# GPGTools + SSH + Yubikey + macOS Tutorial (Chinese)

2021-04-29 12:38:47
Author: admin
## GPGTools

### Installing GPGTools

Mac users download GPGTools from the official GPGTools site. It is a GUI GPG management suite and installs `gpg-agent` along with it, so there is nothing else to download.

### Yubikey

1. Install the Yubikey management tool

```
$ brew install yubikey-personalization
```

2. Insert the Yubikey

3. Set the Yubikey to `OTP and OpenPGP` mode

```
$ ykpersonalize -m82
```

4. Change the Yubikey PINs (both the Admin PIN and the PIN are `123456` out of the box). Enter the following commands:

```
$ gpg --card-edit
<Yubikey card details omitted>
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
```

A GUI prompt then asks for the current Admin PIN; enter `123456`, after which you are asked for the new Admin PIN.

Once the Admin PIN has been changed the menu is shown again; choose <kbd>1</kbd>

```
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
```

A GUI prompt asks for the current PIN; enter `123456`, after which you are asked for the new PIN.

```
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
```

## Generate keys

1. Generate the key pair on the card

```
$ gpg --card-edit
gpg/card> admin
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y
<enter Admin PIN>
<enter PIN>
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y          <key valid for one year>
<key details omitted>
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: <anything you like>
Email address: <your e-mail address>
Comment: <optional>
You selected this USER-ID:
<generating the keys takes a few minutes from here on>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (45 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
You need a Passphrase to protect your secret key.
<a GUI prompt asks for a passphrase to protect the secret key backup>
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 4
gpg: signatures created so far: 4
gpg: key marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/79C56617 2015-08-25
      Key fingerprint = ...
uid                  ...
sub   2048R/...      ...
sub   2048R/...      ...
```

2. Export the public key

```
$ gpg --armor --export <user-id> > ~/my_gpg_public_key.pub
```

3. Open the GPG Keychain app that was installed with GPGTools, right-click the public key and choose `Generate Revoke Certificate`. If you ever lose the Yubikey, this certificate is what you need to revoke the key.

4. Right-click the public key and choose `Send public key to Keyserver`.

## gpg-agent config

1. Configure `gpg-agent.conf`

```
$ vim ~/.gnupg/gpg-agent.conf
```

Paste the following into it:

```
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
```

2. Start `gpg-agent` automatically

```
$ vim ~/.bash_profile    # pick the startup file that matches your shell
```

Append the following at the end:

```
GPG_TTY=$(tty)
export GPG_TTY
# Older gpg-agent releases record their socket here; source it if present
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
fi
# Point ssh at the SSH socket that gpg-agent exposes
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
# Start gpg-agent only if it is not already running
if ! pgrep -x "gpg-agent" > /dev/null; then
    eval "$(gpg-agent --daemon --enable-ssh-support)"
fi
```

This first tells ssh to use `gpg-agent` (via `SSH_AUTH_SOCK`), then checks whether `gpg-agent` is already running and starts it if it is not.

## ssh config

1. Export the public key in a form ssh understands

```
$ gpg --export-ssh-key <user-id> > ~/ssh_public_key.pub
```

2. Upload the public key to the server you want to log in to

```
$ scp -P 22 ~/ssh_public_key.pub <username>@<server>:~/
```

3. Log in to the server, move the uploaded key into the `.ssh` directory under its new name, and set the permissions

```
<login steps omitted>
$ mv ~/ssh_public_key.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
```

Note that `mv` replaces any existing `authorized_keys`; if the server already has keys you want to keep, append the new key to that file instead.

4. Edit the sshd configuration file

```
$ vim /etc/ssh/sshd_config
```

Find `RSAAuthentication` and `PubkeyAuthentication`, uncomment them and set both to `yes`; if a line is missing, add it by hand. (`RSAAuthentication` only ever applied to SSH protocol 1 and current OpenSSH releases no longer recognise it, so `PubkeyAuthentication yes` is the setting that matters.)

```
RSAAuthentication yes
PubkeyAuthentication yes
```

Finally restart the sshd service

```
$ service sshd restart
```

Once you have confirmed that key-based login works, set `PasswordAuthentication` to `no` in `sshd_config`.

From now on every login requires the Yubikey to be inserted, and a GUI prompt asks for the PIN. After a correct PIN the agent caches it for a while (the `default-cache-ttl` of 600 seconds set above), so the next login within that window does not prompt again.
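As an added check that is not part of the original post, the script below audits an `sshd_config` for the directives step 4 touches. It assumes a plain `sshd_config` on the server and encodes one detail the tutorial's "add it by hand" advice can run into: sshd uses the first matching directive, so a value appended after an earlier, conflicting line does not take effect.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings this tutorial edits. sshd honours the FIRST matching directive, so a
# "PasswordAuthentication no" appended at the end does not override an earlier
# "yes". Keywords are case-insensitive, '#' starts a comment, and "key=value"
# is accepted as well as "key value". Directives inside Match blocks are
# conditional and are therefore not treated as the global value.

# effective_value FILE KEYWORD -> prints the first uncommented global value
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { gsub(/=/, " ") }                                # normalise key=value
        tolower($1) == "match" { exit }                   # global section ends here
        tolower($1) == key { print $2; exit }             # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 when key auth is on and password auth off
audit_sshd_config() {
    f="$1"; rc=0
    pk=$(effective_value "$f" PubkeyAuthentication)
    pw=$(effective_value "$f" PasswordAuthentication)
    rsa=$(effective_value "$f" RSAAuthentication)

    case "${pk:-yes}" in                      # sshd default when unset: yes
        yes) echo "ok:   PubkeyAuthentication=${pk:-yes (default)}" ;;
        *)   echo "FAIL: PubkeyAuthentication=$pk"; rc=1 ;;
    esac
    case "${pw:-yes}" in                      # sshd default when unset: yes
        no)  echo "ok:   PasswordAuthentication=no" ;;
        *)   echo "WARN: PasswordAuthentication=${pw:-yes (default)} (password logins still accepted)"; rc=1 ;;
    esac
    if [ -n "$rsa" ]; then
        echo "note: RSAAuthentication is an SSH protocol 1 option; current OpenSSH ignores it"
    fi
    return "$rc"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```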