Loading GPG / SSH Keys from a USB Key, Round 2


Back in January I talked about setting up some scripts to automatically load ssh/gpg keys into the appropriate agents when you plugged in a USB key. I had quite a number of people ask me for my scripts, but they just weren’t quite ready.

I’m still not entirely happy with the solution that I’ve come up with, but I figure it’s working well enough to get some feedback now.

It’s based very heavily on the usb-storage script originally written by Sean Finney, so I think that means I owe him pizza now. However, while it’s based on the usb-storage script, it has changed in a few major ways:

  • Use udev rather than hotplug
  • Support GPG as well as SSH keys
  • Script no longer responsible for mounting partition

The mounting of the partition is the key change and I’m still tossing up whether the way I’m doing it is best or whether I should return to having it handled by the script. The primary reason for changing it was to allow the partition to be mounted in a stable location (as opposed to a random directory under /var/tmp) so that I could symlink from appropriate places in my home directory to the partition on the key.

The symlinking is needed to keep GPG happy as the gpg-agent seems to store only the passphrase and requires access to the private key whenever you need to sign/encrypt something. The way ssh-agent works is much nicer in this respect, in that once you’ve loaded a key into the agent it doesn’t need to refer to it on disk again.

Currently I’m using autofs to mount the partition as needed and this seems to be working well. It’s probably possible to go back to mounting the partition at a stable location from within the script without too much hassle.

You can grab the script from http://www.mattb.net.nz/debian/misc/manage-keys

The remaining details for my configuration are below:

First, set up udev to give the key partition a static name and then fire the script at the appropriate times (note that the serial number is a match, so it uses "==" rather than "="):
/etc/udev/rules.d/usbkey.rules

ACTION=="add", KERNEL=="sd?2", SYSFS{serial}=="A0494386139B005B", NAME="%k", SYMLINK="usbkeys", RUN+="/usr/local/bin/manage-keys"
ACTION=="remove", KERNEL=="sd?2", RUN+="/usr/local/bin/manage-keys"

Then set up autofs to mount the partition on demand (read-only, with nosuid and nodev so nothing on the key can be executed with elevated rights):
/etc/auto.master

/media/usb /etc/auto.usbkey --timeout=10

/etc/auto.usbkey

keys -fstype=ext3,ro,noatime,nosuid,nodev :/dev/usbkeys

I keep only id_dsa and secring.gpg on the key and symlink from the appropriate places in my home directory to /media/usb/keys/:

matt@argon:~$ ls -l .ssh/
total 76
-rw------- 1 matt matt 612 2006-04-12 22:45 authorized_keys
-rw-r--r-- 1 matt matt 2694 2006-04-12 22:46 config
lrwxrwxrwx 1 matt matt 22 2006-04-13 01:08 id_dsa -> /media/usb/keys/id_dsa
-rw-r--r-- 1 matt matt 612 2006-04-12 22:46 id_dsa.pub
-rw-r--r-- 1 matt matt 58851 2006-04-12 23:10 known_hosts
matt@argon:~$ ls -l .gnupg/
total 2336
-rw-r--r-- 1 matt matt 126 2006-04-12 22:56 gpg.conf
drwx------ 2 matt matt 4096 2006-04-12 23:07 private-keys-v1.d
-rw------- 1 matt matt 1175737 2006-04-12 23:29 pubring.gpg
-rw------- 1 matt matt 600 2006-04-13 01:51 random_seed
lrwxrwxrwx 1 matt matt 27 2006-04-13 01:08 secring.gpg -> /media/usb/keys/secring.gpg
-rw------- 1 matt matt 10560 2006-04-12 23:27 trustdb.gpg

And that’s basically it. The script takes care of the rest.
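To make the udev/autofs setup above concrete, here is an added example of what a manage-keys style hook can look like. It is not the manage-keys script linked above and is not taken from the usb-storage script either; it is my own illustration. It assumes (none of this is stated in the post) that udev invokes it with ACTION in the environment, that the desktop user is KEY_USER, and that the user's session has written its ssh-agent socket path to a file named ~/.ssh-agent-sock, so a hook running as root can find the right agent. The mount point, mount options and key file name are the ones from the post.

```shell
#!/bin/sh
# Added example of a manage-keys style udev hook (not the post's script).
# Assumptions, not from the post: udev sets ACTION; the interactive user is
# KEY_USER; that user's session writes its SSH_AUTH_SOCK path to SOCK_FILE.

KEY_USER="${KEY_USER:-matt}"                  # assumption: the desktop user
KEY_DIR="${KEY_DIR:-/media/usb/keys}"         # autofs mount point from the post
SOCK_FILE="/home/$KEY_USER/.ssh-agent-sock"   # assumption: written by the session

# Map the udev ACTION onto what the hook should do. udev also emits events
# such as "change"; those are ignored so the rule can be wired to anything.
plan_for_action() {
    case "$1" in
        add)    echo load ;;
        remove) echo unload ;;
        *)      echo ignore ;;
    esac
}

# A private key is only acceptable as a regular file with no group/other
# permission bits. ls -L follows the symlink from ~/.ssh to the key partition.
keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    perm=$(ls -ldL "$1" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Given the /proc/mounts line for the key partition, require the options the
# auto.usbkey entry asks for: read-only, nosuid and nodev.
mount_opts_ok() {
    set -- $1
    opts=$4
    for want in ro nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

load_keys() {
    # Touching the key file first makes autofs mount the partition.
    keyfile_mode_ok "$KEY_DIR/id_dsa" \
        || { logger -t manage-keys "refusing $KEY_DIR/id_dsa: bad permissions"; return 1; }
    line=$(grep " $KEY_DIR " /proc/mounts | head -n 1)
    mount_opts_ok "$line" \
        || { logger -t manage-keys "$KEY_DIR is not mounted ro,nosuid,nodev"; return 1; }
    [ -r "$SOCK_FILE" ] || { logger -t manage-keys "no agent socket file $SOCK_FILE"; return 1; }
    sock=$(cat "$SOCK_FILE")
    # Drop root before talking to the agent; ssh-add needs the user's socket.
    su "$KEY_USER" -c "SSH_AUTH_SOCK='$sock' ssh-add '$KEY_DIR/id_dsa'"
}

unload_keys() {
    sock=$(cat "$SOCK_FILE" 2>/dev/null) || return 1
    # The key itself is gone, so flush every identity from the agent.
    su "$KEY_USER" -c "SSH_AUTH_SOCK='$sock' ssh-add -D"
    # Best effort only: as the post notes, this needs the session's DBUS
    # address, which udev does not provide, so failure is logged, not fatal.
    su "$KEY_USER" -c "gnome-screensaver-command --lock" \
        || logger -t manage-keys "screen lock failed (no session bus?)"
}

# Entry point: only acts when udev invoked us (ACTION is set), so the file
# can also be sourced to reuse the checks above.
if [ -n "${ACTION:-}" ]; then
    case "$(plan_for_action "$ACTION")" in
        load)   load_keys ;;
        unload) unload_keys ;;
        *)      : ;;
    esac
fi
```

The two checks are the part worth copying: refusing a key whose mode is wider than 0600 catches a key that was copied onto the USB stick with the wrong umask, and checking /proc/mounts catches the case where the partition was mounted by hand without the ro,nosuid,nodev options the autofs map specifies.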

The main problem I’m having with the script at the moment is that it doesn’t autolock the screen when you remove the key, because gnome-screensaver-command is lacking the necessary environment variables to find the DBUS socket it needs to talk to its backend. I need to read up on DBUS/gnome-screensaver and sort out how to fix that tomorrow.

Update: the example udev config above has been changed so that it no longer runs a script out of /home.
