08-24 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/56D8D1BBE7E720DB
created: 2017-08-24 expires: never usage: E
ssb* rsa2048/5F43E49ED794BDEF
created: 2017-08-24 expires: never usage: A
[ultimate] (1). NETWAYS Blog <info@example.org>

gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg> quit
Save changes? (y/N) y

The Yubikey 4 has three key slots which can be used for storing RSA keys with up to 4096 bits each. This might be an excellent opportunity to also move your signing and encryption key to your smart card – assuming you have an encrypted backup somewhere in case you lose access to your Yubikey.
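A check worth running after the keytocard step above is to confirm that the authentication subkey’s private part really is only a reference to the card and no longer sits on disk. The script below is an added example and not code from the original post; it parses the machine-readable output of gpg -K --with-colons (field layout as documented in GnuPG’s doc/DETAILS) and reports every authentication-capable subkey together with the token it lives on. The sample listing embedded in it is constructed from the key IDs shown in the post, and the card serial number in it is a made-up placeholder.

```python
"""Audit which OpenPGP secret subkeys can authenticate and whether their
secret material lives on a smart card (added example, not from the post).

Usage:  gpg -K --with-colons | python3 audit_auth_subkeys.py
Without input on stdin it runs against the constructed SAMPLE below."""

import sys

# Constructed sample of `gpg -K --with-colons` taken after `keytocard`,
# using the key IDs from the post.  The token serial (field 15 of the last
# ssb record) is a made-up placeholder, not a real card's serial number.
SAMPLE = """\
sec:u:2048:1:42330DF1CA650A40:1503532800:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1503532800::0000000000000000000000000000000000000001::NETWAYS Blog <info@example.org>::::::::::0:
ssb:u:2048:1:56D8D1BBE7E720DB:1503532800::::::e::::::23:
ssb:u:2048:1:5F43E49ED794BDEF:1503532800::::::a:::D2760001240102010006000000000000::::::23:
"""

# OpenPGP public-key algorithm IDs as used in field 4 of the colon format.
ALGO_NAMES = {"1": "rsa", "17": "dsa", "18": "ecdh", "19": "ecdsa", "22": "eddsa"}


def parse_secret_keys(text):
    """Return one dict per sec/ssb record: key id, capabilities (field 12)
    and the token field (field 15): a card serial when the secret part is
    on a card, '#' for a stub without a card, '' when it is on disk."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Older gpg versions emit fewer trailing colons; pad so indexing is safe.
        fields += [""] * (16 - len(fields))
        keys.append({
            "type": fields[0],
            "bits": int(fields[2]),
            "algo": ALGO_NAMES.get(fields[3], "algo" + fields[3]),
            "keyid": fields[4],
            "caps": fields[11],
            "token": fields[14],
        })
    return keys


def audit(text):
    """Return (auth_keys, findings): every authentication-capable key and a
    list of problems, i.e. auth keys whose secret part is not on a token."""
    auth_keys = [k for k in parse_secret_keys(text) if "a" in k["caps"]]
    findings = []
    if not auth_keys:
        findings.append("no authentication-capable key: add an 'A' subkey first")
    for k in auth_keys:
        if k["token"] == "":
            findings.append(f"{k['keyid']}: secret key still on disk, run keytocard")
        elif k["token"] == "#":
            findings.append(f"{k['keyid']}: stub without a card, secret key unavailable")
    return auth_keys, findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    keys, problems = audit(data)
    for k in keys:
        where = "not on a card" if k["token"] in ("", "#") else f"card {k['token']}"
        print(f"{k['type']} {k['algo']}{k['bits']}/{k['keyid']} caps={k['caps']} {where}")
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

The exit status makes the check usable from a shell script or a login hook: a non-zero exit means an authentication key exists whose private part can still be copied off the machine, which is exactly the situation the smart card is meant to prevent.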

The last step involves replacing ssh-agent with gpg-agent. This allows your SSH client to use your PGP certificates (including the authentication subkey we just created). In addition to that, gpg-agent also supports regular SSH keys, which might be useful if you have more than one SSH key and only plan to migrate one of them to your Yubikey.

I had to add the following snippet to my .profile file to start gpg-agent instead of ssh-agent:

# Start gpg-agent with SSH support instead of ssh-agent, reusing an agent
# that is already running.  Note: --write-env-file and GPG_AGENT_INFO are
# GnuPG 2.0 mechanisms; on 2.1+ they are ignored, so there you put
# "enable-ssh-support" into ~/.gnupg/gpg-agent.conf and set SSH_AUTH_SOCK
# from `gpgconf --list-dirs agent-ssh-socket` instead.
[ -f ~/.gpg-agent-info ] && . ~/.gpg-agent-info
if [ -S "${GPG_AGENT_INFO%%:*}" ]; then
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
else
  eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info)"
fi

And here’s OpenSSH prompting me for my smart card and PIN:

And that’s how you can literally put your PGP key on your keychain. 🙂

Gunnar Beutner

Author: Gunnar Beutner

Before joining NETWAYS, Gunnar worked at a large German hosting provider, where he gained a lot of experience in software development for server management. With us he mainly takes care of various customer projects, but also our own tools such as inGraph or Icinga2.

Tracking tasks with Todoist

As the name suggests Todoist is an app for tracking todos. I’ve been using it for the past couple of months during which it has become a daily companion in my quest for getting things done without forgetting half of my stuff (which – if you know me – is a common occurrence).

The basic feature set is quite straightforward: the app lets you create tasks which by default end up in the “Inbox”. Todoist has native apps for macOS, Windows, iOS and Android. There’s also a web client in case you need to update your tasks on the go. For me personally the integration with Amazon Echo is particularly useful. Adding a new task is as simple as saying “Alexa, add a task…”.

Once you’ve created a task you can decide to assign it to a project (e.g. “Work”, “Personal”, etc.) either right away or later on when you have a few minutes to spare. Each task can also be tagged to make it easier to find groups of specific tasks. For example, I have two tags “LowEnergy” and “HighEnergy” so I can later on find all tasks which are either easy or hard to do. Tasks can be set to recur at specific intervals which range in complexity from “daily” to “every last Friday”.

The mobile app supports location-based reminders. I have a recurring task “Get cash from the ATM” which the app dutifully reminds me about when I pass the ATM on my way to work.

I wouldn’t go so far as to put Todoist in the “life saver” category, however it has definitely become an integral part of my daily workflow. Consider giving it a try… even though unfortunately it isn’t entirely free.


My own TouchBar on the MacBook with BetterTouchTool

Unfortunately, many applications do not yet support the TouchBar on the new MacBook Pro. Some of the “culprits” are Chrome, Radiant Player and Franz (a frontend for WhatsApp and other messaging apps). Luckily there is BetterTouchTool, which lets you configure your own buttons on the TouchBar:

Unfortunately it is not free, but in my tests so far it has already proven to be very helpful. And this is what the example above looks like on the TouchBar:

BetterTouchTool can do quite a bit more, for example:

  • Adjust volume, screen brightness and the like
  • Run custom scripts and display their results (as text) on the TouchBar (e.g. the current song)
  • Recognise custom gestures on the TrackPad


Location-Aware Settings With ControlPlane

Part of my “arriving at the office in the morning” ritual involves quitting all my personal applications (e.g. Sonos), re-enabling my work e-mail account and a whole slew of other tiny changes that differentiate my work environment from my home environment. While in itself this isn’t too much of a hassle it does get rather tedious after a while. Especially so if I forget to start certain apps like my Jabber client and don’t realize that until much later.

The ControlPlane application promises to solve this exact problem by running specific actions whenever it detects a location change.

In order to do this you first have to set up “contexts”: These are essentially the locations you want ControlPlane to be aware of. As a starting point I’ve created two contexts “Home” and “Work” for my most-frequently used locations:

The next step involves telling ControlPlane what kind of information it should use to determine where you are. ControlPlane supports a wide variety of so-called evidence sources for this, some of which include:

  • IP address range, nearby WiFi networks
  • Attached devices (screens, USB and bluetooth devices)
  • Bonjour services (e.g. AppleTV)

Once you’ve made up your mind about which evidence sources to use you need to actually configure rules for these sources. An example would be “If my laptop can see the WiFi network ‘netways’ I’m in the ‘Work’ environment.” You also get to choose a confidence rating for each of those rules. This is useful if some of your rules could potentially also match in other, unrelated environments – for example because the IP address range you’re using at work is also commonly used by other companies.

Once you’re sufficiently confident that your location detection rules are working reliably you can set up actions which ControlPlane automatically performs whenever you enter or leave a certain location:

For my personal use I’ve found the built-in library of actions to be quite useful. However, there are a few things that even ControlPlane doesn’t support out of the box – like disabling specific e-mail and Jabber accounts. Luckily it does let you run arbitrary external applications, including ones you’ve built with macOS’s Script Editor application:


Home Automation with Home Assistant

A few weeks ago I moved to Nürnberg to save myself the daily train ride from Ansbach. But instead of making sure there is furniture in the flat like any other sensible person, I first spent an entire weekend automating the technology in my new home as far as possible.

Ever since a colleague (hello Bernd!) recommended Home Assistant to me quite a while ago, I had wanted to try it out, but never really found the time. Scrolling through 500 different dining tables on Amazon, however, changes one’s personal priorities rather abruptly, and I needed a change of pace. First of all, I set up a Linux container in my personal datacenter (others would call it a storage closet):

For the project I chose the following hardware components:

  • Philips Hue Color (E27, dimmable, colourful, great)
  • Philips Motion Detector (to control the lamps in the hallway and bathroom)
  • Sonos PLAY:3 (in the kitchen and on my desk), PLAY:5 (in the living room)
  • eQ-3 S 300 TH (temperature and humidity sensor; no longer available, but I happened to have one left over from another project)
  • iPhone (used to detect whether I am at home)
  • GAMMA-SCOUT Geiger counter (absolutely essential)

And this is what it all looks like (including structured cabling):

I won’t bore anyone here with the Home Assistant config file, so you will simply have to take my word for it when I claim that it is child’s play to integrate the individual hardware components in it so that they form a sensible whole.

What is particularly cool about Home Assistant are the options for reacting to events. For example, you can switch the lighting on or off depending on the position of the sun. My flat is now set up so that all devices are switched off automatically as soon as I leave the house. When I am on my way home they are switched on again – shortly before I actually stand at the front door. This works because Home Assistant knows where I currently am via “Find my iPhone”.

Of course there is also a nice web interface through which these actions can be controlled:

In addition, I have ordered Bluetooth beacon detectors from Happy Bubbles, which will hopefully arrive here in the next few days. After that, Home Assistant should be able to detect which room I am currently in.

Conclusion: nothing to eat in the house – except Joylent – but the lighting can be controlled down to the last detail. 🙂

By the way, our shop also carries hardware that could be integrated into your own home automation projects.
