GPG key to authenticate to SSH?

Werner Koch wk at
Mon Jul 23 10:01:25 CEST 2012

On Sun, 22 Jul 2012 21:52, jeroen at said:

> --enable-ssh-support option and the gpgkey2ssh script.

You don't need gpgkey2ssh - it is a relic from the early days.
gpg-agent has supported the ssh-agent protocol for 7 years now.

> Is it somehow possible to 'automatically' use my GPG subkey for SSH
> session when I'm using GPG-Agent? Or am I missing something here?

Install gpg-agent properly and make sure that the environment variables
are set.  The man page explains what you need to do.  The important thing
is that the envvar SSH_AUTH_SOCK points to the right socket, which is
usually /home/USER/.gnupg/S.gpg-agent.ssh.  You either need to put
"enable-ssh-support" into the gpg-agent.conf or start gpg-agent with the
option "--enable-ssh-support".  You may check that it works using

  $ gpg-connect-agent 'getinfo ssh_socket_name' /bye
  D /home/USER/.gnupg/S.gpg-agent.ssh

Now you only have to use "ssh-add" to add the keys to gpg-agent.
gpg-agent will ask you for the passphrase of the ssh key and then for a
new passphrase (you may use the same) under which it will be stored in
GnuPG's key storage.  Once this has been done, you won't need "ssh-add"
anymore.  You may of course use

  ssh-add -l

to list the keys gpg-agent knows about, or

  ssh-add -L

to show the public keys.  If you need finer-grained control
or want to disable an ssh key, you need to look at ~/.gnupg/sshcontrol.
If you have a supported smartcard, an authentication key on that card
will be used for ssh automagically.

I have been using all of this for more than 7 years and have never looked
at ssh-agent again.  ECC support is not yet ready, but it is in the



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
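Added example, not part of Werner's post: a POSIX shell script that checks the gpg-agent ssh setup he describes (socket name reported by gpg-connect-agent, enable-ssh-support in gpg-agent.conf, SSH_AUTH_SOCK pointing at that socket, and keys disabled in sshcontrol). Function names are mine; the "!" prefix for disabled sshcontrol entries is taken from the gpg-agent man page, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Example check script (constructed for this example, not GnuPG's own code).

# Parse the reply of `gpg-connect-agent 'getinfo ssh_socket_name' /bye`.
# The socket path arrives on a "D <path>" data line, followed by "OK".
parse_ssh_socket_reply() {
    printf '%s\n' "$1" | sed -n 's/^D //p' | head -n 1
}

# Does a gpg-agent.conf enable the ssh-agent protocol?
# Comment lines and surrounding whitespace are ignored.
conf_has_ssh_support() {
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Compare the socket gpg-agent reports ($1) with what ssh will use ($2).
# Returns 0 only when SSH_AUTH_SOCK is set and identical.
ssh_auth_sock_matches() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# Keygrips (40 hex digits) disabled in ~/.gnupg/sshcontrol: lines that
# start with "!" are disabled entries.
disabled_keygrips() {
    sed -n 's/^![[:space:]]*\([0-9A-Fa-f]\{40\}\).*/\1/p' "$1"
}

# Live check; only meaningful on a host where gpg-agent is installed.
check_live_setup() {
    reply=$(gpg-connect-agent 'getinfo ssh_socket_name' /bye 2>/dev/null) || return 1
    sock=$(parse_ssh_socket_reply "$reply")
    conf=${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf
    conf_has_ssh_support "$conf" || echo "enable-ssh-support missing in $conf"
    ssh_auth_sock_matches "$sock" "$SSH_AUTH_SOCK" \
        || echo "SSH_AUTH_SOCK should be $sock"
}
```

Run `check_live_setup` in a shell that has the gpg-agent environment set; it prints nothing when the setup matches what the post describes.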
