GnuPG Card with ssh authentication problems

Brady Young brady at
Sun Feb 27 04:06:43 CET 2011

So I've been trying to get my GnuPG card to work with ssh
authentication, but I can't seem to get it to work. As there are quite a
few success stories out there, I'm probably missing something, or doing 
something stupid, so I'd appreciate any pointers.

This is a largely underdocumented feature, which is one reason I'm
writing out all the steps here in one place.

First of all, my card has subkeys only on it, though there is a full
corresponding public key on my computer.

Also, I'm using:
gpg (GnuPG) 2.0.14
libgcrypt 1.4.4

Here are the steps I'm doing:

I start up gpg-agent like so:

$ eval `gpg-agent --enable-ssh-support --daemon`

..and check that my environment variables are pointed at the right PID,
and that ssh-agent is not running:

$ ps ax |egrep 'AGENT|SSH'
(they are..)

I edit my key, and make a subkey with the 'A' (authentication) flag:

$ gpg2 --expert --edit-key C3C297C1

Command> addkey

(toggle for authentication only)

Afterwards, I have a subkey and corresponding secret key that looks like
sub  1024R/3B70AC3E  created: 2011-02-26  expires: never       usage: A 
ssb  1024R/3B70AC3E  created: 2011-02-26  expires: never  

Next, I add the key to the card:

Command> toggle

Command> key x
(where x is the number corresponding to my secret auth subkey)

Command> keytocard

I verify that the key is indeed on the card:

$ gpg2 --card-status
Authentication key: 4B01 B8E3 F5FE 4B2F A295  710F E151 A452 3B70 AC3E

Finally, I attempt to add the key to gpg-agent. I read this 
should automatically detect the auth key on the card, adding it to
sshcontrol and such:

$ ssh-add -l
The agent has no identities.

This is where I get stuck, I think. My debug log clearly shows ssh-add
querying the card, with this output:

gpg-agent[29524]: ssh handler 0x1ebe840 for fd 7 started
gpg-agent[29524]: ssh request 1 is not supported
gpg-agent[29524]: ssh request handler for request_identities (11)
gpg-agent[29524]: new connection to SCdaemon established (reusing)

gpg-agent[29524]: no suitable card key found: No public key

gpg-agent[29524]: ssh request handler for request_identities (11) ready
gpg-agent[29524]: ssh handler 0x1ebe840 for fd 7 terminated

I'm thinking the problem may lay in this "No public key" error..

In any case, I undertsand the next step is to get the ssh-ified version
of the key, adding to to ~/.ssh/authorized_keys on the remote host:

$ gpgkey2ssh 3B70AC3E > file_to_upload

(file_to_upload is scp'd over to remote host in correct location..)
(I sohuld also note gpgkey2ssh is in dire need of documentation and
proper error handling.)

sshing into my host at this point, ssh fails to recognize I have a key
at all (although does attempt to send the empty ~/.ssh/id_dsa and id_rsa), 
and falls back to a password login.

My GnuPG card has been working fine with signing and encryption subkeys,
so I'm not suspecting a card communication error here..

Brady Young
<brady at>

More information about the Gnupg-users mailing list