├── gpg-agent.conf
├── .gitignore
├── gpg-pin.png
├── gpg-admin.png
├── ccbysa_80x15.png
├── gpg-new-pin.png
├── gpg-new-admin.png
├── startup_applications.png
├── startup_apps_checked.png
├── startup_apps_unchecked.png
├── bashrc
├── smartcard-reset.txt
├── generate-web
├── README.md
├── Windows.md
├── macOS.md
├── gpg.conf
├── Linux.md
└── LICENSE

/gpg-agent.conf:
--------------------------------------------------------------------------------
```
enable-ssh-support
```

/.gitignore:
--------------------------------------------------------------------------------
```
index.html
linux.html
macOS.html
windows.html
```

/gpg-pin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/gpg-pin.png

/gpg-admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/gpg-admin.png

/ccbysa_80x15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/ccbysa_80x15.png

/gpg-new-pin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/gpg-new-pin.png

/gpg-new-admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/gpg-new-admin.png

/startup_applications.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/startup_applications.png

/startup_apps_checked.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/startup_apps_checked.png

/startup_apps_unchecked.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/herlo/ssh-gpg-smartcard-config/HEAD/startup_apps_unchecked.png

/bashrc:
--------------------------------------------------------------------------------
```
# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# User specific aliases and functions

# Start gpg-agent if it's not running; --sh makes it print the
# GPG_AGENT_INFO/SSH_AUTH_SOCK exports, which are saved for later shells.
if ! pidof gpg-agent > /dev/null; then
    gpg-agent --homedir "$HOME/.gnupg" --daemon --sh --enable-ssh-support > "$HOME/.gnupg/env"
fi
# Import the agent's environment so ssh finds its socket.
if [ -f "$HOME/.gnupg/env" ]; then
    source "$HOME/.gnupg/env"
fi
# Tell the agent which terminal to use for PIN prompts in this session.
gpg-connect-agent updatestartuptty /bye > /dev/null 2>&1
```

/smartcard-reset.txt:
--------------------------------------------------------------------------------
```
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
/bye
```

/generate-web:
--------------------------------------------------------------------------------
```
#!/bin/bash
pandoc README.md -f markdown -t html -s -o index.html
perl -p -i -e 's|Linux.md|linux.html|g' index.html
perl -p -i -e 's|macOS.md|macOS.html|g' index.html
perl -p -i -e 's|Windows.md|windows.html|g' index.html
pandoc Linux.md -f markdown -t html -s -o linux.html
pandoc macOS.md -f markdown -t html -s -o macOS.html
pandoc Windows.md -f markdown -t html -s -o windows.html
scp *.html nb@linux:public_html/smartcard
#scp *.png nb@linux:public_html/smartcard
scp *.html root@nb.prgmr.com:/data/www/smartcard
#scp *.png root@nb.prgmr.com:/data/www/smartcard
```
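`smartcard-reset.txt` above is the standard OpenPGP card factory-reset script: it burns through the retry counters of the user PIN (PW1) and the admin PIN (PW3) with a deliberately wrong value, then sends TERMINATE DF and ACTIVATE FILE, which the card accepts once PW3 is verified or blocked and which erase every key on it. The POSIX sh below is an added example, not part of the repository: it decodes each `scd apdu` line so the script can be read before it is piped into `gpg-connect-agent`, and it reads the `PIN retry counter` line that `gpg --card-status` prints so the counters can be checked before and after a reset. The embedded script copy and the card-status excerpt are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the repository): decode the OpenPGP card APDUs in
# smartcard-reset.txt and read the retry counters from `gpg --card-status`.

# Copy of the repository's reset script, embedded so this runs offline.
RESET_SCRIPT='/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
/bye'

# Constructed `gpg --card-status` excerpt; the three numbers are the retry
# counters left for PW1, the reset code and PW3.
SAMPLE_CARD_STATUS='Application ID ...: D276000124010201000600000000EXAMPLE
PIN retry counter : 3 0 3
Signature counter : 12'

# decode_apdu CLA INS P1 P2 [Lc DATA...]: one-line meaning of a command
# (field names as in ISO 7816-4 and the OpenPGP card specification).
decode_apdu() {
    ins=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    p2=$4
    shift 4                      # $@ is now Lc followed by the data bytes
    case "$ins" in
        20)
            case "$p2" in
                81) slot="PW1 (user PIN, signing)" ;;
                82) slot="PW1 (user PIN, decrypt/authenticate)" ;;
                83) slot="PW3 (admin PIN)" ;;
                *)  slot="unknown password slot $p2" ;;
            esac
            [ $# -gt 0 ] && shift   # drop Lc; what remains is the candidate PIN
            printf 'VERIFY %s, %d-byte candidate\n' "$slot" "$#"
            ;;
        e6) printf 'TERMINATE DF: destroy the applet data, private keys included\n' ;;
        44) printf 'ACTIVATE FILE: re-create the applet with factory defaults\n' ;;
        *)  printf 'unrecognised instruction %s\n' "$ins" ;;
    esac
}

# decode_script: print every APDU line of RESET_SCRIPT with its meaning.
decode_script() {
    printf '%s\n' "$RESET_SCRIPT" | while IFS= read -r line; do
        case "$line" in
            "scd apdu "*)
                rest=${line#scd apdu }
                set -- $rest                 # split the hex bytes into $1 $2 ...
                printf '%-48s # %s\n' "$line" "$(decode_apdu "$@")"
                ;;
        esac
    done
}

# verify_attempts SLOT: VERIFY commands aimed at SLOT (81 = PW1, 83 = PW3).
# Four wrong tries exceed the default retry counter of three, which is what
# blocks PW3 and lets TERMINATE DF proceed without the admin PIN.
verify_attempts() {
    printf '%s\n' "$RESET_SCRIPT" | grep -c "^scd apdu 00 20 00 $1 " || true
}

# is_factory_reset: true when the script blocks both PINs and then wipes
# and re-creates the applet; a script that only verifies a PIN does not match.
is_factory_reset() {
    [ "$(verify_attempts 81)" -ge 3 ] && [ "$(verify_attempts 83)" -ge 3 ] &&
        printf '%s\n' "$RESET_SCRIPT" | grep -q '^scd apdu 00 e6 00 00' &&
        printf '%s\n' "$RESET_SCRIPT" | grep -q '^scd apdu 00 44 00 00'
}

# retry_counter TEXT WHICH: WHICH is pw1, rc or pw3; TEXT is card-status output.
retry_counter() {
    want=$2
    counters=$(printf '%s\n' "$1" | sed -n 's/^PIN retry counter *: *//p')
    set -- $counters
    case "$want" in
        pw1) echo "$1" ;;
        rc)  echo "$2" ;;
        pw3) echo "$3" ;;
        *)   echo "unknown counter $want" >&2; return 1 ;;
    esac
}

decode_script
echo "PW1 retries left before reset: $(retry_counter "$SAMPLE_CARD_STATUS" pw1)"
```

A fresh card, or one that has just been reset, reports `3 0 3`; a PW3 counter of `0` on a card you did not reset is the signal that someone has already exhausted the admin PIN.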
/README.md:
--------------------------------------------------------------------------------
SSH authentication using a GPG smart card
=========================================

To configure your system to use a GPG smart card for SSH authentication,
visit the appropriate link below:

- [Linux](Linux.md)
- [macOS](macOS.md)
- [Windows](Windows.md)

The YubiKey 5 Series
--------------------

- [YubiKey 5 Series](https://www.yubico.com/products/yubikey-5-overview/)

The Gemalto USB Shell Token
---------------------------

To obtain the Gemalto USB Shell Token (v2), visit
[floss-shop.de](https://www.floss-shop.de/en/).

Items needed:

- [Gemalto USB Shell Token (v2)](https://www.floss-shop.de/en/security-privacy/smartcard-reader/3/gemalto-shell-token-black)
- [OpenPGP SmartCard v3.3](https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3)

[![image](ccbysa_80x15.png)](https://creativecommons.org/licenses/by-sa/4.0/)

This work is licensed under a [Creative Commons Attribution-ShareAlike
4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/).
License text available in the [License](LICENSE) file.

/Windows.md:
--------------------------------------------------------------------------------
SSH authentication using a GPG smart card on Windows
====================================================

The YubiKey 4 and YubiKey NEO support the OpenPGP interface for smart
cards, which can be used with GPG4Win for encryption and signing, as well
as for SSH authentication. These in turn can be used by several other
useful tools, like Git, pass, etc. This guide will help you set up the
required software for getting things to work.

GPG4Win
-------

First things first. The core of everything is GPG4Win. Install the
latest version. You will also need to autostart gpg-connect-agent.exe
(which comes with GPG4Win) when your computer starts. You can do this by
creating a shortcut to

`"C:\Program Files (x86)\GNU\GnuPG\gpg-connect-agent.exe" /bye`

and placing it in your Startup program group in your Start menu.
Changing the Run: setting from Normal window to Minimized makes it
slightly less obtrusive at login.

If you haven't already, you will need to set up a PGP key on your NEO.

GPG4Win's smart card support is not rock solid; occasionally you might
get error messages when trying to access the YubiKey. It might happen
after removing and re-inserting the YubiKey, or after your computer has
been in sleep mode, etc. This can be resolved by restarting gpg-agent
using the following commands:

```
gpg-connect-agent killagent /bye
gpg-connect-agent /bye
```

You might want to put these commands in a BAT file for quick access.

Enable SSH authentication
-------------------------

GPG4Win has built-in support for SSH authentication, which is compatible
with the Pageant protocol used by PuTTY. By enabling this support,
GPG4Win can act as a drop-in replacement for Pageant. Enabling this is
done by creating (or editing) the gpg-agent.conf file and adding the
following line to it:

`enable-putty-support`

The file is found in the gnupg directory: %APPDATA%\gnupg (at least on
Windows 10). The gpg-agent will need to be restarted (as described in
the previous section) for this change to take effect. Once enabled, any
application which supports SSH authentication using Pageant should
"just work".

PuTTY
-----

If you've installed GPG4Win and enabled PuTTY support, then PuTTY should
work out of the box. You can download and install PuTTY
[here](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).

/macOS.md:
--------------------------------------------------------------------------------
SSH authentication using a GPG smart card on macOS
==================================================

This document doesn't go into setting up a GPG smartcard with keys,
only how to set up the GPG smartcard agent. These instructions should
work for Bash, ZSH, and any other POSIX-compliant shell.

Homebrew
--------

These instructions use [Homebrew](https://brew.sh/) to install a few
needed packages. Please reference their website to install it.

Install packages
----------------

    $ brew install gpg2 pidof pinentry-mac

Homebrew's version of gpg2 will be located at `/usr/local/bin/gpg2`.

`pidof` is used in a script below to check whether gpg-agent is running.
You can use other methods to determine this, but using `pidof` was the
simplest.

Create gpg.conf
---------------

Edit the file `$HOME/.gnupg/gpg.conf` and copy and paste the following
into it:

    ask-cert-level
    use-agent
    keyserver keys.fedoraproject.org

You can change keyserver to be any keyserver. The Fedora Project URL is
used as an example.
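The `gpg.conf` above, the `gpg-agent.conf` written in the next section and the repository's own `gpg.conf` further down are all hand-written, and a few of their settings deserve a second look: a bare hostname or `hkp://` keyserver is queried in cleartext, a 32-bit `default-key` ID is cheap to collide, `use-agent` has been a no-op since GnuPG 2.1, and a long `max-cache-ttl` keeps cached PINs and passphrases alive. The POSIX sh linter below is an added example, not part of the repository; the two sample configurations are constructed copies of the page's settings, and the hardened variant and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the repository): lint the gpg.conf and
# gpg-agent.conf settings this guide has you write by hand.

# Constructed copies of the settings shown in the guide.
SAMPLE_GPG_CONF='ask-cert-level
use-agent
keyserver keys.fedoraproject.org
default-key 8A8F1D53'

SAMPLE_AGENT_CONF='pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
debug-level basic
log-file $HOME/.gnupg/gpg-agent.log'

# Constructed hardened variant: TLS keyserver, full fingerprint (made-up value).
HARDENED_GPG_CONF='keyserver hkps://keyserver.example.net
default-key 0x0123456789ABCDEF0123456789ABCDEF01234567'

# conf_value TEXT KEY: value of the first uncommented "KEY value" line.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)/\1/p" | head -n 1
}

# has_option TEXT KEY: true when KEY is present as a bare option line.
has_option() {
    printf '%s\n' "$1" | grep -qx "[[:space:]]*$2[[:space:]]*"
}

# count_lines: non-empty lines on stdin, printing 0 instead of failing.
count_lines() {
    grep -c . || true
}

# lint_gpg_conf TEXT: one finding per line, nothing when clean.
lint_gpg_conf() {
    key=$(conf_value "$1" default-key)
    case "$key" in
        ????????|0x????????)
            echo "default-key $key is a 32-bit short key ID; collisions are cheap to make, use the full fingerprint" ;;
    esac
    ks=$(conf_value "$1" keyserver)
    case "$ks" in
        "") ;;
        hkps://*|ldaps://*) ;;
        *) echo "keyserver $ks is not hkps://; lookups travel in cleartext and can be tampered with" ;;
    esac
    if has_option "$1" use-agent; then
        echo "use-agent is a no-op since GnuPG 2.1 (the agent is always used); harmless but obsolete"
    fi
    return 0
}

# lint_agent_conf TEXT: the same for gpg-agent.conf.
lint_agent_conf() {
    if ! has_option "$1" enable-ssh-support; then
        echo "enable-ssh-support missing: gpg-agent will not serve ssh at all"
    fi
    d=$(conf_value "$1" default-cache-ttl)
    m=$(conf_value "$1" max-cache-ttl)
    if [ -n "$d" ] && [ -n "$m" ] && [ "$d" -gt "$m" ]; then
        echo "default-cache-ttl $d exceeds max-cache-ttl $m; the maximum wins, so the larger value is misleading"
    fi
    if [ -n "$m" ] && [ "$m" -gt 3600 ]; then
        echo "max-cache-ttl $m keeps cached passphrases and PINs usable for up to $((m / 60)) minutes; shorten it on a shared or unattended host"
    fi
    return 0
}

echo "== gpg.conf from the guide"
lint_gpg_conf "$SAMPLE_GPG_CONF"
echo "== gpg-agent.conf from the guide"
lint_agent_conf "$SAMPLE_AGENT_CONF"
echo "== hardened gpg.conf"
lint_gpg_conf "$HARDENED_GPG_CONF"
```

To lint real files, pass their contents: `lint_gpg_conf "$(cat ~/.gnupg/gpg.conf)"`.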

Create gpg-agent.conf
---------------------

Edit the file `$HOME/.gnupg/gpg-agent.conf` and copy and paste the
following into it:

    pinentry-program /usr/local/bin/pinentry-mac
    enable-ssh-support
    default-cache-ttl 600
    max-cache-ttl 7200
    debug-level basic
    log-file $HOME/.gnupg/gpg-agent.log

Directory Permissions
---------------------

Make sure the .gnupg directory has the correct permissions:

    $ chmod -R og-rwx $HOME/.gnupg

Setup Shell rc File
-------------------

The following will work in both Bash and ZSH.

Edit your `$HOME/.bashrc` or `$HOME/.zshrc` file and add the following
at the bottom:

    # Start gpg-agent if it's not running
    if [ -z "$(pidof gpg-agent 2> /dev/null)" ]; then
        gpg-agent --homedir "$HOME/.gnupg" --daemon --sh --enable-ssh-support > "$HOME/.gnupg/env"
    fi

    # Import various environment variables from the agent.
    if [ -f "$HOME/.gnupg/env" ]; then
        source "$HOME/.gnupg/env"
    fi

You can also put the above script in a separate file and source it into
your rc file. Whichever works for you.

Verify Correct Setup
--------------------

Open a new shell session or source your shell's rc file and use
`ssh-add` to verify everything is working:

    $ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJU3H3jjShU6o04lK......0yQrd1oR2nQ8qEQQ== cardno:000604227008

Conclusion
----------

With this setup, the gpg-agent should be started on shell start if it's
not already started. SSH_AUTH_SOCK is set to the standard socket
location to be used by ssh or anything else that wants to use GPG, like
git.
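The rc-file snippet and the `ssh-add -L` check above are the same ones the Linux guide uses further down. As an added example that is not part of the repository, the POSIX sh below parses the env file that `gpg-agent --daemon --sh` writes instead of sourcing it, picks out the card-backed keys (gpg-agent tags them with a `cardno:` comment), and, when run with `--check`, confirms that `SSH_AUTH_SOCK` really points at gpg-agent's socket rather than at a leftover ssh-agent or gnome-keyring. On GnuPG 2.1 and later the agent starts on demand and `gpgconf --list-dirs agent-ssh-socket` reports the socket, so the env file is only a fallback. The samples are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the repository): checks for the rc-file snippet
# and the `ssh-add -L` test in the macOS and Linux guides.

# Constructed, modelled on the file `gpg-agent --daemon --sh` writes (the
# guides redirect it to $HOME/.gnupg/env and then source it).
SAMPLE_AGENT_ENV='GPG_AGENT_INFO=/tmp/gpg-Ab12Cd/S.gpg-agent:4242:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-Ab12Cd/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4242; export SSH_AGENT_PID;'

# Constructed `ssh-add -L` output: one key served from the card (gpg-agent
# appends the card serial as the comment) and one ordinary file-based key.
SAMPLE_SSH_ADD_L='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDL/XmUEXAMPLEKEY= cardno:00050000158A
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY user@laptop'

# env_value NAME TEXT: read NAME out of agent env text without sourcing it
# (sourcing executes whatever the file contains; parsing does not).
env_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# card_keys TEXT: only the public keys gpg-agent serves from a smart card.
card_keys() {
    printf '%s\n' "$1" | grep ' cardno:' || true
}

# card_key_count TEXT: how many such keys the agent offers.
card_key_count() {
    printf '%s\n' "$1" | grep -c ' cardno:' || true
}

# agent_ssh_socket: where this host's gpg-agent listens for ssh clients.
agent_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        # older gpgconf prints the whole name:value list; keep only a bare path
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null | sed -n '/^\//p' | head -n 1)
    fi
    if [ -z "$sock" ] && [ -f "$HOME/.gnupg/env" ]; then
        sock=$(env_value SSH_AUTH_SOCK "$(cat "$HOME/.gnupg/env")")
    fi
    printf '%s\n' "$sock"
}

# verify_setup: non-zero when ssh is not talking to gpg-agent or the agent
# offers no card-backed key; prints the card keys otherwise.
verify_setup() {
    sock=$(agent_ssh_socket)
    if [ -z "$sock" ]; then
        echo "gpg-agent SSH socket not found; is enable-ssh-support set?" >&2
        return 1
    fi
    if [ "${SSH_AUTH_SOCK:-}" != "$sock" ]; then
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset} but gpg-agent uses $sock (another agent, e.g. gnome-keyring, is still in the way)" >&2
        return 1
    fi
    keys=$(ssh-add -L 2>/dev/null) || keys=""
    if [ "$(card_key_count "$keys")" -eq 0 ]; then
        echo "no cardno: key offered; is the card inserted and does gpg --card-status see it?" >&2
        return 1
    fi
    card_keys "$keys"
}

# Offline demonstration on the samples; pass --check on a real machine.
if [ "${1:-}" = "--check" ]; then
    verify_setup
else
    echo "agent socket from env file: $(env_value SSH_AUTH_SOCK "$SAMPLE_AGENT_ENV")"
    echo "card-backed keys offered: $(card_key_count "$SAMPLE_SSH_ADD_L")"
    card_keys "$SAMPLE_SSH_ADD_L"
fi
```

If `--check` reports a socket mismatch after a reboot, the gnome-keyring or upstart changes in the Linux guide have not taken effect yet; if it reports no `cardno:` key, the agent is fine but scdaemon is not seeing the card.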

/gpg.conf:
--------------------------------------------------------------------------------
```
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.

# Uncomment the following option to get rid of the copyright notice

#no-greeting

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013
default-key 8A8F1D53


# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.

#default-recipient some-user-id
#default-recipient-self

# By default GnuPG creates version 3 signatures for data files. This
# is not strictly OpenPGP compliant but PGP 6 and most versions of PGP
# 7 require them. To disable this behavior, you may use this option
# or --openpgp.

#no-force-v3-sigs

# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.

#no-escape-from-lines

# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future versions of GnuPG will change to UTF-8
# as default character set. In most cases this option is not required:
# GnuPG is able to figure out the correct charset and use that.

#charset utf-8

# Group names may be defined like this:
#   group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make a group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.

#group mynames = paige 0x12345678 joe patti

# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed, which is usually preferable.

#lock-once

# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyserver:
#      hkp://subkeys.pgp.net
#
# Example email keyserver:
#      mailto:pgp-public-keys@keys.pgp.net
#
# Example LDAP keyservers:
#      ldap://pgp.surfnet.nl:11370
#      ldap://keyserver.pgp.com
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
#      hkp://keyserver.example.net:22742
#
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
#
# Most users just set the name and type of their preferred keyserver.
# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://subkeys.pgp.net is an example of
# such a "server", which spreads the load over a number of physical
# servers.

keyserver hkp://subkeys.pgp.net
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://pgp.surfnet.nl:11370
#keyserver ldap://keyserver.pgp.com

disable-ccid

# Common options for keyserver functions:
#
# include-disabled = when searching, include keys marked as "disabled"
#                    on the keyserver (not all keyservers support this).
#
# no-include-revoked = when searching, do not include keys marked as
#                      "revoked" on the keyserver.
#
# verbose = show more information as the keys are fetched.
#           Can be used more than once to increase the amount
#           of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
#                  keyserver. Some platforms (Win32 for one) always
#                  have this on.
#
# keep-temp-files = do not delete temporary files after using them
#                   (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
#                    environment variable
#
# broken-http-proxy = try to work around a buggy HTTP proxy
#
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
#                     when verifying signatures or when importing keys that
#                     have been revoked by a revocation key that is not
#                     present on the keyring.
#
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
#                         when sending keys to the keyserver.

#keyserver-options auto-key-retrieve

# Display photo user IDs in key listings

# list-options show-photos

# Display photo user IDs when a signature from a key with a photo is
# verified

# verify-options show-photos

# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin"
# On Mac OS X and Windows, the default is to use your regular JPEG image
# viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
# photo-viewer "display -title 'KeyID 0x%k'"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"

# Passphrase agent
#
# We support the old experimental passphrase agent protocol as well as
# the new Assuan based one (currently available in the "newpg" package
# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent,
# you have to run an agent as daemon and use the option
#
use-agent
#
# which tries to use the agent but will fallback to the regular mode
# if there is a problem connecting to the agent. The normal way to
# locate the agent is by looking at the environment variable
# GPG_AGENT_INFO which should have been set during gpg-agent startup.
# In certain situations the use of this variable is not possible, thus
# the option
#
# --gpg-agent-info=::1
#
# may be used to override it.
# gpg-agent-info /tmp/seahorse-E1O7KI/S.gpg-agent:1127:1
```

/Linux.md:
--------------------------------------------------------------------------------
SSH authentication using a GPG smart card on Linux
==================================================

This document covers the procedure for configuring a YubiKey as a GPG
smartcard for SSH authentication.
The benefit is a good model for [two-factor
authentication](http://en.wikipedia.org/wiki/Two-factor_authentication):
something you have and something you know. In this example, there is a
token and a passphrase.

The [YubiKey 5 Series](https://www.yubico.com/products/yubikey-5-overview/)
is used here. The YubiKey 4 or YubiKey NEO will also work, although
the YubiKey NEO is limited to 2048-bit RSA keys, and the YubiKey 4 does
not support ECC keys.

The same instructions should work on other GPG smart card
implementations, although they were developed using the YubiKey
implementation.

Examples below are using a Fedora 33 x86_64 and Ubuntu 15.04 x86_64
fresh install. There are other tutorials for other operating systems and
keys available online. See the CREDITS section below for alternate
tutorials, examples, etc.

Configuring Authentication with GNOME-Shell
-------------------------------------------

To configure authentication using the previously generated GnuPG key,
the GNOME-Shell needs some adjustments. With help from several
resources, configure the system to allow `gpg-agent` to take over SSH
authentication.

Certain software must be installed, including utilities for the YubiKey
`libyubikey` (`libyubikey-dev` on Ubuntu), `gnupg2` (which is probably
already installed), and `gnupg2-smime` (`gpgsm` on Ubuntu).

*Fedora*:

    sudo dnf install ykpers libyubikey gnupg gnupg2-smime

*Ubuntu*:

    sudo apt-get install gnupg-agent gnupg2 pinentry-gtk2 scdaemon \
        libccid pcscd libpcsclite1 gpgsm yubikey-personalization \
        libyubikey-dev libykpers-1-dev

**Optional**: Install the [YubiKey NEO Manager
GUI](https://developers.yubico.com/yubikey-neo-manager/).
If running Ubuntu, you can install the YubiKey NEO Manager and other
YubiKey software from the [Yubico
PPA](https://launchpad.net/~yubico/+archive/ubuntu/stable).

Enable your YubiKey's Smartcard interface (CCID)
------------------------------------------------

This will enable the smartcard portion of your YubiKey. This is only
required for the YubiKey NEO.

    ykpersonalize -m82

If you have a dev key, reboot your YubiKey (remove and reinsert) so that
ykneomgr works.

### Configure GNOME-Shell to use gpg-agent and disable ssh-agent

Turn off ssh-agent inside gnome-keyring-daemon.

For Fedora this can be achieved by creating a new file
/etc/X11/xinit/Xclients.d/Xclients.gnome-session.sh or appending to the
existing one. Add the following code portion:

    if [[ $(gconftool-2 --get /apps/gnome-keyring/daemon-components/ssh) != "false" ]]; then
        gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
    fi

Configure GPG to use its agent (only for smartcard):

    echo "use-agent" >> ~/.gnupg/gpg.conf

Enable ssh-agent drop-in replacement support for gpg-agent:

    echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

Disable pcscd to avoid conflicting with GPG/scdaemon's built-in CCID:

    systemctl disable pcscd.socket --now
    systemctl disable pcscd.service --now
    systemctl mask pcscd.socket
    systemctl mask pcscd.service

Allow admin actions on your YubiKey (if your gnupg version is <
2.0.11):

    echo "allow-admin" >> ~/.gnupg/scdaemon.conf

#### Intercept gnome-keyring-daemon and put gpg-agent in place for ssh authentication (Ubuntu)

Open Startup Applications

Uncheck "GPG Password Agent" and "SSH Key Agent"

![Startup Apps](startup_apps_checked.png)

Edit `/usr/share/upstart/sessions/gpg-agent.conf` so that the pre-start
script contains the following:

    eval "$(gpg-agent --daemon --enable-ssh-support --sh)" >/dev/null
    initctl set-env --global GPG_AGENT_INFO=$GPG_AGENT_INFO
    initctl set-env --global SSH_AUTH_SOCK=$SSH_AUTH_SOCK
    initctl set-env --global SSH_AGENT_PID=$SSH_AGENT_PID

Add the following lines to the post-stop script section:

    initctl unset-env --global SSH_AUTH_SOCK
    initctl unset-env --global SSH_AGENT_PID

Disable the other system gpg-agent:

    mv /etc/X11/Xsession.d/90gpg-agent ~/bak/90gpg-agent

Note: We could have used the Xsession gpg-agent and trashed the upstart
one, but there is an [open bug
report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642021) for
90gpg-agent. Also, the upstart script has the capability of exporting
the environment variables globally with initctl set-env --global.

#### Intercept gnome-keyring-daemon and put gpg-agent in place for ssh authentication (Fedora)

If running GNOME, this problem may be solved by running the following to
disable gnome-keyring from autostarting its broken gpg-agent and
ssh-agent implementation:

    mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.inactive

    mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.inactive

Next, place the following in `~/.bashrc` to ensure gpg-agent starts with
`--enable-ssh-support`:

    # Start gpg-agent if it's not running
    if ! pidof gpg-agent > /dev/null; then
        gpg-agent --homedir "$HOME/.gnupg" --daemon --sh --enable-ssh-support > "$HOME/.gnupg/env"
    fi
    if [ -f "$HOME/.gnupg/env" ]; then
        source "$HOME/.gnupg/env"
    fi
    gpg-connect-agent updatestartuptty /bye > /dev/null 2>&1

Now go to the next step (Reload GNOME-Shell) :)

Reload GNOME-Shell so that the gpg-agent changes above take effect
------------------------------------------------------------------

Rebooting the machine works best. After reboot, make sure that the
output of the following command is false:

    gconftool-2 --get /apps/gnome-keyring/daemon-components/ssh

Setting PINs
------------

There is a regular PIN, which is used to unlock the token for Signing,
Encryption or Authentication. Additionally, there is an admin PIN, which
is used to reset the PIN and/or the Reset Code for the key itself.

### Complete these steps for the PIN and then the Admin PIN

The default PINs are 123456 and 12345678 respectively.

    gpg2 --card-edit
    ..snip..

    gpg/card> admin
    Admin commands are allowed

    gpg/card> passwd
    gpg: OpenPGP card no. D27600012401020000050000158A0000 detected

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 3

Enter the current Admin PIN

![current admin PIN](gpg-admin.png)

Then enter the new Admin PIN twice

![new admin PIN](gpg-new-admin.png)

### PIN

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 1

Enter the current PIN

![current PIN](gpg-pin.png)

Then enter the new PIN twice

![new PIN](gpg-new-pin.png)

**NOTE:** If the Admin PIN has not been entered, it may be required
before changes are applied.

Generating an SSH Key using GnuPG
---------------------------------

There are several ways to generate an SSH key using GnuPG. A common way
is to link the new authentication key to an already existing key:

    gpg2 --edit-key 8A8F1D53
    gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  3072R/8A8F1D53  created: 2012-10-06  expires: never       usage: SC
                         trust: ultimate      validity: ultimate
    sub  3072R/2F15E06B  created: 2012-11-23  expires: 2022-11-21  usage: S
    sub  3072R/EB8B4EBD  created: 2012-11-24  expires: 2022-11-22  usage: E
    sub  3072R/6BB325E9  created: 2012-11-24  expires: 2022-11-22  usage: A
    [ultimate] (1). Clint Savage
    [ultimate] (2)  Clint Savage
    [ultimate] (3)  Clint Savage

    gpg>

Once in the `edit-key` dialog, create a key on the card:

    gpg> addcardkey
    Signature key ....: 91BC 60CC B9EC 8E73 923A FC6D 58CD 88A6 2F15 E06B
    Encryption key....: 0CC3 DC3E 0D17 6111 A62B F656 63C6 4DA9 EB8B 4EBD
    Authentication key: 9EBF A9FE 8AE1 0FEB 1699 CE9A 779F 43D5 EC6F CC13

    Please select the type of key to generate:
       (1) Signature key
       (2) Encryption key
       (3) Authentication key
    Your selection? 3

IT WILL PROMPT YOU TO ENTER THE ADMIN PIN, AND THEN THE REGULAR PIN. Don't
fat-finger this part!

    gpg: WARNING: such a key has already been stored on the card!

    Replace existing key? (y/N) y
    What keysize do you want for the Authentication key? (3072)
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Clint Savage "
    3072-bit RSA key, ID 8A8F1D53, created 2012-10-06

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 10y
    Key expires at Mon 21 Nov 2022 05:29:00 PM MST
    Is this correct? (y/N) y
    Really create? (y/N) y
    gpg: Note that the key does not use the suggested creation date

    pub  3072R/8A8F1D53  created: 2012-10-06  expires: never       usage: SC
                         trust: ultimate      validity: ultimate
    sub  3072R/2F15E06B  created: 2012-11-23  expires: 2022-11-21  usage: S
    sub  3072R/EB8B4EBD  created: 2012-11-24  expires: 2022-11-22  usage: E
    sub  3072R/6BB325E9  created: 2012-11-24  expires: 2022-11-22  usage: A

    [ultimate] (1). Clint Savage
    [ultimate] (2)  Clint Savage
    [ultimate] (3)  Clint Savage

Upon completion of the key, be sure to save the record to the card and
gpg key:

    gpg> save


Verify SSH key is managed via gpg-agent
---------------------------------------

Assuming everything above is configured correctly, a simple test is
performed with the SmartCard inserted:

    ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDL/XmU......BL0luE= cardno:00050000158A

FILES
-----

[The github
repository](https://github.com/herlo/ssh-gpg-smartcard-config/) contains
all the files to make the changes above. Please feel free to read
through them.

CREDITS
-------

A special thanks to the following people and/or links.

> - [How to use GPG with SSH (with smartcard section)](http://www.programmierecke.net/howto/gpg-ssh.html)
> - [The GnuPG Smartcard HOWTO (Advanced Features)](http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html#id2507402)
> - [Smart Cards and Secret Agents](http://blog.flameeyes.eu/2010/08/smart-cards-and-secret-agents)
> - [How to mitigate issues between gnupg and gnome keyring manager](http://wiki.gnupg.org/GnomeKeyring)
> - [Useful info on how to start the correct agent at login](http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Attribution-ShareAlike 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution-ShareAlike 4.0 International Public
License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution-ShareAlike 4.0 International Public License ("Public
License"). To the extent this Public License may be interpreted as a
contract, You are granted the Licensed Rights in consideration of Your
acceptance of these terms and conditions, and the Licensor grants You
such rights in consideration of benefits the Licensor receives from
making the Licensed Material available under these terms and
conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. BY-SA Compatible License means a license listed at
     creativecommons.org/compatiblelicenses, approved by Creative
     Commons as essentially the equivalent of this Public License.

  d. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  e. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  f. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  g. License Elements means the license attributes listed in the name
     of a Creative Commons Public License. The License Elements of this
     Public License are Attribution and ShareAlike.

  h. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  i. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  j. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  k. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  l. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  m. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. Additional offer from the Licensor -- Adapted Material.
               Every recipient of Adapted Material from You
               automatically receives an offer from the Licensor to
               exercise the Licensed Rights in the Adapted Material
               under the conditions of the Adapter's License You apply.

            c. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

  b. ShareAlike.

     In addition to the conditions in Section 3(a), if You Share
     Adapted Material You produce, the following conditions also apply.

       1. The Adapter's License You apply must be a Creative Commons
          license with the same License Elements, this version or
          later, or a BY-SA Compatible License.

       2. You must include the text of, or the URI or hyperlink to, the
          Adapter's License You apply. You may satisfy this condition
          in any reasonable manner based on the medium, means, and
          context in which You Share Adapted Material.

       3. You may not offer or impose any additional or different terms
          or conditions on, or apply any Effective Technological
          Measures to, Adapted Material that restrict exercise of the
          rights granted under the Adapter's License You apply.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material,

     including for purposes of Section 3(b); and
  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------
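Returning to the "Verify SSH key is managed via gpg-agent" step of the guide above: the `ssh-add -L` check only shows that *some* agent offers *a* card key. The script below is an added example, not one of the repository's files and not the author's code. It ties the verification together: it confirms that `SSH_AUTH_SOCK` is gpg-agent's socket (via `gpgconf --list-dirs agent-ssh-socket`), that a card is present (`gpg --card-status`), that the agent lists a `cardno:` key, and that this key is byte-for-byte the authentication subkey gpg itself exports for your key ID with `gpg --export-ssh-key` (GnuPG 2.1+). The key ID, the sample key blobs and the `openpgp:0x…` comment on the exported line are constructed placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Added example, not part of the herlo/ssh-gpg-smartcard-config repository.
# Checks that the SSH key gpg-agent offers is the authentication subkey that
# lives on the OpenPGP SmartCard, rather than a key from some other agent.
# Only live_check talks to gpg/ssh-add; the helpers work on plain text so
# they can be exercised without a card.

# Constructed sample data (not real keys): what `ssh-add -L` would list for
# one card-backed and one file-backed key, and what `gpg --export-ssh-key`
# would print for the card's authentication subkey (gpg comments it
# "openpgp:0x<subkey id>"; the agent comments card keys "cardno:<serial>").
SAMPLE_AGENT_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEBLOBFROMCARD= cardno:00050000158A
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEFILEKEY user@laptop'
SAMPLE_EXPORTED='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEBLOBFROMCARD= openpgp:0x6BB325E9'

# Reduce an OpenSSH public-key line to "<type> <base64-blob>", dropping the
# comment so keys can be compared regardless of who labelled them.
ssh_pubkey_blob() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $1, $2 }'
}

# From `ssh-add -L` output, print only the keys gpg-agent serves from a card.
card_keys_from_agent() {
    printf '%s\n' "$1" | awk '$NF ~ /^cardno:/'
}

# Return 0 if any line of the agent listing ($1) has the same type and blob
# as the key gpg exported ($2); comments are ignored on both sides.
agent_serves_key() {
    local want
    want=$(ssh_pubkey_blob "$2")
    printf '%s\n' "$1" |
        awk -v want="$want" '($1 " " $2) == want { found = 1 }
                             END { if (found) exit 0; exit 1 }'
}

# Live check against the real agent and card. Argument: the key ID whose
# authentication subkey was created with addcardkey (8A8F1D53 in the guide).
live_check() {
    local keyid="$1" sock agent exported
    sock=$(gpgconf --list-dirs agent-ssh-socket)
    if [ "${SSH_AUTH_SOCK:-}" != "$sock" ]; then
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} but gpg-agent listens on $sock" >&2
        return 1
    fi
    gpg --card-status >/dev/null 2>&1 || { echo "no SmartCard detected" >&2; return 1; }
    agent=$(ssh-add -L) || { echo "ssh-add -L failed: does the agent have identities?" >&2; return 1; }
    [ -n "$(card_keys_from_agent "$agent")" ] || { echo "agent lists no cardno: key" >&2; return 1; }
    exported=$(gpg --export-ssh-key "$keyid") || return 1
    if agent_serves_key "$agent" "$exported"; then
        echo "OK: gpg-agent serves the card's authentication subkey of $keyid"
    else
        echo "MISMATCH: agent keys do not include the authentication subkey of $keyid" >&2
        return 1
    fi
}

# Usage: ./check-card-ssh.sh --live <keyid>   (no arguments: dry run on samples)
if [ "${1:-}" = "--live" ]; then
    live_check "${2:?usage: $0 --live <keyid>}"
else
    agent_serves_key "$SAMPLE_AGENT_LIST" "$SAMPLE_EXPORTED" &&
        echo "dry run: sample agent listing serves the sample exported key"
fi
```

The socket comparison is the part people usually skip: a `cardno:` key in `ssh-add -L` proves gpg-agent is reachable, but if `SSH_AUTH_SOCK` points at ssh-agent or the GNOME keyring, ssh itself will still never see that key. Comparing the blob against `gpg --export-ssh-key` also catches the case where an old authentication subkey was replaced with `addcardkey` but a stale stub is still being served.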