Thursday, December 17, 2009

Manage SSH and GPG keys efficiently in KDE

Manage SSH and GPG keys efficiently in KDE                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                               
  Introduction                                                                                                                                                                                                                                 
    Here I present a simple way to handle SSH and GPG keys easily in KDE4.                                                                                                                                                                       
    These method presents several advantages:                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
      * Works great with KDE4 that ships with Kubuntu Maverick Meerkat and may                                                                                                                                                                    
        work in other KDE distributions without too much trouble.                                                                                                                                                                                 
      * Use Kwallet as the passphrase manager so you unlock Kwallet once on                                                                                                                                                                       
        login and from there it will handle all passphrase requests.                                                                                                                                                                              
      * Works great with automated tasks (via cron or incron) that use SSH key                                                                                                                                                                    
        authentication (e.g. famous rsync unexplained error 255).                                                                                                                                                                                 
                                                                                                                                                                                                                                                                               
  Pre-requisities                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                               
    Considering that you are reading this post because you need a better way                                                                                                                                                                     
    to manage you ssh and gpg keys then it is safe to assume you have already                                                                                                                                                                    
    generated your ssh/gpg keys and that you know how to use them.                                                                                                                                                                               
                                                                                                                                                                                                                                                                               
  Disable KDE4 from starting ssh-agent and gpp-agent                                                                                                                                                                                           
                                                                                                                                                                                                                                                                               
    Kubuntu 10.10 by default starts the ssh-agent and gpg-agent causing some                                                                                                                                                                     
    conflicts with this setup based on keychain. Using the default                                                                                                                                                                               
    configuration does not seem to use kwallet and certainly does not work                                                                                                                                                                       
    with kmail/mutt so I prefer to disable these and enable keychain instead.                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
    To disable the default ssh-agent edit the "/etc/X11/Xsession.options" file                                                                                                                                                         
    and comment out the line that says use-ssh-agent.                                                                                                                                                                                            
                                                                                                                                                                                                                                                 
    To disable the default gpg-agent edit the "~/.gnupg/gpg.conf" file and                                                                                                                                                             
    comment out the line that says use-agent.                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
    With these default agent's disabled now we can configure KDE to use                                                                                                                                                                          
    keychain that I consider a superior tool to handle ssh/gpg keys.                                                                                                                                                                             
                                                                                                                                                                                                                                                                               
  SSH/GPG Key management with KWallet                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                               
    First we install the needed software packages:                                                                                                                                                                                               
                                                                                                                                                                                                                                                                               
    ; sudo aptitude install keychain ksshaskpass kwalletcli                                                                                                                                                                                       
                                                                                                                                                                                                                                                                               
    configure the "~/.gnupg/gpg-agent.conf" file so it uses the kwallet                                                                                                                                                                
    pinentry program to manage gpg keys. Simply add the pinentry-program line                                                                                                                                                                    
    or replace it if it already exists with:                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                               
    ; pinentry-program /usr/bin/pinentry-kwallet                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                               
    Now we need to load keychain and all the environment variables it sets                                                                                                                                                                       
    when KDE starts. To do this we simply create a small script, say                                                                                                                                                                             
    "keychain.sh" and put it inside out ".kde/env" directory. The script                                                                                                                                                     
    contains these lines:                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                               
    <SCRIPT                                                                                                                                                                                                                                 
    < #!/bin/sh                                                                                                                                                                                                                             
    < ################################################################################                                                                                                                                                      
    < # Load keychain to handle ssh and gpg keys                                                                                                                                                                                            
    < ################################################################################                                                                                                                                                      
    < if [ -f /usr/bin/keychain ]; then                                                                                                                                                                                                     
    <   if [ -f /usr/bin/ksshaskpass ]; then                                                                                                                                                                                                
    <     export SSH_ASKPASS=/usr/bin/ksshaskpass                                                                                                                                                                                           
    <   else                                                                                                                                                                                                                                
    <     export SSH_ASKPASS=/usr/bin/askpass                                                                                                                                                                                               
    <   fi                                                                                                                                                                                                                                  
    <   /usr/bin/keychain                                                                                                                                                                                                                   
    <   $HOME/.keychain/`hostname`-sh                                                                                                                                                                                                       
    <   $HOME/.keychain/`hostname`-sh-gpg                                                                                                                                                                                                   
    < fi                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
    what this does is to setup the SSH_ASKPASS environment variable to use the                                                                                                                                                                   
    ksshaskpass program that handles ssh keys inside KWallet. Then invokes                                                                                                                                                                       
    keychain which starts the ssh-agent and gpg-agent daemons and sets some                                                                                                                                                                      
    environment variables so all KDE applications can see them.                                                                                                                                                                                  
                                                                                                                                                                                                                                                                               
    Finally we must load our ssh/gpg keys into keychain. The best place to do                                                                                                                                                                    
    this is with the KDE Autostart scripts. Simply create a script, say                                                                                                                                                                          
    add_keys.sh, into you ".kde/Autostart" folder that contains something                                                                                                                                                              
    like: 
                                                                                                                                                                                                                                                                               
    <SCRIPT                                                                                                                                                                                                                                 
    < #!/bin/sh                                                                                                                                                                                                                             
    < ################################################################################                                                                                                                                                      
    < # Load keychain to handle ssh and gpg keys                                                                                                                                                                                            
    < ################################################################################                                                                                                                                                      
    < if [ -f /usr/bin/keychain ]; then                                                                                                                                                                                                     
    <   if [ -f /usr/bin/ksshaskpass ]; then                                                                                                                                                                                                
    <     export SSH_ASKPASS=/usr/bin/ksshaskpass                                                                                                                                                                                           
    <   else                                                                                                                                                                                                                                
    <     export SSH_ASKPASS=/usr/bin/askpass                                                                                                                                                                                               
    <   fi                                                                                                                                                                                                                                  
    <   /usr/bin/keychain                                                                                                                                                                                                                   
    <   $HOME/.keychain/`hostname`-sh                                                                                                                                                                                                       
    <   $HOME/.keychain/`hostname`-sh-gpg                                                                                                                                                                                                   
    < fi                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
    what this does is to setup the SSH_ASKPASS environment variable to use the                                                                                                                                                                   
    ksshaskpass program that handles ssh keys inside KWallet. Then invokes                                                                                                                                                                       
    keychain which starts the ssh-agent and gpg-agent daemons and sets some                                                                                                                                                                      
    environment variables so all KDE applications can see them.                                                                                                                                                                                  
                                                                                                                                                                                                                                                                               
    Finally we must load our ssh/gpg keys into keychain. The best place to do                                                                                                                                                                    
    this is with the KDE Autostart scripts. Simply create a script, say                                                                                                                                                                          
    add_keys.sh, into you ".kde/Autostart" folder that contains something                                                                                                                                                              
    like:                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                               
    <SCRIPT                                                                                                                                                                                                                                 
    < #!/bin/sh                                                                                                                                                                                                                             
    < ################################################################################                                                                                                                                                      
    < # Load keychain to handle ssh and gpg keys                                                                                                                                                                                            
    < ################################################################################                                                                                                                                                      
    < if [ -f /usr/bin/keychain ]; then                                                                                                                                                                                                     
    <  /usr/bin/keychain id_rsa 0x12345 0x23456                                                                                                                                                                                             
    <  $HOME/.keychain/`hostname`-sh                                                                                                                                                                                                        
    <  $HOME/.keychain/`hostname`-sh-gpg                                                                                                                                                                                                    
    < fi                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                               
    what this Autostart script does is to load your ssh key (id_rsa) and gpg                                                                                                                                                                     
    keys (0x12345, 0x23456) into keychain. The next time you log into a KDE                                                                                                                                                                      
    session this script will ask you if you want to give keychain access to                                                                                                                                                                      
    Kwallet and then ask all the registered key passphrases. Once registered                                                                                                                                                                     
    with kwallet all your applications will be able to use these keys without                                                                                                                                                                    
    asking you for the passphrase each time.                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                               
    Make sure the env and Autostart scripts have exec privileges:                                                                                                                                                                                
                                                                                                                                                                                                                                                                               
    ; chmod +x ~/.kde/env/keychain.sh                                                                                                                                                                                                             
    ; chmod +x ~/.kde/Autostart/add_key.sh                                                                                                                                                                                                        

1 comment:

  1. Heh, nice that you use kwalletcli, thanks! It does bring its own kwalletaskpass with it, though.

    ReplyDelete