chore(kb/ssh): improved examples and readability

This commit is contained in:
Michele Cereda
2024-04-21 00:46:02 +02:00
parent 774df5cee7
commit a43eb84589
4 changed files with 60 additions and 42 deletions


@@ -12,6 +12,9 @@
## - host sections only apply to the matched names
## - canonicalization forces a configuration reload to check the now canonical
## host name against the configuration
##
## Sources:
## - https://man.openbsd.org/ssh_config
################################################################################
# Canonicalize host names as first thing


@@ -1,14 +1,16 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
################################################################################
## /etc/ssh/sshd_config
##
## SSHD server system-wide configuration file.
##
## This sshd was compiled with PATH='/usr/bin:/bin:/usr/sbin:/sbin'.
## The strategy used for options in the default sshd_config shipped with OpenSSH
## is to specify options with their default value where possible, but leave them
## commented. Uncommented options override the default value.
##
## Sources:
## - https://man.openbsd.org/sshd_config
################################################################################
#Port 22
#AddressFamily any
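Review bot: the rewritten header drops the `# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $` tag, which was the only record of which upstream sshd_config revision this example was derived from; keep that revision string (e.g. as a line under `## Sources:`) so a reader can diff the example against the matching upstream default. The `## This sshd was compiled with PATH='/usr/bin:/bin:/usr/sbin:/sbin'.` line is a build-time detail of one particular binary and will be wrong on other systems; either drop it or mark it as illustrative.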


@@ -11,10 +11,10 @@
1. [Unattended key generation](#unattended-key-generation)
1. [Change a key's password](#change-a-keys-password)
1. [Put comments in a message or file](#put-comments-in-a-message-or-file)
1. [Use a GPG key for SSH authentication](#use-a-gpg-key-for-ssh-authentication)
1. [Create an authentication-capable key or subkey](#create-an-authentication-capable-key-or-subkey)
1. [Enable SSH to use the GPG subkey](#enable-ssh-to-use-the-gpg-subkey)
1. [Share the GPG-SSH key](#share-the-gpg-ssh-key)
1. [Use GPG keys for SSH authentication](#use-gpg-keys-for-ssh-authentication)
1. [Create authentication-capable keys or subkeys](#create-authentication-capable-keys-or-subkeys)
1. [Enable SSH to use GPG (sub)keys](#enable-ssh-to-use-gpg-subkeys)
1. [Share GPG-SSH keys](#share-gpg-ssh-keys)
1. [Troubleshooting](#troubleshooting)
1. [`gpg failed to sign the data; fatal: failed to write commit object`](#gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object)
1. [`sign_and_send_pubkey: signing failed for … from agent: agent refused operation`](#sign_and_send_pubkey-signing-failed-for--from-agent-agent-refused-operation)
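Review bot: the four renamed TOC entries change their anchors (`#use-gpg-keys-for-ssh-authentication`, `#create-authentication-capable-keys-or-subkeys`, `#enable-ssh-to-use-gpg-subkeys`, `#share-gpg-ssh-keys`); verify each matches the renamed heading in the body, including `Enable SSH to use GPG (sub)keys`, whose slug drops the parentheses to `-gpg-subkeys` as written here. The cross-reference this commit adds to ssh.md (`gnupg.md#use-gpg-keys-for-ssh-authentication`) already uses the new anchor, so any remaining links to the old `#use-a-gpg-key-for-ssh-authentication` anchor elsewhere in the knowledge base will now be broken.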
@@ -163,7 +163,8 @@ gpg --output 'file.out' --decrypt 'file.in.gpg'
find . -type f -name "*.gpg" -exec gpg --decrypt-files {} +
```
The second command will create the decrypted version of all files in the same directory. Each file will have the same name of the encrypted version, minus the `.gpg` extension.
The second command will create the decrypted version of all files in the same directory. Each file will have the same
name of the encrypted version, minus the `.gpg` extension.
## Key export
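Review bot: the rewrapped sentence keeps the grammatical slip "the same name of the encrypted version"; since the line is being touched anyway, make it "the same name as the encrypted version".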
@@ -179,7 +180,8 @@ gpg --output 'file.out.gpg' --encrypt --recipient 'recipient' 'file.in'
gpg --armor --symmetric --output 'file.out.gpg' 'file.in'
```
Export all encrypted private keys (which will also include corresponding public keys) to a text file and create an encrypted version of that file:
Export all encrypted private keys (which will also include corresponding public keys) to a text file and create an
encrypted version of that file:
```sh
# Export.
@@ -199,7 +201,8 @@ gpg --export-ownertrust > 'otrust.txt'
## Key import
As the new user execute `gpg --import` commands against the secured files, or the decrypted content of those files, and then check for the new keys with `gpg -k` and `gpg -K`, e.g.:
As the new user execute `gpg --import` commands against the secured files, or the decrypted content of those files, and
then check for the new keys with `gpg -k` and `gpg -K`, e.g.:
```sh
gpg --output 'myprivatekeys.asc' --decrypt 'mysecretatedprivatekeys.sec.asc' && \
@@ -267,18 +270,20 @@ hQIMAwbYc…
```
OpenPGP defines all text to be in UTF-8, so a comment may be any UTF-8 string.<br/>
The whole point of armoring, however, is to provide seven-bit-clean data, so if a comment has characters that are outside the US-ASCII range of UTF they may very well not survive transport.
The whole point of armoring, however, is to provide seven-bit-clean data, so if a comment has characters that are
outside the US-ASCII range of UTF they may very well not survive transport.
## Use a GPG key for SSH authentication
## Use GPG keys for SSH authentication
> See also [How to enable SSH access using a GPG key for authentication].
This exercise will use a GPG subkey with only the authentication capability enabled to complete SSH connections.<br/>
You can create multiple subkeys as you would do for SSH key pairs.
### Create an authentication-capable key or subkey
### Create authentication-capable keys or subkeys
To create subkeys, you should already have a GPG key. If you don't, read one of the many fine tutorials available on this topic.<br/>
To create subkeys, you should already have a GPG key. If you don't, read one of the many fine tutorials available on
this topic.<br/>
Create the subkey by editing your existing key **in expert mode** to get access to the appropriate options:
```sh
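Review bot: the rewrap at "outside the US-ASCII range of UTF" preserves an incomplete name; it should read "UTF-8", matching the preceding sentence. Also, the heading is now plural ("GPG keys") while the intro below it still says "This exercise will use a GPG subkey with only the authentication capability enabled"; either is fine, but pick one and keep the text consistent with the heading.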
@@ -345,17 +350,20 @@ gpg> quit
Save changes? (y/N) y
```
### Enable SSH to use the GPG subkey
### Enable SSH to use GPG (sub)keys
When using SSH, `ssh-agent` is used to manage SSH keys. When using a GPG key, `gpg-agent` is used to manage GPG keys.<br/>
When using SSH, `ssh-agent` is used to manage SSH keys. When using a GPG key, `gpg-agent` is used to manage GPG
keys.<br/>
To get `gpg-agent` to handle requests from SSH, you need to enable its SSH support:
```sh
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
```
You can avoid using `ssh-add` to load the keys by preemptively specifying which GPG keys to use in the `~/.gnupg/sshcontrol` file.<br/>
Entries in this file need to be keygrips (internal identifiers that `gpg-agent` uses to refer to the keys). A keygrip refers to both the public and private key.<br/>
You can avoid using `ssh-add` to load the keys by preemptively specifying which GPG keys to use in the
`~/.gnupg/sshcontrol` file.<br/>
Entries in this file need to be keygrips (internal identifiers that `gpg-agent` uses to refer to the keys). A keygrip
refers to both the public and private key.<br/>
Find the keygrips you need, then add them to the `~/.gnupg/sshcontrol` file:
```sh
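Review bot: `echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf` appends unconditionally, so following the instructions twice duplicates the line; suggest `grep -qx 'enable-ssh-support' ~/.gnupg/gpg-agent.conf || echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf`. The setting also only takes effect once the agent is restarted (`gpgconf --kill gpg-agent`) and the SSH client's `SSH_AUTH_SOCK` points at the agent's SSH socket (`gpgconf --list-dirs agent-ssh-socket`); if the section does not already cover that below this hunk, add it, otherwise the `ssh-add -L` check in the next hunk lists the keys of whatever other agent is running.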
@@ -407,9 +415,10 @@ $ ssh-add -L
ssh-rsa AAAAB3NzaC…7SD8UQ== (none)
```
### Share the GPG-SSH key
### Share GPG-SSH keys
Run `ssh-add -L` to list your public keys and copy them over manually to the remote host, or use `ssh-copy-id` as you would normally do.
Run `ssh-add -L` to list one's public keys, then copy them over manually to the remote host.<br/>
Alternatively, use `ssh-copy-id` as one would normally do.
## Troubleshooting
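Review bot: the rewrite switches from "your public keys" to "one's public keys", but the rest of this section addresses the reader directly ("you should already have a GPG key", "You can avoid using `ssh-add`"); keep the second person here for consistency.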
@@ -429,7 +438,8 @@ Run `ssh-add -L` to list your public keys and copy them over manually to the rem
**Cause:**
The environment variable `GPG_TTY` was not set and Pinentry could not reach the terminal session to prompt for the key's passphrase.
The environment variable `GPG_TTY` was not set and Pinentry could not reach the terminal session to prompt for the key's
passphrase.
**Solution:**


@@ -19,7 +19,7 @@
1. [Troubleshooting](#troubleshooting)
1. [No matching host key type found](#no-matching-host-key-type-found)
1. [Further readings](#further-readings)
1. [Sources](#sources)
1. [Sources](#sources)
## TL;DR
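Review bot: the removed and added `1. [Sources](#sources)` lines are identical except for leading whitespace, which is not visible in this view; if the intent is to nest Sources under Further readings (matching the `## Sources` to `### Sources` change later in this file), the indentation must equal the nesting used for the other sub-entries, such as the `No matching host key type found` line above it, or the renderer will keep it as a top-level entry.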
@@ -178,7 +178,8 @@ When connecting to a host, the SSH client will use settings:
1. from the user's `~/.ssh/config` file,
1. from the `/etc/ssh/ssh_config` file
Settings are loaded in a first-come-first-served way. They should hence appear from the most specific to the most generic, both by file and by position in those files:
Settings are loaded in a **first-come-first-served** way. They should hence appear from the most specific to the most
generic, both by file and by position in those files:
```ssh-config
Host targaryen
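Review bot: since the first obtained value wins, the paragraph should spell out the practical consequence: catch-all `Host *` blocks and generic defaults belong at the end of `~/.ssh/config`, otherwise they silently override the more specific `Host targaryen`-style entries placed after them.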
@@ -286,7 +287,8 @@ Notable options:
- `auto_cache` enables caching based on modification times;
- `reconnect` reconnects to the server;
- `defer_permissions` works around the issue where certain shares may mount properly, but cause _permissions denied_ errors when accessed (caused by how Mac OS X's Finder translates and interprets permissions;
- `defer_permissions` works around the issue where certain shares may mount properly, but cause _permissions denied_
errors when accessed (caused by how Mac OS X's Finder translates and interprets permissions;
- `noappledouble` prevents Mac OS X to write `.DS_Store` files on the remote file system;
- `volname` defines the name to use for the volume.
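Review bot: the rewrapped `defer_permissions` item still has an unclosed parenthesis: "(caused by how Mac OS X's Finder translates and interprets permissions;" needs a `)` before the semicolon. The following `noappledouble` item reads "prevents Mac OS X to write"; make it "prevents Mac OS X from writing".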
@@ -314,7 +316,8 @@ Error message example:
> `Unable to negotiate with XXX port 22: no matching host key type found. Their offer: ssh-rsa.`
Cause: the server only supports the kind of RSA with SHA-1, which is considered weak and deprecated in newer SSH versions.
Cause: the server only supports the kind of RSA with SHA-1, which is considered weak and deprecated in newer SSH
versions.
Workaround: explicitly set your client to use the specified key type adding
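Review bot: "the kind of RSA with SHA-1" is vague; the precise cause is that the server offers only the `ssh-rsa` host key signature algorithm (RSA with SHA-1), which recent OpenSSH clients no longer accept by default, whereas `rsa-sha2-256` and `rsa-sha2-512` on the same RSA key remain acceptable. Because the workaround re-enables a deprecated algorithm on the client, the text that follows should scope the override to a `Host` block for that one server rather than setting it globally, and the `Solution: update the SSH server.` line in the next hunk's context should stay the recommended fix.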
@@ -342,10 +345,9 @@ Solution: update the SSH server.
- [`SSHD_CONFIG(5)`][sshd_config man page] man page
- [`sshd_config`][sshd_config example] example
- [ssh-agent]
- [Use GPG keys for SSH authentication]
## Sources
All the references in the [further readings] section, plus the following:
### Sources
- [Use SSHFS to mount a remote directory as a volume on OSX]
- [Using the SSH config file]
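Review bot: demoting `## Sources` to `### Sources` and dropping "All the references in the [further readings] section, plus the following:" removes the only visible use of the `[further readings]` reference definition, which this commit keeps at the bottom of the file; either drop that definition or keep the sentence. The heading level change leaves the `#sources` anchor intact, so the TOC link is unaffected.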
@@ -361,18 +363,19 @@ All the references in the [further readings] section, plus the following:
References
-->
<!-- Upstream -->
[ssh_config man page]: https://man.openbsd.org/ssh_config
[ssh-agent]: https://www.ssh.com/academy/ssh/agent
[sshd_config man page]: https://man.openbsd.org/sshd_config
<!-- In-article sections -->
[further readings]: #further-readings
<!-- Knowledge base -->
[use gpg keys for ssh authentication]: gnupg.md#use-gpg-keys-for-ssh-authentication
<!-- Files -->
[ssh_config example]: ../examples/ssh/ssh_config
[sshd_config example]: ../examples/ssh/sshd_config
<!-- Upstream -->
[ssh_config man page]: https://man.openbsd.org/ssh_config
[ssh-agent]: https://www.ssh.com/academy/ssh/agent
[sshd_config man page]: https://man.openbsd.org/sshd_config
<!-- Others -->
[get started with openssh for windows]: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
[how to enable ssh access using a gpg key for authentication]: https://opensource.com/article/19/4/gpg-subkeys-ssh
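Review bot: the reordering of the reference block is fine, but the new `[use gpg keys for ssh authentication]` definition is referenced above as `[Use GPG keys for SSH authentication]`; reference labels are case-insensitive in CommonMark so this resolves, just keep the lowercase casing convention of the other definitions. The relative target `gnupg.md#use-gpg-keys-for-ssh-authentication` assumes both files live in the same directory and matches the anchor renamed in the gnupg.md TOC hunk of this commit.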