Loading GPG / SSH Keys from a USB Key, Round 2
2010-09-27 14:07
Back in January I talked about setting up some scripts to automatically load SSH/GPG keys into the appropriate agents when you plugged in a USB key. I had quite a number of people ask me for my scripts, but they just weren’t quite ready.
I’m still not entirely happy with the solution I’ve come up with, but I figure it’s working well enough to get some feedback now.
It’s based very heavily on the usb-storage script originally written by Sean Finney, so I think that means I owe him pizza now. However, while it’s based on the usb-storage script, it has changed in a few major ways:
Use udev rather than hotplug
Support GPG as well as SSH keys
Script no longer responsible for mounting partition
The mounting of the partition is the key change and I’m still tossing up whether the way I’m doing it is best or whether I should return to having it handled by the script. The primary reason for changing it was to allow the partition to be mounted in a stable location (as opposed to a random directory under /var/tmp) so that I could symlink from appropriate places in my home directory to the partition on the key.
The symlinking is needed to keep GPG happy as the gpg-agent seems to store only the passphrase and requires access to the private key whenever you need to sign/encrypt something. The way ssh-agent works is much nicer in this respect, in that once you’ve loaded a key into the agent it doesn’t need to refer to it on disk again.
Currently I’m using autofs to mount the partition as needed and this seems to be working well. It’s probably possible to go back to mounting the partition at a stable location from within the script without too much hassle.
You can grab the script from http://www.mattb.net.nz/debian/misc/manage-keys
The remaining details for my configuration are below:
First, set up udev to give the key partition a stable name and to fire the script at the appropriate times:
/etc/udev/rules.d/usbkey.rules
# Match the key partition by its USB serial number, give it a stable name, and run the script.
# (Matching needs "==": a single "=" is udev's assignment operator.)
ACTION=="add", KERNEL=="sd?2", SYSFS{serial}=="A0494386139B005B", NAME="%k", SYMLINK="usbkeys", RUN+="/usr/local/bin/manage-keys"
# sysfs attributes are no longer readable when the remove event fires, so only the kernel name is matched here.
ACTION=="remove", KERNEL=="sd?2", RUN+="/usr/local/bin/manage-keys"
Then set up autofs to mount the partition on demand:
/etc/auto.master
/media/usb /etc/auto.usbkey --timeout=10
/etc/auto.usbkey
keys -fstype=ext3,ro,noatime,nosuid,nodev :/dev/usbkeys
I keep only id_dsa and secring.gpg on the key and symlink from the appropriate places in my home directory to /media/usb/keys/:
matt@argon:~$ ls -l .ssh/
total 76
-rw------- 1 matt matt   612 2006-04-12 22:45 authorized_keys
-rw-r--r-- 1 matt matt  2694 2006-04-12 22:46 config
lrwxrwxrwx 1 matt matt    22 2006-04-13 01:08 id_dsa -> /media/usb/keys/id_dsa
-rw-r--r-- 1 matt matt   612 2006-04-12 22:46 id_dsa.pub
-rw-r--r-- 1 matt matt 58851 2006-04-12 23:10 known_hosts
matt@argon:~$ ls -l .gnupg/
total 2336
-rw-r--r-- 1 matt matt     126 2006-04-12 22:56 gpg.conf
drwx------ 2 matt matt    4096 2006-04-12 23:07 private-keys-v1.d
-rw------- 1 matt matt 1175737 2006-04-12 23:29 pubring.gpg
-rw------- 1 matt matt     600 2006-04-13 01:51 random_seed
lrwxrwxrwx 1 matt matt      27 2006-04-13 01:08 secring.gpg -> /media/usb/keys/secring.gpg
-rw------- 1 matt matt   10560 2006-04-12 23:27 trustdb.gpg
And that’s basically it. The script takes care of the rest.
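To make the shape of the add/remove hook concrete, here is an added example of a script the udev rules above could run; it is not the author's manage-keys script (which is only linked, not reproduced, on this page). Because udev runs the hook as root with no user environment, the script first checks that autofs really mounted the key partition read-only with nosuid,nodev, checks that the private key is mode 0600, locates the user's ssh-agent socket itself, and then loads the key on "add" or flushes the agents on "remove". The user name matt, the mount point /media/usb/keys, the /tmp/ssh-*/agent.* socket location, the DISPLAY=:0 default and the gpg-connect-agent reloadagent call are assumptions of this example.

```shell
#!/bin/sh
# Example add/remove hook in the spirit of the manage-keys script described above.
# Added illustration, not the author's script; the values below are assumptions
# taken from the layout shown in the post.
KEY_USER="${KEY_USER:-matt}"                 # assumed: owner of the keys
KEY_MOUNT="${KEY_MOUNT:-/media/usb/keys}"    # assumed: autofs mount point
SSH_KEY="$KEY_MOUNT/id_dsa"
REQUIRED_OPTS="ro nosuid nodev"              # what /etc/auto.usbkey is meant to guarantee

# Map udev's ACTION variable to the operation we perform.
action_to_op() {
    case "$1" in
        add)    echo load ;;
        remove) echo unload ;;
        *)      echo ignore ;;
    esac
}

# Given one line of /proc/mounts, succeed only if every option in
# REQUIRED_OPTS appears in its option field (field 4).
mount_opts_ok() {
    set -- $1
    opts="$4"
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# ssh refuses a private key readable by group or other; check before calling ssh-add.
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# No user environment under udev, so find the user's ssh-agent socket ourselves
# (ssh-agent creates /tmp/ssh-XXXXXX/agent.<pid>).
find_agent_socket() {
    for sock in /tmp/ssh-*/agent.*; do
        [ -S "$sock" ] || continue
        if [ "$(stat -c %U "$sock")" = "$1" ]; then
            printf '%s\n' "$sock"
            return 0
        fi
    done
    return 1
}

load_keys() {
    # Touching the directory lets autofs mount the partition before we inspect it.
    [ -d "$KEY_MOUNT" ] || { echo "manage-keys: $KEY_MOUNT not available" >&2; return 1; }
    line=$(grep " $KEY_MOUNT " /proc/mounts | head -n 1)
    mount_opts_ok "$line" || { echo "manage-keys: $KEY_MOUNT lacks $REQUIRED_OPTS, refusing" >&2; return 1; }
    key_perms_ok "$SSH_KEY" || { echo "manage-keys: $SSH_KEY is not mode 0600" >&2; return 1; }
    sock=$(find_agent_socket "$KEY_USER") || { echo "manage-keys: no agent socket for $KEY_USER" >&2; return 1; }
    # There is no tty here: ssh-add needs DISPLAY and an SSH_ASKPASS helper to prompt for the passphrase.
    su "$KEY_USER" -c "SSH_AUTH_SOCK='$sock' DISPLAY='${DISPLAY:-:0}' ssh-add '$SSH_KEY' < /dev/null"
}

unload_keys() {
    if sock=$(find_agent_socket "$KEY_USER"); then
        su "$KEY_USER" -c "SSH_AUTH_SOCK='$sock' ssh-add -D"
    fi
    # The private key left with the partition; flush gpg-agent's cached passphrase too
    # (gpg-connect-agent's reloadagent command, assumed available with gnupg 2.x).
    su "$KEY_USER" -c "gpg-connect-agent reloadagent /bye" >/dev/null 2>&1 || true
}

main() {
    case "$(action_to_op "${ACTION:-}")" in
        load)   load_keys ;;
        unload) unload_keys ;;
        *)      echo "manage-keys: ignoring ACTION=${ACTION:-unset}" >&2; return 1 ;;
    esac
}

# Dispatch only when udev has set ACTION; sourcing the file does nothing.
if [ -n "${ACTION:-}" ]; then
    main
fi
```

The mount-option check is the part worth keeping whatever else changes: the whole point of the autofs map is that the key partition is never writable, setuid or device-bearing, and a hook that runs as root should refuse to touch keys on a partition that somehow got mounted otherwise. The example does not attempt the screen locking discussed below.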
The main problem I’m having with the script at the moment is that it doesn’t auto-lock the screen when you remove the key, because gnome-screensaver-command is lacking the environment variables it needs to find the DBUS socket it uses to talk to its backend. I need to read up on DBUS/gnome-screensaver and sort out how to fix that tomorrow.
Update: updated the example udev config so it doesn’t run a script out of /home.