GPGTools + SSH + YubiKey + macOS Tutorial
2021-04-29 12:38:47
admin

GPGTools

Install GPGTools

Mac users download it from the GPGTools website. It is a GUI suite for managing GPG keys (GPG Keychain) and also installs the gpg binary (MacGPG2), gpg-agent and pinentry-mac, so none of those need a separate download.

YubiKey

  1. Install the YubiKey management tool

    $ brew install yubikey-personalization

  2. Insert the YubiKey

  3. Set the YubiKey to OTP + CCID mode. The OpenPGP applet is reached over CCID, the smart-card interface, so without CCID enabled gpg will not see the card.

    $ ykpersonalize -m82

  4. Change the YubiKey's PINs. The factory defaults are 123456 for the user PIN and 12345678 for the Admin PIN. gpg enforces a minimum length of 6 characters for the PIN and 8 for the Admin PIN. Three wrong user-PIN entries block the PIN; it can be unblocked with the Admin PIN (menu item 2 below). Three wrong Admin-PIN entries block the Admin PIN permanently, and only a factory reset of the OpenPGP applet, which erases every key on it, recovers from that. Change both PINs now, while the card still holds no keys.

    Enter the following:

    $ gpg --card-edit
    <YubiKey details omitted>
    gpg/card> admin
    Admin commands are allowed
    gpg/card> passwd
    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit
    Your selection? 3

    A pinentry dialog asks for the current Admin PIN; enter 12345678, then enter the new Admin PIN when prompted.

    After the Admin PIN has been changed the menu comes back; choose 1:

    PIN changed.
    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit
    Your selection? 1

    A pinentry dialog asks for the current PIN; enter 123456, then enter the new PIN when prompted.

    PIN changed.
    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit
    Your selection? q

Generate keys

  1. Generate the key pair on the card

    $ gpg --card-edit
    gpg/card> admin
    gpg/card> generate
    Make off-card backup of encryption key? (Y/n) Y
    <enter Admin PIN>
    <enter PIN>
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0) 1y <key valid for one year>
    <key details omitted>
    Is this correct? (y/N) y
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    Real name: <any name>
    Email address: <your email address>
    Comment: <optional>
    You selected this USER-ID:
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    <generating the keys takes a few minutes from here>
    gpg: generating new key
    gpg: please wait while key is being generated ...
    gpg: key generation completed (45 seconds)
    gpg: signatures created so far: 0
    gpg: signatures created so far: 0
    You need a Passphrase to protect your secret key.
    <a pinentry dialog asks for a passphrase; it protects the off-card backup of the encryption key>
    gpg: signatures created so far: 2
    gpg: signatures created so far: 2
    gpg: generating new key
    gpg: please wait while key is being generated ...
    gpg: key generation completed (25 seconds)
    gpg: signatures created so far: 4
    gpg: signatures created so far: 4
    gpg: key marked as ultimately trusted
    public and secret key created and signed.
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub 2048R/79C56617 2015-08-25
    Key fingerprint = ...
    uid ...
    sub 2048R/... ...
    sub 2048R/... ...

    Two points about on-card generation. The signing and authentication keys never leave the YubiKey and cannot be backed up: if the key is lost or destroyed, those keys are gone, which is why the revocation certificate in step 3 matters. The backup you just created covers only the encryption subkey; gpg writes it to ~/.gnupg/sk_<keyid>.gpg, protected by the passphrase you entered. Copy it to offline storage and delete it from this machine, otherwise a private key sits on disk and defeats the point of keeping it on hardware.

  2. Export the public key

    $ gpg --armor --export <user-id> > ~/my_gpg_public_key.pub

  3. Open the installed GPG Keychain, right-click the key and choose Generate Revoke Certificate. If you lose the YubiKey you need this certificate to revoke the key, so keep it somewhere safe and separate from the encryption-key backup.

  4. Right-click the key and choose Send public key to Keyserver
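After generating on the card, the only secret-key entries in ~/.gnupg should be stubs that point at the YubiKey, plus the encryption-key backup you are about to move off the machine. The script below is an added example, not code from the original post: it parses `gpg -K --with-colons` (gpg's machine-readable listing, where field 15 carries the card serial for on-card keys) and flags any secret key whose private material is actually in the keyring. The two listings in it are constructed samples with made-up key IDs and serial number; the live check at the end only runs when gpg is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `gpg -K --with-colons`:
#   $1  record type: sec = primary secret key, ssb = secret subkey
#   $5  key ID
#   $12 capabilities: s = sign, e = encrypt, a = authenticate, c = certify
#   $15 token serial number if the key lives on a smart card, "#" for a
#       stub with no card, empty when the private key itself is in the keyring
# Field layout follows GnuPG's doc/DETAILS; the samples below are constructed.

# Constructed listing of a key generated on the YubiKey: primary plus two
# subkeys, all three carrying the (made-up) card serial in field 15.
SAMPLE_ON_CARD='sec:u:2048:1:1111111179C56617:1440460800:1471996800::u:::scESCA:::D2760001240102010006012345670000:::23::0:
fpr:::::::::0000000000000000000000001111111179C56617:
uid:u::::1440460800::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Heinrich Heine <heinrichh@duesseldorf.de>::::::::::0:
ssb:u:2048:1:2222222222222222:1440460800:1471996800:::::e:::D2760001240102010006012345670000:::23:
ssb:u:2048:1:3333333333333333:1440460800:1471996800:::::a:::D2760001240102010006012345670000:::23:'

# The same key after the off-card encryption-key backup was imported into this
# keyring and never removed: the "e" subkey has no serial, so its private key
# material is on disk.
SAMPLE_LEAKED='sec:u:2048:1:1111111179C56617:1440460800:1471996800::u:::scESCA:::D2760001240102010006012345670000:::23::0:
ssb:u:2048:1:2222222222222222:1440460800:1471996800:::::e::::::23:
ssb:u:2048:1:3333333333333333:1440460800:1471996800:::::a:::D2760001240102010006012345670000:::23:'

# One line per secret key on stdin: "<keyid> <caps> <location>", where
# location is card:<serial>, stub, or DISK.
secret_key_locations() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            loc = "DISK"
            if ($15 == "#")      loc = "stub"
            else if ($15 != "")  loc = "card:" $15
            print $5, $12, loc
        }'
}

# Exit 0 only if every secret key is on a card; names the offenders otherwise.
all_keys_on_card() {
    secret_key_locations | awk '
        $3 !~ /^card:/ { print "NOT ON CARD:", $1, "(" $2 ")", $3; bad = 1 }
        END { exit bad }'
}

echo "--- card-generated key:"
printf '%s\n' "$SAMPLE_ON_CARD" | all_keys_on_card && echo "OK: all secret keys are on the card"
echo "--- encryption-subkey backup left in the keyring:"
printf '%s\n' "$SAMPLE_LEAKED" | all_keys_on_card || echo "FAIL: move that backup off this machine"

# Live check against your own keyring, only when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
    echo "--- this machine:"
    gpg -K --with-colons 2>/dev/null | all_keys_on_card && echo "OK: no private key material in the keyring"
fi
```

Run it after step 1 and again after you have moved the sk_<keyid>.gpg backup away; a `DISK` entry for any of the three capabilities means a private key is still in ~/.gnupg.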

gpg-agent config

  1. Configure gpg-agent.conf

    $ vim ~/.gnupg/gpg-agent.conf

    Paste the following:

    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    default-cache-ttl 600
    max-cache-ttl 7200
    enable-ssh-support

    enable-ssh-support is what makes gpg-agent speak the ssh-agent protocol; the two ttl values (in seconds) bound how long an entered PIN stays cached. gpg-agent reads this file only at startup, so after editing it run gpgconf --kill gpg-agent and let it restart on next use.

  2. Start gpg-agent automatically

    $ vim ~/.bash_profile
    # pick the startup file for your shell (~/.zshrc for zsh, the macOS default since Catalina)

    Append at the end:

    GPG_TTY=$(tty)
    export GPG_TTY
    # Tell ssh to use gpg-agent's SSH-compatible socket. gpgconf reports the
    # real path; the literal fallback is where GnuPG 2.2 puts it on macOS.
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    [ -n "$SSH_AUTH_SOCK" ] || SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    export SSH_AUTH_SOCK
    # Start gpg-agent with SSH support only if it is not already running.
    if ! pgrep -x gpg-agent >/dev/null 2>&1; then
        gpg-agent --daemon --enable-ssh-support >/dev/null 2>&1
    fi

    This first tells ssh to use gpg-agent (by pointing SSH_AUTH_SOCK at gpg-agent's ssh socket), then checks whether gpg-agent is already running and starts it if not. The ~/.gpg-agent-info file that older guides source is no longer written by GnuPG 2.1 and later, which is what GPGTools ships, so the socket path is taken from gpgconf instead.

ssh config

  1. Export the public key in a form ssh understands

    $ gpg --export-ssh-key <user-id> > ~/ssh_public_key.pub

    This prints the authentication subkey (the one with the A capability) as an OpenSSH public-key line; it needs GnuPG 2.1.11 or later.

  2. Upload the public key to the server you want to log in to

    $ scp -P 22 ~/ssh_public_key.pub <user>@<host>:~/

  3. Log in to the server, append the uploaded key to ~/.ssh/authorized_keys and set the permissions. Append rather than move the file into place, so any keys already authorized stay intact.

    <login steps omitted>
    $ mkdir -p ~/.ssh
    $ cat ~/ssh_public_key.pub >> ~/.ssh/authorized_keys
    $ rm ~/ssh_public_key.pub
    $ chmod 600 ~/.ssh/authorized_keys
    $ chmod 700 ~/.ssh

  4. Edit the sshd configuration

    $ sudo vim /etc/ssh/sshd_config

    Find PubkeyAuthentication, uncomment it and make sure its value is yes (add the line if it is missing). Older guides also set RSAAuthentication yes; that option applies only to SSH protocol 1, which modern OpenSSH no longer supports, so leave it out (recent sshd versions log it as a deprecated option):

    PubkeyAuthentication yes

    Finally restart sshd (on Debian and Ubuntu the service is called ssh):

    $ sudo service sshd restart

    Once you have confirmed that key login works, set PasswordAuthentication no in sshd_config and restart sshd again. Do this from a session that stays open, and test a fresh login before closing it, so a mistake cannot lock you out.

    From now on every login needs the YubiKey plugged in, and a pinentry dialog asks for the PIN. After a correct entry gpg-agent caches it for default-cache-ttl seconds, so another login within that window does not prompt again.
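The server-side state this section ends in (public-key logins on, password logins off) is easy to get subtly wrong: sshd takes the first occurrence of a keyword, a commented-out line means the built-in default, and anything after the first Match block is not global. The script below is an added example, not code from the original post, that checks an sshd_config for exactly those settings and also compares the key ssh-agent presents with the key gpg exported, ignoring the comment field, which differs between `ssh-add -L` and `gpg --export-ssh-key` for the same key. The two config files it writes are constructed samples; the GPG_USER_ID variable and the live agent check at the end are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings this tutorial changes, and confirm ssh-agent offers the card key.
# Pure sh + awk, so the config audit runs without a YubiKey or server.

# Effective value of KEYWORD in FILE, or DEFAULT when it is not set globally.
# Mirrors sshd: first occurrence wins, and the global section ends at "Match".
sshd_option() {  # sshd_option FILE KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        tolower($1) == "match"   { exit }            # global section ends here
        tolower($1) == key       { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Returns 0 when FILE enforces key-only logins; prints findings either way.
audit_sshd_config() {  # audit_sshd_config FILE
    rc=0
    pubkey=$(sshd_option "$1" PubkeyAuthentication yes)    # sshd default: yes
    passwd=$(sshd_option "$1" PasswordAuthentication yes)  # sshd default: yes
    rsa1=$(sshd_option "$1" RSAAuthentication "")
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pubkey', expected yes"; rc=1
    fi
    if [ "$passwd" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$passwd', set it to no once key login works"; rc=1
    fi
    if [ -n "$rsa1" ]; then
        echo "WARN: RSAAuthentication only applied to SSH protocol 1; modern sshd ignores it, remove the line"
    fi
    [ "$rc" -eq 0 ] && echo "OK: public-key logins on, password logins off"
    return "$rc"
}

# "<type> <base64>" of an authorized_keys / ssh-add -L line, skipping any
# leading options (e.g. no-pty) and the trailing comment.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

keys_match() {  # keys_match LINE_A LINE_B
    a=$(key_blob "$1"); b=$(key_blob "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- demo on constructed sshd_config files ------------------------------------
WEAK=$(mktemp); STRONG=$(mktemp)
trap 'rm -f "$WEAK" "$STRONG"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: a stock config, nothing enforced yet
#PubkeyAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
EOF
cat >"$STRONG" <<'EOF'
# constructed sample: the state this tutorial ends in
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
echo "== weak:";   audit_sshd_config "$WEAK"   || :
echo "== strong:"; audit_sshd_config "$STRONG" || :

# Live check (assumed workflow): with GPG_USER_ID set and gpg installed, is the
# key gpg exports among the keys ssh-agent (here gpg-agent) will present?
if [ -n "${GPG_USER_ID:-}" ] && command -v gpg >/dev/null 2>&1; then
    blob=$(key_blob "$(gpg --export-ssh-key "$GPG_USER_ID" 2>/dev/null)")
    if [ -n "$blob" ] && ssh-add -L 2>/dev/null | grep -qF "$blob"; then
        echo "OK: ssh-agent offers the YubiKey authentication key"
    else
        echo "FAIL: ssh-agent does not offer the exported key; check SSH_AUTH_SOCK"
    fi
fi
```

Run the audit against a copy of the server's /etc/ssh/sshd_config before restarting sshd, and run the live check on the Mac with `GPG_USER_ID=<user-id> sh check.sh` after the shell profile from the previous section has been loaded; a FAIL there usually means SSH_AUTH_SOCK still points at the system ssh-agent rather than gpg-agent.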
