Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac

Install GnuPG and a decent PIN entry program #

$ brew install gnupg2 pinentry-mac

Configure GnuPG #

We’ll need to tell GnuPG to use the new PIN entry program as well as enable SSH support for its agent.

In ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support

Start the agent on startup #

GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.

We’re exporting the location of the SSH agent socket and then checking whether a valid UNIX socket exists at that path. If the check fails, we launch gpg-agent. Note that gpgconf is smart enough not to launch a second agent if one is already running, so even if the check somehow fails (race condition, etc.) it won’t cause any problems.

In ~/.zshrc.local:

# GnuPG
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
[ -S "$SSH_AUTH_SOCK" ] || gpgconf --launch gpg-agent
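The same startup check, written as a small set of shell functions so it can be sourced from a startup file and tested in isolation. This is an added example, not code from the original post: instead of hard-coding ~/.gnupg/S.gpg-agent.ssh it asks GnuPG where the SSH socket lives (`gpgconf --list-dirs agent-ssh-socket`, available since GnuPG 2.1), and only falls back to the path from the post when gpgconf is not on PATH. The function names are my own; the fallback path is an assumption for hosts without gpgconf.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the gpg-agent SSH
# socket and start the agent only when no live socket is present.

# Ask GnuPG where its SSH socket lives (GnuPG >= 2.1 exposes this via
# gpgconf). The fallback is the legacy ~/.gnupg path used in the post and
# is an assumption for hosts where gpgconf is not on PATH.
gpg_ssh_socket_path() {
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --list-dirs agent-ssh-socket
  else
    printf '%s\n' "${HOME}/.gnupg/S.gpg-agent.ssh"
  fi
}

# Return 0 only if $1 exists and is a UNIX domain socket.
# A regular file or a missing/stale path counts as "not ready".
gpg_ssh_socket_ready() {
  [ -S "$1" ]
}

# Export SSH_AUTH_SOCK and launch gpg-agent if the socket is not live.
# gpgconf refuses to start a second agent, so a spurious launch is harmless.
gpg_ssh_agent_setup() {
  SSH_AUTH_SOCK="$(gpg_ssh_socket_path)"
  export SSH_AUTH_SOCK
  if gpg_ssh_socket_ready "$SSH_AUTH_SOCK"; then
    return 0
  fi
  gpgconf --launch gpg-agent
}

# Sourced from ~/.zshrc.local (or similar), this replaces the two-line
# snippet above; run it directly to set up the agent for the current shell.
gpg_ssh_agent_setup
```

Because the socket path is queried rather than assumed, the same function works on Linux, where recent GnuPG places the socket under /run/user/<uid>/gnupg instead of ~/.gnupg.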

Finally, restart your shell (just open a new terminal) and enjoy:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1... cardno:000500002B9C