gpg-agent: ssh support

Joachim Breitner mail at
Sat Jan 29 18:26:49 CET 2005

Hi Moritz, hi List,

good news, thanks so far.

I got a suggestion. Would it be possible to have gpg-agent encrypt the
ssh key with my gpg key instead of yet another password? This way, I
would not notice the difference between whether the gpg or the ssh key
is used, and I'd get some added value when using the openpgp-smartcards.


BTW: Today I hacked your poldi code to read the PIN from the login data
field from the card. I'll fix up the code and send you a patch maybe
tomorrow, but you might want to implement it differently, more cleanly
that is.

Am Freitag, den 28.01.2005, 21:02 +0100 schrieb Moritz Schulte:
> Hello folks,
> I have commited my changes, which add ssh-agent support to the
> gpg-agent, into GNUPG-1-9-BRANCH.  What this means: gpg-agent contains
> the new option `--ssh-support', which enables the ssh-agent emulation.
> From the manual:
>   In this mode of operation, the agent does not only implement the
>   gpg-agent protocol, but also the agent protocol used by OpenSSH
>   (through a seperate socket).  Consequently, it should possible to use
>   the gpg-agent as a drop-in replacement for the well known ssh-agent.
>   SSH Keys, which are to be used through the agent, need to be added to
>   the gpg-agent initially through the ssh-add utility.  When a key is
>   added, ssh-add will ask for the password of the provided key file and
>   send the unprotected key material to the agent; this causes the
>   gpg-agent to ask for a passphrase, which is to be used for encrypting
>   the newly received key and storing it in a gpg-agent specific
>   directory.
>   Once, a key has been added to the gpg-agent this way, the gpg-agent
>   will be ready to use the key.
>   Note: in case the gpg-agent receives a signature request, the user
>   might need to be prompted for a passphrase, which is necessary for
>   decrypting the stored key.  Since the ssh-agent protocol does not
>   contain a mechanism for telling the agent on which display/terminal it
>   is running, gpg-agent's --ssh-support switch implies --keep-display
>   and --keep-tty.  This strategy causes the gpg-agent to open a pinentry
>   on the display or on the terminal, on which it (the gpg-agent) was
>   started.
> Comments/feedback/bug reports are very welcome; happy hacking.
> Thanks,
> Moritz.
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at
Joachim Breitner
  e-Mail: mail at
  ICQ#: 74513189
Bitte senden Sie mir keine Word- oder PowerPoint-Anhänge.

More information about the Gnupg-devel mailing list