GnuPG(GPG)生成用于替代SSH密钥的子密钥:签名、加密、鉴权及SSH验证

2023-06-01 00:00:00 生成 密钥 加密

上一篇文章介绍了GPG密钥创建的流程步骤,那么下面就来介绍一下使用GnuPG(GPG)生成用于替代SSH密钥的子密钥,然后用来实现以下功能:

签名、加密、鉴权、SSH验证


进入步骤:

开始生成密钥

gpg --expert --edit-key <你的名字>
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
.
Secret key is available.
.
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-08-14
sec  rsa4096/11DC61840BEB9ECD
  created: 2022-08-14  expires: 2023-08-14  usage: C
  trust: ultimate      validity: ultimate
[ultimate] (1). <你的名字> <<你的邮箱>>

ps:

你应该会看见一个由 gpg> 开头的,类似命令行的东西,我称作 GPG 控制台,下文以 gpg> 开头的就是指这里的输入。


添加子密钥,并选择自定能力

gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 8


添加鉴权Authenticate能力,其他两种应已默认启用,最终应有 Sign``Encrypt``Authenticate 三种能力

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? A
.
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
.
Your selection? Q


输入密钥长度

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits


输入有效期

Please specify how long the key should be valid.
      0 = key does not expire
   <n>  = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Aug 14 18:03:22 2023 CST
Is this correct? (y/N) y
Really create? (y/N) y


输入主密钥密码(上一部分你设置的那个),并完成生成

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.
sec  rsa4096/<主密钥ID>
  created: 2022-08-14  expires: 2023-08-14  usage: C
  trust: ultimate      validity: ultimate
ssb  rsa4096/<子密钥ID>
  created: 2022-08-14  expires: 2023-08-14  usage: SEA
[ultimate] (1). <你的名字> <<你的邮箱>>

保存

gpg> save

最后你可以确认测试一下生成成功

gpg --list-keys
<保存路径>
.-------------------------------
pub   rsa4096 2022-08-14 [C] [expires: 2023-08-14]
   E08F47B250F8CB85627B2DFA11DC61840BHJKLO
uid           [ultimate] <你的名字> <<你的邮箱>>
sub   rsa4096 2022-08-14 [SEA] [expires: 2023-08-14]

ps:

如上所示,拥有认证C能力的主密钥pub以及拥有签名加密鉴权SEA能力的 sub 子密钥。



设置GPG Agent以用于SSH验证


启用GPG Agent的SSH支持

nano ~/.gnupg/gpg-agent.conf

用编辑器打开后,将 enable-ssh-support 添加到文件末尾


设置SSH_AUTH_SOCK以使SSH使用 GPG Agent 替代 SSH Agent,

将以下内容添加到对应终端的启动脚本

fish: ~/.config/fish/config.fish
bash: ~/.bashrc
zsh: ~/.zshrc


我用的是fish,不确定bash和zsh的路径是否正确

# 这是 fish 的
set -e SSH_AGENT_PID
if test -z $gnupg_SSH_AUTH_SOCK_BY; or test $gnupg_SSH_AUTH_SOCK_BY -ne $fish_pid
 set -gx SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
end
set -gx GPG_TTY (tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
# 这是 bash 或 zsh 的
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null


获取子密钥Keygrid

gpg --list-keys --with-keygrip
<保存路径>
.-------------------------------
pub   rsa4096 2022-08-14 [C] [expires: 2023-08-14]
   E08F47B250F12345677B2DFA11ABCDE40BEB9ECD
   Keygrip = D14395D05A68DE9876543044D42A0HGTYDEF7E38
uid           [ultimate] <你的名字> <<你的邮箱>>
sub   rsa4096 2022-08-14 [SEA] [expires: 2023-08-14]
   Keygrip = <下一步用到的子密钥Keygrid>


添加子密钥Keygrid用于SSH验证

echo <上一步得到的子密钥Keygrid> >> ~/.gnupg/sshcontrol


重启终端/控制器


检查SSH Key是否存在

ssh-add -l
4096 SHA256:8xkd+tbKlCnz2+RCRliMqGsFBQIhPBHcRl6EtJ1vBtk (none) (RSA)


导出SSH公钥

gpg --export-ssh-key <你的名字>
ssh-rsa <一长串内容> openpgp:0x193CEF1B

ps:

这整一个,连带ssh-rsa和 openpgp:XXXXXXXX就是你的公钥了,你可以将它上传到GitHub等平台


测试一下是否有效

ssh -T [email protected]
Hi sunxyw! You've successfully authenticated, but GitHub does not provide shell access.

相关文章