30.05.2009 21:22

Application of the GPG Passphrase Agent

Now that some of you are using GnuPG for the first time (at least I like to think so), you will have noticed that almost every action asks for your passphrase. I'd like to introduce you to the GnuPG agent, a daemon that manages your secret keys and caches their passphrases. With the agent running you enter your passphrase only once, the first time it is needed; on all subsequent actions the agent takes care of it. It is similar to what ssh-agent does for SSH keys.

GPG should use the agent whenever possible. Add to "~/.gnupg/gpg.conf":

# Passphrase agent
use-agent
Since you are editing config files you should prepare the agent's one now, "~/.gnupg/gpg-agent.conf":
# Environment file
write-env-file /home/user/.gnupg/gpg-agent.info
# Cache settings
default-cache-ttl 3600
default-cache-ttl-ssh 3600
# PIN entry program
#pinentry-program /usr/bin/pinentry-curses
pinentry-program /usr/bin/pinentry-gtk-2
# SmartCard daemon
#scdaemon-program /usr/bin/scdaemon
disable-scdaemon
The agent makes use of the pinentry package, which provides a collection of simple PIN and passphrase entry dialogs. You can choose between the ncurses, GTK and Qt versions. Note that the ncurses one needs to know which terminal to draw on, so "GPG_TTY" must be exported in that terminal (export GPG_TTY=$(tty)); under X the GTK or Qt version is the simpler choice.

You can start the agent from your "~/.xinitrc" file.
# Start the GnuPG agent and enable OpenSSH agent emulation
gnupginf="${HOME}/.gnupg/gpg-agent.info"

# An agent from an earlier session may still be running: reuse it by
# importing the variables it wrote to the info file (and exporting them,
# since the file contains only NAME=value lines). Otherwise start a fresh
# one; with --daemon it prints the same variables, ready to be eval'ed.
if pgrep -u "${USER}" gpg-agent >/dev/null; then
    eval "$(cat "$gnupginf")"
    eval "$(cut -d= -f1 "$gnupginf" | xargs echo export)"
else
    eval "$(gpg-agent --enable-ssh-support --daemon)"
fi
That is all. You enter your passphrase once, the first time it is needed, and for the rest of the session (see the cache settings in the manual page; above they are set to one hour) you can work transparently. You will also have noticed that I enabled the SSH support. The previously mentioned ssh-agent does a similar thing for your SSH keys, but you can avoid running both since gpg-agent can emulate it. If you are not using an SSH agent yet, this is a good time to start.

SSH public key authentication lets a client log in to remote systems without the account's login password. It makes remote access easier and allows for all kinds of automation. If password logins are additionally forbidden on the server ("PasswordAuthentication no" in sshd_config) it drastically improves security: an attacker can no longer guess or brute-force a password over the network, and knowing your key passphrase alone is useless without the key file. It is close to two-factor authentication, something you have (the key) and something you know (the passphrase), with one caveat: the passphrase only protects the key file at rest and the server never sees it, so an attacker who copies an unencrypted key, or a key together with its passphrase, has everything he needs.

You can generate a key pair with:
$ ssh-keygen -t rsa -b 4096
I don't need to tell you that you should pick a decent passphrase when prompted and never take the easy way out and leave it empty. Now you have two new files in your "~/.ssh" directory: "id_rsa" with your private and "id_rsa.pub" with your public key. Copy the public key to the remote server with scp or ssh-copy-id. Note that servers look for keys in "~/.ssh/authorized_keys" (and, by default, also in the older "authorized_keys2"), one key per line, so the usual way is to append the contents of "id_rsa.pub" to that file rather than to copy the file under its own name. sshd is picky about permissions: "~/.ssh" should be mode 700 and "authorized_keys" mode 600, otherwise the key is silently ignored. When your key is on the server you can try to log in. As with GPG you are asked for your passphrase every time. This is where the agent comes in: if you use one you are asked for your passphrase only the first time, while all other logins are completely transparent.

If your gpg-agent is running by now, with SSH emulation, you should add your key to the agent. As with ssh-agent you use the ssh-add utility; the difference is that gpg-agent converts the key into its own key store and records the keys it is allowed to serve in the "~/.gnupg/sshcontrol" file. It's as simple as:
$ ssh-add
...and your key is approved. Your agent is now taking care of both GPG and SSH keys, making your life much easier.
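Installing the public key on the server by hand, as an added example that is not from the original post: the function below appends a key line to authorized_keys only if it is not already there and sets the permissions sshd expects. The function names and the key material in the usage line are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent install of an
# OpenSSH public key into authorized_keys with StrictModes-friendly permissions.

# install_authorized_key PUBKEY_FILE [TARGET_HOME]
# Appends the single key line in PUBKEY_FILE to TARGET_HOME/.ssh/authorized_keys
# unless the same key material is already present. Returns 1 if the file does
# not look like one "keytype base64 [comment]" line. (Lines carrying options
# such as from="..." in front of the type are not recognised as duplicates.)
install_authorized_key() {
    pub="$1"; home="${2:-$HOME}"
    sshdir="$home/.ssh"; keys="$sshdir/authorized_keys"

    [ -r "$pub" ] || return 1
    [ "$(wc -l < "$pub")" -le 1 ] || return 1
    key=$(sed -n '1p' "$pub")
    case "$key" in
        ssh-[a-z0-9]*\ *|ecdsa-sha2-*\ *) ;;   # ssh-rsa is what ssh-keygen -t rsa writes
        *) return 1 ;;
    esac

    # sshd ignores the file when the directory or file is group/world writable.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$keys" && chmod 600 "$keys"

    # Compare type and key material only, so a changed comment does not
    # produce a second entry for the same key.
    keymat=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if ! cut -d' ' -f1,2 "$keys" | grep -qxF "$keymat"; then
        printf '%s\n' "$key" >> "$keys"
    fi
}

# count_authorized_keys [TARGET_HOME]: number of key lines installed.
count_authorized_keys() {
    wc -l < "${1:-$HOME}/.ssh/authorized_keys" | tr -d ' '
}

# Usage (assumed paths): install_authorized_key ~/id_rsa.pub /home/user
```

Run it on the server after copying "id_rsa.pub" over with scp; running it twice with the same key leaves a single line.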

Last tip. To make use of the agent in a cronjob you need to export SSH_AUTH_SOCK; since the socket path changes with every session you can do something like:
* * * * * SSH_AUTH_SOCK=`find /tmp/gpg-* -name S.gpg-agent.ssh` ssh ... ...
This is fragile when stale "/tmp/gpg-*" directories from earlier sessions are lying around, since find may then return more than one path. It is more reliable to read the needed data from the agent information file (see the above xinitrc example).
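A wrapper for the cron case, as an added example and not code from the original post. It reads the agent information file without eval'ing it (only the two known variable names are exported, so a stray or tampered line cannot execute anything), checks that the SSH socket is actually alive, and only then falls back to searching "/tmp". The function names, the "GPG_AGENT_INFO_FILE" and "GPG_SOCKET_DIR" override variables and the sample file content in the usage comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: load gpg-agent's environment
# for a cronjob and run a command with it.

# Only these names are taken from the info file; everything else is ignored
# instead of being eval'ed into the shell.
AGENT_VARS="GPG_AGENT_INFO SSH_AUTH_SOCK"

# load_agent_info FILE
# Parses NAME=value lines (the format gpg-agent's write-env-file produces),
# exports the whitelisted names and returns 1 if the file is unreadable or
# did not provide SSH_AUTH_SOCK.
load_agent_info() {
    info="$1"
    [ -r "$info" ] || return 1
    # "|| [ -n "$name" ]" also handles a last line without a newline
    while IFS='=' read -r name value || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        case " $AGENT_VARS " in
            *" $name "*) export "$name=$value" ;;
            *) ;;   # comments, blanks, unknown or hostile names are skipped
        esac
    done < "$info"
    [ -n "${SSH_AUTH_SOCK:-}" ]
}

# ssh_socket_ok: succeed only if SSH_AUTH_SOCK points at an existing socket.
ssh_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# find_ssh_socket: fallback search for the emulated agent socket, newest
# first so a stale directory from an old session does not win. Prints
# nothing when there is none.
find_ssh_socket() {
    dir="${GPG_SOCKET_DIR:-/tmp}"
    ls -t "$dir"/gpg-*/S.gpg-agent.ssh 2>/dev/null | head -n 1
}

# with_agent COMMAND [ARGS...]
# Crontab usage (assumed path):  * * * * * /home/user/bin/with-agent.sh ssh host cmd
with_agent() {
    info="${GPG_AGENT_INFO_FILE:-$HOME/.gnupg/gpg-agent.info}"
    if ! load_agent_info "$info" || ! ssh_socket_ok; then
        SSH_AUTH_SOCK=$(find_ssh_socket); export SSH_AUTH_SOCK
    fi
    if ! ssh_socket_ok; then
        echo "with_agent: no live gpg-agent SSH socket found" >&2
        return 1
    fi
    "$@"
}

# Constructed example of the info file this expects:
#   GPG_AGENT_INFO=/tmp/gpg-Ab12Cd/S.gpg-agent:12345:1
#   SSH_AUTH_SOCK=/tmp/gpg-Ab12Cd/S.gpg-agent.ssh

if [ $# -gt 0 ]; then
    with_agent "$@"
fi
```

Because the socket check fails closed, a cronjob using this wrapper will log an error instead of hanging on a passphrase prompt when no agent (or only a stale socket) is around.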


Written by anrxc | Permalink | Filed under crypto, desktop, work