Getting started with private keys on smartcards

I found these guides to be useful when I was getting started:

Wondering about how long your password/passphrase should be? Read more about it on entropy of passwords.

Using Smartcards for SSH Authentication

  • On a new computer, install gpg first (the Mac and Windows sections below have the platform-specific package steps), then make sure the GnuPG home directory exists and fetch the public key:

    $ mkdir -p "$(gpgconf --list-dirs homedir)"
    $ gpg --recv-keys C0023FA0

    C0023FA0 is a short (32-bit) key ID, and short IDs are trivially collidable on a keyserver, so compare the full fingerprint of the key you received (gpg --fingerprint C0023FA0) against a copy obtained out of band before trusting it.

  • To start running ssh operations, point ssh at gpg-agent instead of ssh-agent. gpg-agent only serves the ssh socket when gpg-agent.conf contains the line enable-ssh-support (append it the same way the Mac section appends pinentry-program; the Windows equivalent is enable-putty-support, below). The agent reads that file only at startup, so if one was already running, kill it first as in the next step.

    # start gpg-agent and scdaemon as a side effect of reading the card, and confirm the card is detected
    $ gpg --card-edit
    # tell ssh to use gpg-agent as its authentication agent
    $ export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    # check: the authentication key is listed with a cardno: comment, i.e. it is served from the card
    $ ssh-add -l
    256 SHA256:11112222aaaabbbb11112222aaaa4EF+qbZw/JZ5OYU cardno:FFFE12345566 (ED25519)
  • If the agent misbehaves (for example after the card was removed and reinserted), restart it and re-read the card. SSH_AUTH_SOCK keeps its value, because the socket path is fixed:

    $ gpgconf --kill gpg-agent
    $ gpg --card-edit

Additional Setup on Mac

  • Use pinentry-mac, a native macOS PIN dialog. Otherwise the curses pinentry prompts for the PIN in whichever terminal gpg-agent was started from, which looks like a hang when ssh triggers it from a different terminal. gpg-agent reads gpg-agent.conf only at startup, so restart it (gpgconf --kill gpg-agent, as above) after this change.

    # add-on to list of packages to install
    $ brew install ... pinentry-mac
    # receive keys and mkdir...
    $ ...
    # tell gpg-agent to use pinentry-mac
    $ printf "pinentry-program %s\n" "$(which pinentry-mac)" >> "$(gpgconf --list-dirs homedir)/gpg-agent.conf"

Additional Setup on Windows

Assuming PuTTY is your ssh client, use gpg-agent's built-in Pageant emulation (enable-putty-support): PuTTY and plink then talk to gpg-agent directly, with no SSH_AUTH_SOCK involved.

  • After installing, configure gpg-agent to emulate Pageant. gpgconf --list-dirs homedir already returns the GnuPG directory, so the file is homedir/gpg-agent.conf (not homedir/gnupg/...), and appending rather than truncating preserves any other options already in it.

    # receive keys and mkdir...
    $ ...
    $ echo enable-putty-support >> "$(gpgconf --list-dirs homedir)/gpg-agent.conf"
  • Start the gpg-agent daemon; reading the card starts it, and you can quit at the card prompt:

    $ gpg --card-edit
    gpg/card> quit
  • Accept the server's host key into PuTTY's cache once, interactively. plink prompts for it, and git would otherwise fail on the unanswered prompt. <user>@<host> is a placeholder for your git server:

    $ plink <user>@<host>
  • Tell git to use plink instead of ssh (to persist this, set git config --global core.sshCommand plink):

    $ GIT_SSH_COMMAND=plink git clone <repo>
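
The steps above, from the common setup through the Mac and Windows additions, as one re-runnable script. This is an added example, not code from the original page; it assumes GnuPG 2.1 or later (gpgconf with agent-ssh-socket), Git Bash on Windows (where uname reports MINGW* or MSYS*), and a Homebrew-installed pinentry-mac on macOS. The file name gpg-ssh-setup.sh and the --apply flag are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: idempotent setup of gpg-agent as
# the SSH agent for a smartcard. Assumes GnuPG 2.1+ (gpgconf, agent-ssh-socket)
# and, on macOS, that Homebrew installed pinentry-mac.
# Usage:  eval "$(bash gpg-ssh-setup.sh --apply)"   then   ssh-add -l

# Append OPTION to CONF unless a line already starts with its keyword, so a
# re-run neither duplicates lines nor truncates the file (the original page's
# `echo ... >` would). Returns 0 if it wrote, 1 if the keyword was present.
ensure_agent_option() {
  conf=$1 option=$2
  keyword=${option%% *}              # "pinentry-program /p" -> "pinentry-program"
  mkdir -p "$(dirname "$conf")"
  [ -f "$conf" ] || : > "$conf"
  if grep -Eq "^${keyword}( |$)" "$conf"; then
    return 1                         # already configured; never overwrite it
  fi
  printf '%s\n' "$option" >> "$conf"
}

# The agent option ssh needs: Pageant emulation on Windows (Git Bash reports
# MINGW*/MSYS*), the OpenSSH agent socket everywhere else.
ssh_support_option() {
  case $1 in
    MINGW*|MSYS*|CYGWIN*) echo enable-putty-support ;;
    *)                     echo enable-ssh-support ;;
  esac
}

# Configure the real GnuPG homedir, (re)start the agent and print the export
# line for the caller's shell; diagnostics go to stderr so eval stays clean.
setup_gpg_ssh_agent() {
  os=$(uname -s)
  conf=$(gpgconf --list-dirs homedir)/gpg-agent.conf
  changed=0
  ensure_agent_option "$conf" "$(ssh_support_option "$os")" && changed=1
  if [ "$os" = Darwin ] && command -v pinentry-mac >/dev/null 2>&1; then
    ensure_agent_option "$conf" "pinentry-program $(command -v pinentry-mac)" && changed=1
  fi
  # gpg-agent only reads gpg-agent.conf at startup, so restart it after a change.
  if [ "$changed" -eq 1 ]; then
    gpgconf --kill gpg-agent
  fi
  gpgconf --launch gpg-agent
  echo "gpg-agent.conf: $conf" >&2
  case $os in
    MINGW*|MSYS*|CYGWIN*) ;;         # PuTTY/plink find the Pageant emulation on their own
    *) printf "export SSH_AUTH_SOCK='%s'\n" "$(gpgconf --list-dirs agent-ssh-socket)" ;;
  esac
}

# Only touch the real system when asked; without --apply the file just defines
# the functions above so they can be sourced or tested.
if [ "${1:-}" = --apply ]; then
  setup_gpg_ssh_agent
fi
```

Run eval "$(bash gpg-ssh-setup.sh --apply)" in each new shell, or put that line in your shell profile; on Windows it only edits the config and restarts the agent, since PuTTY does not use SSH_AUTH_SOCK. Because ensure_agent_option matches on the option keyword, an existing pinentry-program line is left alone rather than replaced, so a deliberate custom pinentry survives a re-run.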

Side-by-side with Krypton

Krypton writes its own entries into ~/.ssh/config so that every ssh connection goes through the Krypton agent. To use the smartcard for a particular git operation instead, tell git to run ssh with an empty configuration file (-F /dev/null): ssh then ignores ~/.ssh/config and falls back to the agent at SSH_AUTH_SOCK, i.e. gpg-agent.

    $ GIT_SSH_COMMAND='ssh -F /dev/null' git clone <repo>