Automated-ish setup of Yubikey for SSH logins (replace ssh-agent with gpg-agent from brew)
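#! /bin/bash
# Automated-ish setup of a Yubikey for SSH logins on macOS.
#
# Steps, in order:
#   1. make sure gnupg / pinentry-mac / ykpers come from Homebrew (/usr/local/bin)
#   2. sanity-check the Yubikey (ykinfo, gpg --card-status)
#   3. show SIP status; disabling Apple's ssh-agent below needs SIP off
#   4. write ~/.gnupg/gpg-agent.conf and two LaunchAgents (start gpg-agent,
#      point SSH_AUTH_SOCK at its ssh socket)
#   5. unload / move away Apple's com.openssh.ssh-agent LaunchAgent
#
# Requires: Homebrew installed under /usr/local, sudo rights, and a Yubikey
# with keys already provisioned (gpg --card-status must succeed).
set -euo pipefail

readonly BREW_BIN=/usr/local/bin
readonly BREW_PKGS=(gnupg pinentry-mac ykpers)

# die MSG... — print MSG to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Make sure a tool is the Homebrew copy under /usr/local/bin; otherwise
# install the whole package set.
# Arguments:
#   $1 - executable name to look up (e.g. gpgconf)
#   $2 - package name used in the "not installed" message
#   $3 - label used in the "seems in the right place" message
#######################################
ensure_brew_tool() {
  local tool=$1 pkg_label=$2 ok_label=$3 path
  # `|| true`: a missing tool must not abort the script under `set -e`
  # before we reach the install branch (the original `$(which ...)` did
  # exactly that). `command -v` is the portable spelling of `which`.
  path=$(command -v -- "$tool" || true)
  if [[ "$path" != "$BREW_BIN/$tool" ]]; then
    echo "You don't have $pkg_label installed from brew, lets install it."
    brew install "${BREW_PKGS[@]}"
  else
    echo "$ok_label seems in the right place."
  fi
}

# write_file PATH — write stdin to PATH, creating the parent directory
# first (LaunchAgents may not exist on a fresh account).
write_file() {
  local target=$1
  mkdir -p -- "${target%/*}"
  echo "Writing $target"
  cat > "$target"
}

main() {
  ensure_brew_tool gpgconf gnupg GnuPG
  ensure_brew_tool pinentry-mac pinentry PinEntry-mac
  ensure_brew_tool ykinfo ykpers ykpers

  echo "Checking Yubikey hardware (ykpers/ykinfo)..."
  ykinfo -a
  echo "Checking Yubikey data (via gpg --card-status)..."
  gpg --card-status

  echo "Checking csrutil status; you should see disabled. If not, disable it via Recovery."
  echo "---------------------------- check below -----------------------------------------"
  csrutil status
  echo "---------------------------- check above -----------------------------------------"
  cat <<'EOD'
If you see 'enabled' in the output above:
1) Boot into your Recovery OS (hold Cmd+R at boot) and run 'csrutil disable', then boot normally
2) Run this script again
3) Boot into your Recovery OS (hold Cmd+R at boot) and run 'csrutil enable', then boot normally
Done.
Press ENTER to continue or Ctrl-C to stop.
EOD
  read -r _

  cat <<'EOD'
I will need to sudo to disable ssh-agent from Apple.
Please give me sudo password now, I will reuse it later.
EOD
  # `sudo -v` only refreshes the cached credential; it runs no command.
  sudo -v || die "sudo authentication failed"

  echo "Starting setup..."
  # gpg-agent refuses to start (or warns loudly) on a world-readable homedir.
  mkdir -p -- "$HOME/.gnupg"
  chmod 700 -- "$HOME/.gnupg"

  # Cache TTLs are in seconds: 86400 keeps the card PIN usable for a full
  # day after one entry, so anyone at the unlocked session can use the key
  # without the PIN until then. Lower both values if that is a concern.
  write_file "$HOME/.gnupg/gpg-agent.conf" <<'EOD'
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 86400
max-cache-ttl 86400
EOD

  # Start gpg-agent at login via gpgconf (it reads gpg-agent.conf above).
  write_file "$HOME/Library/LaunchAgents/gpg.agent.daemon.plist" <<'EOD'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.daemon.plist</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/gpgconf</string>
<string>--launch</string>
<string>gpg-agent</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOD

  # Point SSH_AUTH_SOCK at gpg-agent's ssh socket for all GUI-launched
  # processes. The heredoc is quoted on purpose: $HOME is expanded by the
  # /bin/sh that launchd runs, not by this script.
  # NOTE(review): the socket path is hard-coded; `gpgconf --list-dirs
  # agent-ssh-socket` reports the real location if a newer GnuPG moves it.
  write_file "$HOME/Library/LaunchAgents/gpg.agent.setenv.plist" <<'EOD'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.setenv</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>-c</string>
<string>/bin/launchctl setenv SSH_AUTH_SOCK $HOME/.gnupg/S.gpg-agent.ssh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOD

  echo "This was all very easy until now."
  echo "Now we have to have disabled Apple's ssh-agent which is under rootless 'System Integrity Protection'."
  echo "Some of the commands below will fail, its normal, but SIP should not be mentioned."
  # Each of these is best-effort (`|| true`): the agent may not be loaded in
  # this context, and the final `mv` is exactly the step SIP blocks.
  local apple_agent=/System/Library/LaunchAgents/com.openssh.ssh-agent.plist
  launchctl unload "$apple_agent" || true
  launchctl unload -w "$apple_agent" || true
  sudo launchctl unload "$apple_agent" || true
  sudo launchctl unload -w "$apple_agent" || true
  sudo mv "$apple_agent" "$apple_agent.bak" || true

  echo "Now, if you correctly disabled SIP/rootless, just reboot and everything should work."
  echo "If SIP is still enabled, you still have SSH_AUTH_SOCK pointing to the wrong place."
  echo "Good luck!"
}

main "$@"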
Nice! Check out my repo for a semi-automated setup: https://github.com/andsens/gpg-primer, maybe you can find some more inspiration for automation there :-)