GnuPG Card with ssh authentication problems

Grant Olson kgo at
Sun Feb 27 05:45:43 CET 2011

On 02/26/2011 10:06 PM, Brady Young wrote:
> In any case, I undertsand the next step is to get the ssh-ified version
> of the key, adding to to ~/.ssh/authorized_keys on the remote host:
> $ gpgkey2ssh 3B70AC3E > file_to_upload
> (file_to_upload is scp'd over to remote host in correct location..)
> (I sohuld also note gpgkey2ssh is in dire need of documentation and
> proper error handling.)

"ssh-add -L" does this a little better.  But yes, the more obscure
features in gpg get, the more obscure the documentation is. ;-)

> sshing into my host at this point, ssh fails to recognize I have a key
> at all (although does attempt to send the empty ~/.ssh/id_dsa and id_rsa), 
> and falls back to a password login.
> My GnuPG card has been working fine with signing and encryption subkeys,
> so I'm not suspecting a card communication error here..

You can check to see if gpg-agent knows about the key by checking the
contents of ~/.gnupg/private-keys-v1.d/.  If there's nothing there, the
key didn't make it into gpg-agent:

grant at johnyaya:~$ ls /home/grant/.gnupg/private-keys-v1.d/

Another thing that might help...

If gpg-agent is working properly, it'll also import your old keys like
~/.ssh/id_rsa, asking you for an old password, and then asking for a new
password to save, and generating a file under ~/.gnupg/private-keys-v1.d/.

So you could try creating normal ssh keys, adding those to your
authorized keys file normally, ssh'ing normally, without gpg-agent.  If
all that works, enable gpg-agent again and see if pinentry takes over
when you ssh to the box, and tries to import ~/,ssh/id_rsa.

That will at least let you know if it's gpg-agent or the card that's
giving you problems.


"Look around! Can you construct some sort of rudimentary lathe?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 565 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110226/8615a21f/attachment-0001.pgp>

More information about the Gnupg-users mailing list