GPGTools
Install GPGTools
Mac users can download it from the GPGTools website. It is a GUI GPG manager and also installs gpg-agent, so there is no need to download that separately.
Yubikey
Install the Yubikey management software
$ brew install yubikey-personalization
Insert the Yubikey
Set the Yubikey to OTP and OpenPGP mode:
$ ykpersonalize -m82
Change the Yubikey PINs (the Admin PIN and the PIN are both initially 123456). Follow the prompts below:
$ gpg --card-edit
<Yubikey card details omitted>
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
After you confirm, a GUI prompt asks for the current Admin PIN; enter 123456, then enter the new Admin PIN. Once the Admin PIN has been changed the following is shown; choose 1:
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
A GUI prompt then asks for the current PIN; enter 123456, then enter the new PIN.
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
Generate keys
Generate the public/private key pair
$ gpg --card-edit
gpg/card> admin
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y
<enter the Admin PIN>
<enter the PIN>
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y <the key is valid for one year>
<key details omitted>
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: <anything you like>
Email address: <your email>
Comment: <optional>
You selected this USER-ID:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
<generating the keys takes a few minutes>
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
<a GUI prompt asks for a passphrase to protect the secret key>
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/79C56617 2015-08-25
Key fingerprint = ...
uid ...
sub 2048R/... ...
sub 2048R/... ...
Export the public key
$ gpg --armor --export <user-id> > ~/my_gpg_public_key.pub
- Open the installed GPG Keychain, right-click the public key and choose Generate Revoke Certificate. If you lose the Yubikey, you will need this certificate to revoke the key.
- Right-click the public key and choose Send public key to Keyserver.
gpg-agent config
Configure gpg-agent.conf
$ vim ~/.gnupg/gpg-agent.conf
Then paste in the following:
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
Configure gpg-agent to start automatically
$ vim ~/.bash_profile
# choose the startup file that matches your shell
Append the following at the end:
GPG_TTY=$(tty)
export GPG_TTY
# Point ssh at gpg-agent's ssh socket (gpg-agent writes ~/.gpg-agent-info when it starts)
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
fi
# Start gpg-agent only if it is not already running
RESULT=$(pgrep -x "gpg-agent")
#echo ${RESULT};
if [ -z "${RESULT}" ]; then
    eval $(gpg-agent --daemon --enable-ssh-support)
fi
This snippet first tells ssh to use gpg-agent, then checks whether gpg-agent is running and starts it if it is not.
ssh config
Export the public key in a form ssh understands
$ gpg --export-ssh-key <user-id> > ~/ssh_public_key.pub
Upload the public key to the server you want to log in to
$ scp -P 22 ~/ssh_public_key.pub <username>@<host>:~/
Log in to the server, move the uploaded key into the .ssh directory, rename it, and set the permissions
<login steps omitted>
$ mv ~/ssh_public_key.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
Edit the sshd configuration file
$ vim /etc/ssh/sshd_config
Find RSAAuthentication and PubkeyAuthentication, uncomment them and set their values to yes. If either entry is missing, add it manually:
RSAAuthentication yes
PubkeyAuthentication yes
Finally, restart the sshd service
$ service sshd restart
Once you have confirmed that key-based login works, set PasswordAuthentication to no in sshd_config.
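One check worth running before relying on this, as an added example script that is not part of the original post: sshd uses the first uncommented value of each keyword, so a "PasswordAuthentication no" appended below an existing "PasswordAuthentication yes" changes nothing. The script mimics that rule on a constructed sshd_config; the sample config and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the FIRST uncommented
# value of each keyword, so "PasswordAuthentication no" appended at the end of
# sshd_config does nothing if an earlier line already says "yes". This mimics
# that rule; lines inside a Match block are skipped (they only apply to the
# matching connections, not to the global setting being checked here).

sshd_effective() {                  # usage: sshd_effective <file> <keyword>
    awk -v key="$2" '
        BEGIN { key = tolower(key); in_match = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        { sub(/[[:space:]]*=[[:space:]]*/, " "); k = tolower($1) }  # key=value form
        k == "match" { in_match = 1; next }
        in_match { next }
        k == key { print tolower($2); exit }            # first value wins
    ' "$1"
}

# Succeeds (exit 0) only when pubkey auth is on and password auth is off.
# Unset keywords fall back to the sshd defaults (both "yes").
check_key_only_login() {
    pub=$(sshd_effective "$1" PubkeyAuthentication)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    [ "${pub:-yes}" = "yes" ] && [ "${pw:-yes}" = "no" ]
}

# Constructed sample config: the trailing "no" is shadowed by the earlier "yes".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sshd_config for this example
#PubkeyAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF

if check_key_only_login "$SAMPLE_CONF"; then
    echo "OK: key-only login is enforced"
else
    echo "WARNING: effective PasswordAuthentication is" \
         "$(sshd_effective "$SAMPLE_CONF" PasswordAuthentication)"
fi
```

On a real server, `sshd -T` prints the configuration sshd actually applies and is the authoritative check.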
From now on every login requires the Yubikey to be inserted, and a GUI prompt asks for the PIN. If the PIN is correct it is cached for a while, so the next login does not ask for it again.