2014-09-27

Ubuntu 14 & OpenPGP smartcards: report from the war zone


Using OpenPGP smartcards on Ubuntu 14 is not a plug-and-play experience these days; not that it ever was, and given the tiny number of users this is to be expected.


This post/tutorial is split into different sections to ease readability and to make visible ALL the different problems you will have to overcome to reach a working setup.

Goal


The goal is to have a working gpg-agent integration that provides signing/encryption for every application in your X11/terminal session, and that also acts as the SSH agent (the key feature here is gpg-agent's --enable-ssh-support, which makes the card's authentication key available over the ssh-agent protocol).

Use-case examples:
  • Thunderbird + Enigmail
  • remote SSH authentication
  • X2Go sessions
  • any other use of gpg you can think of
In order to achieve this, we must be in control of how gpg-agent is started and make sure that no other agent is started (most notably gnome-keyring, ssh-agent, other rogue gpg-agent instances, or any you-name-it keyring). The reason is simple: whichever agent exports SSH_AUTH_SOCK/GPG_AGENT_INFO last wins, and a socket that does not belong to gpg-agent will never see the card.
Enjoy reading & hacking through this :)

1. First steps first: the reader


Let's install the necessary software (scdaemon is the component that actually talks to the card and is a separate package on 14.04, so ask for it explicitly):

sudo apt-get install pcscd gnupg2 gnupg-agent scdaemon

I had some issues getting the reader recognized and available to my non-root user. I will skip instructions about configuring udev, as it is already described in the Howtos at FSFE and all over the web; basically you have to produce correct rules for your device, and then a script that will be executed every time your device is plugged in. I suggest Gentoo's well-written udev wiki page as a start.

NOTE: you should change the vendor/product ids in the udev rules to match those you see in dmesg (or lsusb) for your own reader.

When you have successfully configured your device via udev, you will be able to query the smartcard like this (use gpg2 --card-status if you want to be sure you are exercising gnupg2's scdaemon, which is what gpg-agent will rely on later; on 14.04 plain gpg is still GnuPG 1.4):
$ gpg --card-status
Application ID ...: **************
Version ..........: 2.0
Manufacturer .....: ************
Serial number ....: ************
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

This looks good! :) (The middle value of "PIN retry counter" is the reset code counter; 0 there just means no reset code has been set, not that the card is locked.)

If you have gone this far, congratulations! You're ready to fix the next mess...

You're feeling lucky

Your reader might be CCID-capable but not on the supported/should-work lists; if you want to test whether it works with pcscd you can manually add its name and ids (the same ones used above for the udev rules) to:

/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

This way pcscd will at least attempt to talk to the device through the CCID driver; remember to contact the ccid/pcscd author if it works and you would like to see this device added to those that are officially supported.

2. Broken systems are broken

There are bugs in the Ubuntu/GNOME keyring integration that by default make the GPG integration broken (gnome-keyring's gpg-agent emulation is incomplete and knows nothing about smartcards, yet it hijacks GPG_AGENT_INFO); derivatives like Mint are also affected.

This issue can be fixed by removing the damn Ubuntu-installed files and burning them with fire, i.e. disabling GNOME keyring's gpg-agent component (at least until it's fixed/completed) with:
sudo rm /etc/xdg/autostart/gnome-keyring-gpg.desktop

In XFCE settings, under Session and Startup, the "Launch GNOME services on startup" option should be disabled as well.

Disable the other two totally rogue gpg-agent and ssh-agent upstart jobs (if the job files on your system live under /usr/share/upstart/sessions, the per-user override location is ~/.config/upstart/<job>.override instead):
echo manual | sudo tee /etc/init/gpg-agent.override
echo manual | sudo tee /etc/init/ssh-agent.override

Finally, disable the Xsession.d script that would normally auto-start ssh-agent (on stock Ubuntu the file is named 90x11-common_ssh-agent; check the directory listing if the name differs on your system):

sudo rm /etc/X11/Xsession.d/90x11-common_ssh-agent

Depending on the desktop environment of your choice, there are countless other ways to autostart applications. Read their documentation and make sure that no keyrings/agents are being automagically started.

XFCE, good boy


As per XFCE4 documentation, disable both gpg-agent and ssh-agent from being auto-started by xfce4-session:

xfconf-query -c xfce4-session -p /startup/gpg-agent/enabled -n -t bool -s false
xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled -n -t bool -s false 


If no ssh-agent (and only one gpg-agent) is running whenever you log in to a new X session, then feel free to proceed to the next step :)

Useless rant

Enabling autostart applications in any Linux desktop environment and not providing any easy GUI/CLI to change them is equivalent to producing an unmaintainable/unusable pile of hacks, but this is the average Linux desktop experience and we all know it by now :)

For hardcore users

If you are having trouble identifying who is responsible for starting some gpg-agent, I suggest this radical approach:

sudo dpkg-divert --divert /usr/bin/gpg-agent.real --rename /usr/bin/gpg-agent

It's left to the reader as an exercise to create a /usr/bin/gpg-agent script that saves the output of pstree somewhere and then hands over to gpg-agent.real, so that you can figure out what's going on :)

Remember to revert the diversion (sudo dpkg-divert --rename --remove /usr/bin/gpg-agent) or use the correct binary name later on if you have applied it.
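Here is one way to do that exercise, as an added example that is not part of the original post: a replacement /usr/bin/gpg-agent to drop in after the dpkg-divert above. It records the caller's full ancestry by walking /proc (so it does not even need pstree installed) and then execs the real binary so nothing else in the session breaks. The path /usr/bin/gpg-agent.real comes from the divert command; the log file location and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the post's code): tracing wrapper installed as
# /usr/bin/gpg-agent after "dpkg-divert --divert /usr/bin/gpg-agent.real".
# Assumptions: the real agent is at /usr/bin/gpg-agent.real, and the log path
# below is an arbitrary choice (override it with GPG_AGENT_TRACE_LOG).
LOG="${GPG_AGENT_TRACE_LOG:-/tmp/gpg-agent-starts.log}"
REAL=/usr/bin/gpg-agent.real

# Print "pid comm" for a process and each of its ancestors, innermost first,
# by following the PPid field of /proc/<pid>/stat until pid 1 (or a pid whose
# parent is 0, e.g. inside a container).
ancestry_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/stat" ]; do
        stat=$(cat "/proc/$pid/stat")
        # comm is the parenthesised 2nd field and may itself contain spaces or
        # parentheses, so cut around the LAST ") " rather than splitting on spaces
        comm=${stat#*(}; comm=${comm%)*}
        rest=${stat##*) }                          # "state ppid pgrp ..."
        ppid=$(printf '%s\n' "$rest" | cut -d' ' -f2)
        printf '%s %s\n' "$pid" "$comm"
        [ "$pid" -eq 1 ] && break
        pid=$ppid
    done
}

# Append one record per gpg-agent start: timestamp, our pid/uid, the arguments
# we were started with, and the indented parent chain.
record_start() {
    {
        printf '=== %s pid=%s uid=%s args: %s\n' "$(date '+%F %T')" "$$" "$(id -u)" "$*"
        ancestry_chain "$$" | sed 's/^/    /'
    } >> "$LOG"
}

# Only behave as the wrapper when actually invoked under the gpg-agent name, so
# the functions above can be sourced and tested without exec'ing the real agent.
case "$0" in
    */gpg-agent|gpg-agent)
        record_start "$@"
        exec "$REAL" "$@"
        ;;
esac
```

Install it with sudo install -m 755 wrapper.sh /usr/bin/gpg-agent, log in to a fresh X session, and read the log: the first non-shell entry in each parent chain (xfce4-session, upstart, Xsession, gnome-keyring-daemon, ...) is the culprit you are looking for.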

3. Session mayhem


Modern login managers will ignore your ~/.Xsession or ~/.xsession file; instructions here cover only LightDM/XFCE4, but suffice it to say that being able to start your X session via an .xsession file is enough to complete this integration setup, because that is the path on which the Xsession.d scripts (and therefore the gpg-agent wrapping of the next section) run.

Create /usr/share/xsessions/xsession.desktop (Type=Application is the standard entry type for a session file):

[Desktop Entry]
Type=Application
Name=Xsession
Exec=/etc/X11/Xsession


Make it the default session in LightDM via /etc/lightdm/lightdm.conf:

[SeatDefaults]
user-session=Xsession

Create your ~/.xsession (and make it executable with chmod +x to be safe):

#!/bin/sh
exec ck-launch-session dbus-launch --exit-with-session startxfce4

Restart lightdm (or the whole system, since not all processes will terminate with your session) and check that everything works as expected. If you cannot mount external devices, make sure you have policykit-desktop-privileges installed (go look here for another delicious bug about this).

Once you have made yourself comfortable and everything is working as expected, we're ready to add the final touch to our setup.

4. Please wrap it


We are going to make sure that gpg-agent is a STARTUP prefix for our beloved X session: the /etc/X11/Xsession.d/90gpg-agent script shipped with gnupg-agent prepends "gpg-agent --daemon --sh --write-env-file" to the command that starts the session, so every process in the session inherits the environment variables gpg-agent sets up.

For reference, this is their list:
  • GPG_AGENT_INFO=/home/neagix/.gnupg/S.gpg-agent:17244:1
  • SSH_AUTH_SOCK=/home/neagix/.gnupg/S.gpg-agent.ssh
  • SSH_AGENT_PID=17244

Open your ~/.gnupg/gpg-agent.conf (not gpg.conf: these are gpg-agent options, and gpg-agent reads its own file) and make sure that you have:

enable-ssh-support
use-standard-socket

At this point, reboot (or restart lightdm) and check that your setup worked by typing in any terminal emulator:

set | grep 'GPG\|SSH'

If you don't see the expected 3 environment variables, either you did something wrong or the distro gods have changed something (yes, this post will eventually become old as this mess is cleaned up & fixed upstream).

You can test that the correct gpg-agent is running by inspecting its command line (looping, because pgrep may return more than one pid, which would itself be a sign that something is wrong):
for p in $(pgrep -x gpg-agent); do echo "$p: $(tr '\0' ' ' < /proc/$p/cmdline)"; done
Remember that options are read by default from ~/.gnupg/gpg-agent.conf, so a short command line does not mean enable-ssh-support is missing.
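The manual checks above (three variables present, one gpg-agent, no stray agent, card usable over both gpg and ssh) bundled into a single script, as an added example that is not part of the original post. The only fixed facts it relies on are the three variables gpg-agent exports and the S.gpg-agent.ssh socket name under ~/.gnupg; the function names and the script name check-gpg-agent.sh are this example's own.

```shell
#!/bin/sh
# Added example (not the post's code): verify the end state of the setup.
# Save as check-gpg-agent.sh and run it from a terminal inside the X session.

# 1. Environment. gpg-agent --enable-ssh-support exports GPG_AGENT_INFO
#    ("socket:pid:protocol"), SSH_AUTH_SOCK and SSH_AGENT_PID; the pid in
#    GPG_AGENT_INFO must match SSH_AGENT_PID, and SSH_AUTH_SOCK must be
#    gpg-agent's own ssh socket rather than one left behind by ssh-agent or
#    gnome-keyring (those live under /tmp/ssh-*/ or /run/user/...).
check_agent_env() {
    [ -n "$GPG_AGENT_INFO" ] || { echo "FAIL: GPG_AGENT_INFO unset"; return 1; }
    [ -n "$SSH_AGENT_PID" ]  || { echo "FAIL: SSH_AGENT_PID unset"; return 1; }
    case "$SSH_AUTH_SOCK" in
        */S.gpg-agent.ssh) ;;
        "") echo "FAIL: SSH_AUTH_SOCK unset"; return 1 ;;
        *)  echo "FAIL: SSH_AUTH_SOCK=$SSH_AUTH_SOCK belongs to another agent"; return 1 ;;
    esac
    agent_pid=${GPG_AGENT_INFO#*:}
    agent_pid=${agent_pid%%:*}
    [ "$agent_pid" = "$SSH_AGENT_PID" ] ||
        { echo "FAIL: GPG_AGENT_INFO pid $agent_pid != SSH_AGENT_PID $SSH_AGENT_PID"; return 1; }
    echo "OK: environment points at gpg-agent pid $agent_pid"
}

# 2. Processes. Exactly one gpg-agent for this user, and no ssh-agent or
#    gnome-keyring-daemon competing for the SSH socket. Prints every agent's
#    full command line so a rogue instance can be traced back to its starter.
check_agent_processes() {
    uid=$(id -u)
    rc=0
    for name in gpg-agent ssh-agent gnome-keyring-daemon; do
        for p in $(pgrep -u "$uid" -x "$name"); do
            printf '%s[%s]: ' "$name" "$p"
            tr '\0' ' ' < "/proc/$p/cmdline"
            echo
        done
    done
    n=$(pgrep -u "$uid" -xc gpg-agent)
    [ "$n" -eq 1 ] || { echo "FAIL: $n gpg-agent processes (expected 1)"; rc=1; }
    if pgrep -u "$uid" -x ssh-agent >/dev/null || pgrep -u "$uid" -x gnome-keyring-daemon >/dev/null; then
        echo "FAIL: stray ssh-agent/gnome-keyring-daemon running"
        rc=1
    fi
    return $rc
}

# 3. Function. scdaemon must reach the card, and the agent must offer the
#    card's authentication key on the ssh side. The second test is only
#    meaningful once an authentication key has been generated on the card.
check_card_usable() {
    gpg2 --card-status >/dev/null 2>&1 || { echo "FAIL: gpg2 --card-status cannot read the card"; return 1; }
    ssh-add -L 2>/dev/null | grep -q '^ssh-' || { echo "FAIL: ssh-add -L lists no key from the card"; return 1; }
    echo "OK: card answers and ssh-add -L lists a key"
}

main() {
    check_agent_env && check_agent_processes && check_card_usable
}

# Run the checks only when executed as the script itself, so the functions can
# also be sourced into a shell for individual use.
case "$0" in
    */check-gpg-agent.sh|check-gpg-agent.sh) main ;;
esac
```

A non-zero exit status with the first FAIL line tells you which of the earlier sections to revisit: an environment failure means the session was not started through Xsession (section 3) or gpg-agent.conf is wrong (this section), a process failure means an autostart entry survived section 2, and a card failure points back to section 1.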

And finally, enjoy your correctly-working gpg smartcard setup!

37 hours is the estimated amount of time that an average Ubuntu user would need to correctly complete this setup from scratch, even with the help of search engines. Hope this walk-through was of some help :)

Update 24 January 2015: the gnupg2 package is in extra, not main, so one cannot expect it to work perfectly.
