I've been trying to forward my Yubico to perform sudo authentication without having to use the password.
I've successfully performed SSH auth with Yubico on macOS 12 using ssh -A user@server.com
But after I log in on the remote server I tried to check the card status but got the following output:
user@server.com:~$ gpg --card-status
gpg: error getting version from 'scdaemon': Forbidden
gpg: selecting card failed: Forbidden
gpg: OpenPGP card not available: Forbidden
The Yubico command also gives me the following error: Yubikey core error: no yubikey present
So this is how I have my macOS set up. The gpg-agent.conf:
enable-ssh-support
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 60
max-cache-ttl 120
# use-standard-socket
# extra-socket /Users/pedrocavaleiro/.gnupg/S.gpg-agent.extra
I got the local machine socket using the command gpgconf --list-dirs agent-extra-socket and on the remote machine using the command gpgconf --list-dirs agent-socket.
I configured on the local machine ~/.ssh/config:
Host server.com
HostName server.com
ForwardAgent yes
User user
# RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/pedrocavaleiro/.gnupg/S.gpg-agent.extra
RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/pedrocavaleiro/.gnupg/S.gpg-agent
RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /Users/pedrocavaleiro/.gnupg/S.gpg-agent.ssh
Also, on the remote machine I added the line StreamLocalBindUnlink yes to the file /etc/ssh/sshd_config and restarted the sshd service.
I've tried some other configurations from several tutorials on the internet, even some provided by Yubico, but without success.
I believe that after I get the Yubico recognized on the remote machine I just need to follow these indications, "Using Yubikey for sudo over SSH session", just adapting for Ubuntu.
As for versions, my local machine:
macOS 12.4 (21F79)
ssh: OpenSSH_8.6p1, LibreSSL 3.3.6
gpg (GnuPG/MacGPG2) 2.2.34
libgcrypt 1.8.9
For the remote machine:
Ubuntu 22.04 LTS
Kernel: 5.15.0-40-generic
ssh: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
UPDATE 1
I updated the gpg-agent.conf by removing
use-standard-socket
extra-socket /Users/pedrocavaleiro/.gnupg/S.gpg-agent.extra
Also updated the ~/.ssh/config and instead of using the S.gpg-agent.extra for the RemoteForward I used S.gpg-agent (visible in my original question).
These changes allowed me to successfully use the command gpg --card-status in the remote machine but a new issue presents itself.
Trying ssh-keygen -D /usr/lib/x86_64-linux-gnu/libykcs11.so outputs
C_GetSlotList failed: 48
cannot read public key from pkcs11
And ykpamcfg -2 -v still outputs Yubikey core error: no yubikey present
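Added example (not part of the question above and not the poster's code): a small linter for the ~/.ssh/config stanza used in this kind of gpg-agent forwarding. It parses Host blocks, collects the RemoteForward entries and flags the two mistakes that are easy to make with such a stanza: forwarding the unrestricted local S.gpg-agent socket instead of the restricted S.gpg-agent.extra socket that GnuPG documents as the one intended for remote hosts (least privilege for the forwarded agent), and forwarding the same remote socket path twice. The host name, user and paths in the constructed sample are placeholders, not the values from the question.

```python
import re

# Constructed sample stanza in the shape of the one in the question above
# (host, user and paths are placeholders, not the poster's values).
SAMPLE_CONFIG = """\
Host example.test
    HostName example.test
    ForwardAgent yes
    User alice
    # RemoteForward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent
    RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /home/alice/.gnupg/S.gpg-agent.ssh
"""

# Same stanza with the restricted socket on the local side, which is what
# GnuPG's extra-socket is meant for when forwarding to another machine.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "S.gpg-agent /home/alice/.gnupg/S.gpg-agent\n",
    "S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra\n",
)

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\w+)\s*(?:=\s*)?(.*?)\s*$")


def parse_ssh_config(text):
    """Return {host_pattern: {keyword_lower: [value, ...]}} for every Host block.

    Comments (including commented-out RemoteForward lines) and blank lines are
    dropped, so only directives ssh would actually apply are kept.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            current = blocks.setdefault(value, {})
            continue
        if current is None:
            continue  # global options before the first Host line are not needed here
        current.setdefault(key, []).append(value)
    return blocks


def lint_gpg_agent_forwarding(options):
    """Check the RemoteForward entries of one Host block.

    Expected shape for gpg-agent forwarding: remote path is the remote
    agent-socket (S.gpg-agent), local path is the local agent-extra-socket
    (S.gpg-agent.extra). Returns a list of human-readable findings.
    """
    findings = []
    seen_remote = set()
    for entry in options.get("remoteforward", []):
        parts = entry.split()
        if len(parts) != 2:
            findings.append(f"{entry!r}: expected '<remote socket> <local socket>'")
            continue
        remote, local = parts
        if remote in seen_remote:
            findings.append(f"{entry!r}: remote path {remote} is forwarded more than once")
        seen_remote.add(remote)
        if local.endswith("/S.gpg-agent"):
            findings.append(
                f"{entry!r}: forwards the unrestricted gpg-agent socket; "
                "S.gpg-agent.extra is the restricted socket meant for remote hosts"
            )
        if remote.endswith("/S.gpg-agent.extra"):
            findings.append(
                f"{entry!r}: remote side should be the remote agent-socket "
                "(S.gpg-agent); gpg on the remote host does not connect to .extra"
            )
    return findings


def lint_text(text, host):
    """Convenience wrapper: parse a config text and lint one Host block."""
    return lint_gpg_agent_forwarding(parse_ssh_config(text).get(host, {}))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_text(cfg, "example.test") or "no findings")
```

Running the block prints one finding for the sample stanza (the unrestricted socket on the local side) and none for the fixed one. Pointing the local side at the socket reported by gpgconf --list-dirs agent-extra-socket keeps the forwarded interface restricted; which operations the restricted socket permits is documented in the gpg-agent manual, so consult it before relying on a specific command over the forward.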