| 29 Jun 2023 |
steveej | In reply to @oddlama:matrix.org
I presume you meant age-plugin-yubikey? pcscd is required for that since that plugin communicates with the smartcard in the yubikey directly. If by "using the ssh-agent" you mean a -sk type key, then openssh would do that communication. That would require age to communicate to the ssh-agent which is not supported:
man age says
Note that keys held on hardware tokens such as YubiKeys or accessed via ssh-agent(1) are not supported.
it's an ssh-rsa type key as displayed by ssh-add -L. | 14:36:40 |
oddlama | But it's just a keygrab if you have the private part on your yubikey | 14:37:18 |
steveej | i've got gpg enabled via home-manager with the following settings
programs.gpg.enable = true;
services.gpg-agent = {
enable = true;
enableScDaemon = true;
enableSshSupport = true;
};
this is what makes my setup work
| 14:38:29 |
steveej | SSH_AUTH_SOCK points to /run/user/1000/gnupg/S.gpg-agent.ssh | 14:39:12 |
steveej | maybe the plugin could talk to the gpg-agent's scdaemon socket somehow? | 14:40:00 |
oddlama | If you want to use both gpg and age-plugin-yubikey at the same time you have to disable scdaemon and force gpg to use pcsc lite too | 14:42:47 |
steveej | i don't insist on using that plugin btw.. i just would like to use the yubikey instead of managing a private key on the filesystem | 14:42:57 |
oddlama | I don't think there's an alternative to that plugin then | 14:43:12 |
steveej | In reply to @oddlama:matrix.org
"If you want to use both gpg and age-plugin-yubikey at the same time you have to disable scdaemon and force gpg to use pcsc lite too"
does the latter refer to options of the plugin, age, or agenix? | 14:44:26 |
oddlama | Agenix has nothing to do with that. It just calls age or rage (implementations of the age spec) which can interface with the plugin https://github.com/str4d/age-plugin-yubikey | 14:46:12 |
steveej | thanks oddlama. i'll read up on pcsclite | 14:56:06 |
steveej | i'm surprised that i'm hitting so many corner cases. i would expect that a lot of people use the same setup as i do | 15:00:05 |
oddlama | What type of corner cases exactly? :D | 15:14:45 |
steveej | oddlama: well, it says "supports ssh keys". i'm using ssh on a daily basis, but my ssh config isn't supported 🤷 | 17:21:21 |
steveej | oddlama: i'm trying your suggestion of "force gpg to use pcsc lite". i realize that i don't know what you mean by that. does it mean disabling gpg-agent's scdaemon, and somehow make it use an existing pcscd? | 18:46:10 |
oddlama | Mostly scdaemonSettings.disable-ccid = true; | 20:16:07 |
oddlama | So that it doesn't try to grab exclusive access to your yubikey | 20:16:38 |
| 30 Jun 2023 |
steveej | thanks again oddlama. i've been reading more about how age-plugin-yubikey works and AFAIU it talks directly to the yubikey interacting with its PIV functionality. i've not set up any PIV key and i don't intend to. in order to reuse my existing GPG key with agenix it would need to support either using that directly or via the gpg binary. i think i'll try my luck with sops-nix first as that seems to support my setup | 07:06:42 |
Ilan Joselevich (Kranzes) | I personally use age-plugin-yubikey | 21:39:16 |
Ilan Joselevich (Kranzes) | I don't use GPG for anything thankfully | 21:39:27 |
| 8 Jul 2023 |
Phobos | i don't know if this is how you're supposed to do this or if you're even supposed to use agenix for this, but i tried using agenix to manage my password files but now I got this error on boot, can anyone help? | 06:30:18 |
Phobos | [image attachment: IMG_20230708_162707_054.jpg] | 06:30:35 |
Phobos | was it the wrong idea to use agenix for password files-- | 06:31:19 |
Phobos | oh i got it working again, restored the passwordfile and rolled back a few generations | 07:50:36 |
MartiniMoe | So I have
age.secrets.ssh_key = {
file = ./secrets/ssh_key.age;
path = "$HOME/.ssh/id_rsa";
};
In my config and was expecting to find my ssh key in ~/.ssh/id_rsa after nixos-rebuild switch but it's not there and it threw no errors 🤔 Am I missing something?
| 14:27:01 |