GPG key to authenticate to SSH?
wk at gnupg.org
Mon Jul 23 10:01:25 CEST 2012
On Sun, 22 Jul 2012 21:52, jeroen at budts.be said:
> --enable-ssh-support option and the gpgkey2ssh script.
You don't need gpgkey2ssh - it is a relict form the early days.
gpg-agent supports the ssh-agent protocol for 7 years now.
> Is it somehow possible to 'automatically' use my GPG subkey for SSH
> session when I'm using GPG-Agent? Or am I missing something here?
Install gpg-agent properly and make sure that the environment variables
are set. The man page explains what you need to do. The import thing
is that the envvar SSH_AUTH_SOCKET points to the right socket which is
usually /home/USER/.gnupg/S.gpg-agent.ssh . You either need to put
"enable-ssh-support" into the gpg-agent.conf or start gpg-agent with the
option "--enable-ssh-support". You may check that it works using
$ gpg-connect-agent 'getinfo ssh_socket_name' /bye
Now you only have to use "ssh-add" to add the keys to gpg-agent.
gpg-agent will ask you for the passphrase of the ssh-key and then for a
new passphrase (you may use the same) under it will be stored in GnuPG's
key storage. Once this has been done, you won't need "ssh-add"
anymore. You may of course use
to list the keys, gpg-agent knows about or
do show the public keys. If you have the need for finer grained control
or want to disable an ssh key, you need to look at ~/.gnupg/sshcontrol .
If you have a supported smartcard, an authentication key on that card
will be used for ssh automagically.
I am using this all of this for more than 7 years and have never looked
at ssh-agent again. ECC support is not yet ready, but it is in the
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users