| 29 Jun 2023 |
steveej | would anyone mind explaining why the pcscd is needed for agenix-yubikey-plugin? i was hoping i could use the ssh-agent which is configured to use the yubikey | 14:22:53 |
steveej | even after enabling the pcscd agenix-plugin-yubikey --list's output is empty 🤔 | 14:24:01 |
oddlama | I presume you meant age-plugin-yubikey? pcscd is required for that since that plugin communicates with the smartcard in the yubikey directly. If by "using the ssh-agent" you mean a -sk type key, then openssh would do that communication. That would require age to communicate to the ssh-agent which is not supported:
man age says
Note that keys held on hardware tokens such as YubiKeys or accessed via ssh-agent(1) are not supported.
| 14:30:26 |
steveej | In reply to @oddlama:matrix.org
I presume you meant age-plugin-yubikey? pcscd is required for that since that plugin communicates with the smartcard in the yubikey directly. If by "using the ssh-agent" you mean a -sk type key, then openssh would do that communication. That would require age to communicate to the ssh-agent which is not supported:
man age says
Note that keys held on hardware tokens such as YubiKeys or accessed via ssh-agent(1) are not supported.
it's an ssh-rsa type key as displayed by ssh-add -L. | 14:36:40 |
oddlama | But it's just a keygrab if you have the private part on your yubikey | 14:37:18 |
steveej | i've got gpg enabled via home-manager with the following settings
programs.gpg.enable = true;
services.gpg-agent = {
  enable = true;
  enableScDaemon = true;
  enableSshSupport = true;
};
this is what makes my set up work
| 14:38:29 |
steveej | SSH_AUTH_SOCK points to /run/user/1000/gnupg/S.gpg-agent.ssh | 14:39:12 |
steveej | maybe the plugin could talk to the gpg-agent's scdaemon socket somehow? | 14:40:00 |
oddlama | If you want to use both gpg and age-plugin-yubikey at the same time you have to disable scdaemon and force gpg to use pcsc lite too | 14:42:47 |
steveej | i don't insist on using that plugin btw.. i just would like to use the yubikey instead of managing a private key on the filesystem | 14:42:57 |
oddlama | I don't think there's an alternative to that plugin then | 14:43:12 |
steveej | In reply to @oddlama:matrix.org
If you want to use both gpg and age-plugin-yubikey at the same time you have to disable scdaemon and force gpg to use pcsc lite too
does the latter refer to options of the plugin, age, or agenix? | 14:44:26 |
oddlama | Agenix has nothing to do with that. It just calls age or rage (implementations of the age spec) which can interface with the plugin https://github.com/str4d/age-plugin-yubikey | 14:46:12 |
steveej | thanks oddlama. i'll read up on pcsclite | 14:56:06 |
steveej | i'm surprised that i'm hitting so many corner cases. i would expect that a lot of people use the same set up as i do | 15:00:05 |
oddlama | What type of corner cases exactly? :D | 15:14:45 |
steveej | oddlama: well, it says "supports ssh keys". i'm using ssh on a daily basis, but my ssh config isn't supported 🤷 | 17:21:21 |
steveej | oddlama: i'm trying your suggestion of "force gpg to use pcsc lite". i realize that i don't know what you mean by that. does it mean disabling gpg-agent's scdaemon, and somehow make it use an existing pcscd? | 18:46:10 |
oddlama | Mostly scdaemonSettings.disable-ccid = true; | 20:16:07 |
oddlama | So that it doesn't try to grab exclusive access to your yubikey | 20:16:38 |
| 30 Jun 2023 |
steveej | thanks again oddlama. i've been reading more about how age-plugin-yubikey works and AFAIU it talks directly to the yubikey interacting with its PIV functionality. i've not set up any PIV key and i don't intend to. in order to reuse my existing GPG key with agenix it would need to support either using that directly or via the gpg binary. i think i'll try my luck with sops-nix first as that seems to support my setup | 07:06:42 |
Ilan Joselevich (Kranzes) | I personally use age-plugin-yubikey | 21:39:16 |
Ilan Joselevich (Kranzes) | I don't use GPG for anything thankfully | 21:39:27 |
| 8 Jul 2023 |
Phobos | i don't know if this is how you're supposed to do this or if you're even supposed to use agenix for this, but i tried using agenix to manage my password files but now I got this error on boot, can anyone help? | 06:30:18 |