further clarify SSH_AUTH_SOCK related stuff

vorburger · Sep 16, 2019 · d95c2f2 · d95c2f2
1 parent 3b28a94
commit d95c2f2
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -12,10 +12,36 @@
 
 NB: The `~/dev/vorburger-dotfiles-bin-etc/` path is currently hard-coded e.g. in `dotfiles/bashrc`.
 
-Edit ~/.ssh/config and list required hosts.  _(TODO test if that is actually really still needed...)_
 
+## `ssh` (incl. `git`) with YubiKey
 
-## Manual
+As e.g. per https://github.com/drduh/YubiKey-Guide#replace-agents, we need to appropriately set
+the `SSH_AUTH_SOCK` environment variable on the laptop (workstation) that we work on.  There are 2 ways
+to do this:  **EITHER** we set this on (only!!) the laptop in a `~/.bash.d/` (which [our `.bashrc`](dotfiles/bashrc)
+sources), so that **ALL** `ssh` and `git` invocations use this:
+
+    echo "export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)" > ~/.bash.d/SSH_AUTH_SOCK
+    echo 'alias t="ssh -A server.domain.tld"' > ~/.bash.d/alias-t
+
+**OR**, alternatively, e.g. if we use different SSH keys and/or agents, we directly set `SSH_AUTH_SOCK` only in some cases:
+
+    echo 'alias t="SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ssh -A server.domain.tld"' > ~/.bash.d/alias-t
+    echo 'alias ggit="SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) git "' > ~/.bash.d/alias-ggit
+
+The `gpgconf --list-dirs agent-ssh-socket` will set `SSH_AUTH_SOCK` on (only!!) the *laptop* (*workstation*)
+to something like `/run/user/1000/gnupg/S.gpg-agent.ssh`.  On a (Fedora 30) *server* that we connect to, `ssh` will
+set `SSH_AUTH_SOCK` to something like `/tmp/ssh-mXzCzYT2Np/agent.7541` when we connect.  We therefore
+**CANNOT** set `SSH_AUTH_SOCK` in a [`.bashrc`](dotfiles/bashrc) which is shared on both the *laptop*
+(*workstation*) **and** the *server*!  (That would break SSH Agent forwarding.)
+
+In both of cases above, note and remember to use `ssh -A` to enable Agent Forwarding.
+We could alternatively use `ForwardAgent yes` in our `~/.ssh/config`, but as a security best practice,
+always *only for a SINGLE Hostname*_, never for all servers.
+
+BTW: `RemoteForward` in `~/.ssh/config` is not actually required (at least with Fedora 30).
+
+
+## Manual Settings
 
 ### GNOME
 

diff --git a/dotfiles/bashrc b/dotfiles/bashrc
@@ -22,10 +22,6 @@ export PATH
 
 # User specific aliases and functions should go into dotfiles/bash.d/ instead of being appended here!
 
-
-# FUCK NO, DONT EVER MANUALLY SET THE 'SSH_AUTH_SOCK' LIKE THIS EVER ANYMORE AGAIN...
-# Instead of enabling SSH Agent Forwarding for YubiKey via GPG, it *BREAKS* it!! :-((
-# At least on Fedora 30, it actually works just fine out of the box without this.
-### export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
-
 export EDITOR=nano
+
+# Do *NOT* set 'SSH_AUTH_SOCK' here; see README for details.
diff --git a/dotfiles/ssh-config b/dotfiles/ssh-config
diff --git a/symlink.sh b/symlink.sh
@@ -24,7 +24,6 @@ x .bash.d/ dotfiles/bash.d/
 l .zshrc dotfiles/zshrc
 l .gnupg/gpg.conf dotfiles/gpg.conf
 l .gnupg/gpg-agent.conf dotfiles/gpg-agent.conf
-l .ssh/config dotfiles/ssh-config
 l .gitconfig dotfiles/gitconfig
 
 # Don't symlink entire $ZSH_CUSTOM, as that will break ~/.oh-my-zsh/.git repo upgrades;