admin
GPGTools
安装GPGTools
Mac用户在GPGTools官网下载,这是一款GUI的GPG管理软件,也会自动装上gpg-agent无需另行下载
Yubikey
安装Yubikey管理软件
$ brew install yubikey-personalization
插入Yubikey
设置Yubikey为
OTP and OpenPGP模式$ ykpersonalize -m82
重新设置Yubikey的PIN码(Admin PIN和PIN初始都为
123456)按照下列指令输入
$ gpg --card-edit<省略中间Yubikey信息>gpg/card> adminAdmin commands are allowedgpg/card> passwd1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? 3
输入完成后会弹出GUI要求输入初始Admin PIN,这个时候输入
123456,然后要求你输入新的Admin PIN。修改Admin PIN完成后显示以下回显,选择1
PIN changed.1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? 1
输入完成后会弹出GUI要求输入初始PIN,这个时候输入
123456,然后要求你输入新的PIN。PIN changed.1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? q
Generate keys
生成公私钥
$ gpg --card-editgpg/card> admingpg/card> generateMake off-card backup of encryption key? (Y/n) Y<输入Admin PIN><输入PIN>Please specify how long the key should be valid.0 = key does not expire= key expires in n daysw = key expires in n weeksm = key expires in n monthsy = key expires in n yearsKey is valid for? (0) 1y <密钥有效期一年><省略密钥信息>Is this correct? (y/N) yYou need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form:"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"Real name: <随意写就好>Email address: <邮箱>Comment: <可选>You selected this USER-ID:<接下来需要花几分钟生成keys>Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? Ogpg: generating new keygpg: please wait while key is being generated ...gpg: key generation completed (45 seconds)gpg: signatures created so far: 0gpg: signatures created so far: 0You need a Passphrase to protect your secret key.<弹出GUI要求输入密码保护secret key>gpg: signatures created so far: 2gpg: signatures created so far: 2gpg: generating new keygpg: please wait while key is being generated ...gpg: key generation completed (25 seconds)gpg: signatures created so far: 4gpg: signatures created so far: 4gpg: key marked as ultimately trustedpublic and secret key created and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust modelgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1upub 2048R/79C56617 2015-08-25Key fingerprint = ...uid ...sub 2048R/... ...sub 2048R/... ...</heinrichh@duesseldorf.de>
导出公钥
gpg --armor --export <user-id> > ~/my_gpg_public_key.pub
运行安装好的GPG Keychain,并且在该公钥右键选择
Generate Revoke Certificate,如果你弄丢了Yubikey,就需要这个来撤销- 右键该公钥选择
Send public key to Keyserver
gpg-agent config
配置
gpg-agent.conf$ vim ~/.gnupg/gpg-agent.conf
接下来复制粘贴以下内容
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-macdefault-cache-ttl 600max-cache-ttl 7200enable-ssh-support
配置
gpg-agent自启$ vim ~/.bash_profile#根据shell的不同自己选择配置文件
在末尾添加
GPG_TTY=$(tty)export GPG_TTYif [ -f "${HOME}/.gpg-agent-info" ]; then. "${HOME}/.gpg-agent-info"export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.sshfiRESULT=`pgrep -x "gpg-agent"`#echo ${RESULT};if [ "${RESULT}" > /dev/null ]; thenelseeval $(gpg-agent --daemon --enable-ssh-support)fi
它的作用是先告诉ssh我要用
gpg-agent,再看看gpg-agent是否在运行,如果没有,就运行gpg-agent
ssh config
导出公钥成ssh可理解的形式
$ gpg --export-ssh-key <user-id> > ~/ssh_public_key.pub
上传公钥到要登录的服务器
$ scp -P 22 ~/ssh_public_key.pub <用户名>@:~/
登录服务器,将上传的公钥放在.ssh目录下并更名,赋予权限
<登录步骤省略>$ mv ~/ssh_public_key.pub ~/.ssh/authorized_keys$ chmod 600 ~/.ssh/authorized_keys$ chmod 700 ~/.ssh
修改ssh配置文件
$ vim /etc/ssh/sshd_config
然后找到
RSAAuthentication和PubkeyAuthentication,去掉注释,并把后面跟随值改为yes,如果没有这一项则手动添加RSAAuthentication yesPubkeyAuthentication yes
最后重启sshd服务
$ service sshd restart
当你使用密钥登录后,可以去
sshd_config文件把PasswordAuthentication值设置为no现在你每次登录都需要插入Yubikey,并且会弹出GUI让你输入PIN码,如果输入正确,会有一段时间的cache保证下次登录不需要输入PIN。