Mailing List Archive

No SSH public key authentication using smartcard
Hello,
I'm trying to configure a solution for this use case:
SSH                  SSH
Client                ---->    Jumphost    ---->    Server
(Windows 11)                   (Linux)              (Linux)

I connect a Nitrokey security-token (that is comparable to Yubikey) with
OpenPGP keys to my client.
And I want to use this Nitrokey for SSH login to remote servers.

For this I installed GPG4Win on my client and configured file
gpg-agent.conf (comment lines are prefixed with # as in the Gpg4win template):
enable-ssh-support
# To Enable support for PuTTY
enable-putty-support
# To Enable support for the native Microsoft OpenSSH binaries (requires
# gpg 2.4.0 / Gpg4win 4.1.0 or higher)
enable-win32-openssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

Then I (re-)start the gpg-agent and try to SSH into the jumphost using
the command ssh <fqdn-jumphost> in Windows PowerShell.
Here I get a popup window where I must enter the PIN previously set on
Nitrokey.
After this I'm connected to the jumphost (Linux).

Now I want to connect to the server using command ssh <fqdn-server>,
however I need to enter a password.
This means public key authentication fails.
And I think this fails because SSH agent forwarding is not working.

Can you please advise how to configure SSH agent forwarding correctly in my setup?

THX
Thomas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: No SSH public key authentication using smartcard
Coincidentally, I have a similar setup. Fortunately, you do *not* need
Agent Forwarding for authentication via jump hosts.

The entry for your host (in “~/.ssh/config”) for this host should look
something like this:

Host myalias
HostName myserver.com
ProxyJump jumpserver.net
IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be
careful with the line breaks (Unix versus Windows convention) in the
configuration files.

Regards
Stephan
Re: No SSH public key authentication using smartcard
Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?

Actually I have a working setup on Windows 10, but here I use another
terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.

THX

Am 25.11.23 um 12:30 schrieb Stephan Verbücheln via Gnupg-users:
> Coincidentally, I have a similar setup. Fortunately, you do *not* need
> Agent Forwarding for authentication via jump hosts.
>
> The entry for your host (in “~/.ssh/config”) for this host should look
> something like this:
>
> Host myalias
> HostName myserver.com
> ProxyJump jumpserver.net
> IdentityAgent %d/.gnupg/S.gpg-agent.ssh
>
> There may be some Windows-specific pitfalls. Perhaps you have to be
> careful with the line breaks (Unix versus Windows convention) in the
> configuration files.
>
> Regards
> Stephan
>
Re: No SSH public key authentication using smartcard
On 25.11.23 13:24, Thomas Schneider via Gnupg-users wrote:
> Hello Stephan,
>
> thanks for your reply.
>
> When you say I should modify ~/.ssh/config, where is this file?
> On jumphost?
>
> Actually I have a working setup on Windows 10, but here I use another
> terminal emulator: MobaXterm.
> And in the settings of MobaXterm I enabled SSH forwarding.
>
> As of now I don't want to continue using MobaXterm on Windows 11, but
> using Windows Terminal.

Hey Stephan,

I cannot answer where to find that file on Windows, but the first hit
with Google: https://stackoverflow.com/a/56536275

You can also set these options directly on the command line:
```
ssh -o IdentityAgent='%d/.gnupg/S.gpg-agent.ssh' -o ProxyJump=jumpserver.example.net targethost.example.org
```

I'm not sure if you really have to set the IdentityAgent if your GPG and
SSH Agent Socket is setup correctly...

Do you see something with `ssh-add -L`? If yes, then you should not have
a need to set IdentityAgent for a Host. (Only if you have multiple
agents or you have to specify it only for certain hosts etc., but if
it's your only agent and you have no special requirements, then just
leave it out IF `ssh-add -L` shows you the key from your card.)

Good luck,
Bernd
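A check that follows from Bernd's advice, added here as an example and not code from the thread or from GnuPG/OpenSSH: `ssh-add -L` showing a key only proves the agent offers it; the second hop still prompts for a password if that key is not in the target's authorized_keys. The script below reads public-key lines in the format `ssh-add -L` prints and authorized_keys consumes, computes the SHA256 fingerprint that ssh and sshd log, and reports which agent keys the target accepts, ignoring comments and authorized_keys options (from="...", no-agent-forwarding) the way sshd does when matching the key blob. The key material is constructed from counting bytes and is not a real key.

```python
"""Compare the keys an agent offers (ssh-add -L) with a target's authorized_keys.

Added example, not from the thread. Keys are compared by SHA256 fingerprint of
the key blob, so comments and authorized_keys options do not affect the result.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_line(raw32, comment):
    """Build a pubkey line around a 32-byte stand-in for an Ed25519 point (demo input only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (key_type, blob, comment); leading authorized_keys options are skipped."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            # The blob's first wire string must repeat the declared key type.
            if blob[4:4 + n] != tok.encode():
                raise ValueError(f"declared type {tok} does not match key blob")
            return tok, blob, " ".join(tokens[i + 2:])
    raise ValueError("no public key found on line")


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf and sshd logs print it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_keys_fingerprints(text):
    """Map fingerprint -> comment for every key line of an authorized_keys file."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _, blob, comment = parse_pubkey_line(line)
        result[fingerprint(blob)] = comment
    return result


def check_agent_against_target(agent_listing, authorized_keys_text):
    """For each `ssh-add -L` line, say whether the target would authorize it."""
    authorized = authorized_keys_fingerprints(authorized_keys_text)
    report = {}
    for line in agent_listing.splitlines():
        if not line.strip():
            continue
        key_type, blob, comment = parse_pubkey_line(line)
        fp = fingerprint(blob)
        report[fp] = {"type": key_type, "comment": comment, "authorized": fp in authorized}
    return report


# Constructed sample data: CARD_KEY stands in for the key on the token.
CARD_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
AGENT_LISTING = constructed_ed25519_line(CARD_KEY, "cardno:000000000001") + "\n"
AUTHORIZED_KEYS = "\n".join([
    "# keys for the admin account (constructed sample)",
    'no-agent-forwarding,from="203.0.113.0/24" ' + constructed_ed25519_line(CARD_KEY, "admin token"),
    constructed_ed25519_line(OTHER_KEY, "someone else"),
]) + "\n"

if __name__ == "__main__":
    for fp, info in check_agent_against_target(AGENT_LISTING, AUTHORIZED_KEYS).items():
        state = "authorized" if info["authorized"] else "NOT authorized"
        print(fp, info["type"], state, info["comment"])
```

In practice you paste the real `ssh-add -L` output from the client and the authorized_keys of the account on the server into the two inputs; a key that shows as NOT authorized explains a password prompt without touching the agent or forwarding setup at all.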

Re: No SSH public key authentication using smartcard
Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?

Actually I have a working setup on Windows 10, but here I use another
terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.

Please note that I have not installed Git for Windows [1], which includes
the tool "Git BASH"; I don't think that this additional terminal is required
to use SSH.

I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH
public key fetched from secure card.

But once connected to jumphost, all SSH relevant information is
unavailable.

THX

On 2023-11-25 12:30, Stephan Verbücheln via Gnupg-users wrote:

> Coincidentally, I have a similar setup. Fortunately, you do *not* need
> Agent Forwarding for authentication via jump hosts.
>
> The entry for your host (in "~/.ssh/config") for this host should look
> something like this:
>
> Host myalias
> HostName myserver.com
> ProxyJump jumpserver.net
> IdentityAgent %d/.gnupg/S.gpg-agent.ssh
>
> There may be some Windows-specific pitfalls. Perhaps you have to be
> careful with the line breaks (Unix versus Windows convention) in the
> configuration files.
>
> Regards
> Stephan



Links:
------
[1] https://gitforwindows.org/
Re: No SSH public key authentication using smartcard
Thomas via Gnupg-users wrote:
> Hello Stephan,
>
> thanks for your reply.
>
> When you say I should modify ~/.ssh/config, where is this file?
> On jumphost?

You need to configure SSH agent forwarding on your client, which will
provide access to your local SSH agent at the jumphost via the SSH
connection between your client and the jumphost. Since you are using a
Windows client, ~/.ssh/config may not be relevant to your configuration.


-- Jacob

Re: No SSH public key authentication using smartcard
Hi,
this is exactly what I thought.
However, there's no solution for it.

Let me repeat my comments posted previously to give an overview of what is
working...
Actually I have a working setup on Windows 10, but here I use another
terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.
As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.
I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH
public key fetched from secure card.


THX


Am 28.11.23 um 03:53 schrieb Jacob Bachmeyer:
> Thomas via Gnupg-users wrote:
>> Hello Stephan,
>>
>> thanks for your reply.
>>
>> When you say I should modify ~/.ssh/config, where is this file?
>> On jumphost?
>
> You need to configure SSH agent forwarding on your client, which will
> provide access to your local SSH agent at the jumphost via the SSH
> connection between your client and the jumphost.  Since you are using
> a Windows client, ~/.ssh/config may not be relevant to your
> configuration.
>
>
> -- Jacob


Re: No SSH public key authentication using smartcard
Thomas wrote:
> Hi,
> this is exactly what I thought.
> However, there's no solution for it.
>
> Let me repeat my comments posted previously to get an overview what is
> working...
> Actually I have a working setup on Windows 10, but here I use another
> terminal emulator: MobaXterm.
> And in the settings of MobaXterm I enabled SSH forwarding.
> As of now I don't want to continue using MobaXterm on Windows 11, but
> using Windows Terminal.
> I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH
> public key fetched from secure card.

If you are using a Windows port of OpenSSH, try "ssh.exe -o ForwardAgent
JUMPHOST" and see if that makes your local SSH agent available at the
jumphost. As I do not use Windows, I do not know where that Windows
port would expect to find its configuration file.


-- Jacob

Re: No SSH public key authentication using smartcard
To my knowledge, no (explicit) agent forwarding is required for
ProxyJump configurations.

I am using the following configuration to access a LAN machine over the
Internet. Both machines use the GnuPG key for authentication.

Host rdeep
HostName 192.168.1.151
ProxyJump verbuecheln.ch
IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

This also works when the Internet connection is using IPv6 and the LAN
connection is using IPv4. SSH takes care of these things transparently.

Regards
Stephan
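The two approaches in this thread differ in where the smartcard's signing capability is reachable: with Stephan's ProxyJump configuration the jump host only relays an encrypted byte stream and authentication to the target happens end to end from the client, while with Jacob's ForwardAgent approach the client's agent socket is exposed on the jump host, where a root user can request signatures from the token for as long as the session is open. The script below is an added example (not code from the thread, GnuPG or OpenSSH) that parses an ssh_config-style text with OpenSSH's first-match-wins rule and reports, per host alias, which of the two is in effect; the sample config and host names are constructed placeholders. With the native Windows OpenSSH client the same file lives at %USERPROFILE%\.ssh\config, and, as Bernd notes, IdentityAgent can be left out when ssh-add -L already shows the card key.

```python
"""Audit an OpenSSH client config for how each host is reached.

Added example for this thread. For each host alias it reports whether the hop
uses ProxyJump (key stays on the client) or ForwardAgent (agent socket exposed
on the remote host). SAMPLE_CONFIG is constructed for the demo.
"""
import fnmatch
import shlex

SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
IdentityAgent ~/.gnupg/S.gpg-agent.ssh

Host myalias
    HostName myserver.example.com
    ProxyJump jumpserver.example.net

Host legacy
    HostName 192.0.2.10
    ForwardAgent yes

Host both
    ProxyJump=jumpserver.example.net
    ForwardAgent=yes

Host jumpserver.example.net
    ForwardAgent no
"""


def parse_ssh_config(text):
    """Return (host_patterns, key, value) triples in file order.

    host_patterns is None for options before the first Host line. Keys are
    lower-cased; 'Key value' and 'Key=value' are both accepted, as in ssh_config(5).
    """
    entries, patterns = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split("=", 1)[0]
        if "=" in line and not any(c.isspace() for c in head):
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            patterns = shlex.split(value)
            continue
        entries.append((patterns, key, value))
    return entries


def host_matches(host, patterns):
    """ssh_config Host semantics: a negated pattern vetoes, otherwise any match wins."""
    if patterns is None:
        return True
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def effective_options(entries, host):
    """Options ssh would apply to `host`: the first matching value of each key wins."""
    opts = {}
    for patterns, key, value in entries:
        if host_matches(host, patterns):
            opts.setdefault(key, value)
    return opts


def hop_mode(opts):
    """Classify the hop as 'proxyjump', 'forwardagent', 'both' or 'direct'."""
    via_jump = opts.get("proxyjump", "none").lower() != "none"
    forwards = opts.get("forwardagent", "no").lower() == "yes"
    if via_jump and forwards:
        return "both"
    return "proxyjump" if via_jump else ("forwardagent" if forwards else "direct")


FINDINGS = {
    "proxyjump": "ok: key stays on the client; jump host only relays traffic",
    "forwardagent": "exposed: agent socket reachable on the remote host; prefer ProxyJump",
    "both": "unnecessary: ProxyJump already authenticates end to end; drop ForwardAgent",
    "direct": "ok: no intermediate host",
}


def audit(text, hosts):
    """Return {host: {"mode", "jump", "identity_agent", "finding"}} for the given aliases."""
    entries = parse_ssh_config(text)
    report = {}
    for host in hosts:
        opts = effective_options(entries, host)
        mode = hop_mode(opts)
        report[host] = {"mode": mode, "jump": opts.get("proxyjump"),
                        "identity_agent": opts.get("identityagent"), "finding": FINDINGS[mode]}
    return report


if __name__ == "__main__":
    for host, info in audit(SAMPLE_CONFIG, ["myalias", "legacy", "both", "jumpserver.example.net"]).items():
        print(f"{host:24} {info['mode']:13} {info['finding']}")
```

Run it against your own config with the aliases you actually use; any host reported as forwardagent is the place to switch to a ProxyJump block like Stephan's, after which the jump host never sees the agent.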