GPG key to authenticate to SSH?

Jeroen Budts jeroen at budts.be
Tue Jul 24 22:04:31 CEST 2012



On 07/23/2012 10:01 AM, Werner Koch wrote:
> On Sun, 22 Jul 2012 21:52, jeroen at budts.be said:
> 
>> Is it somehow possible to 'automatically' use my GPG subkey for 
>> SSH session when I'm using GPG-Agent? Or am I missing something 
>> here?
> 
> Install gpg-agent properly and make sure that the environment 
> variables are set.  The man page explains what you need to do.
> The important thing is that the envvar SSH_AUTH_SOCKET points to the
> right socket which is usually /home/USER/.gnupg/S.gpg-agent.ssh .
> You either need to put "enable-ssh-support" into the gpg-agent.conf
> or start gpg-agent with the option "--enable-ssh-support".  You
> may check that it works using
> 
> $ gpg-connect-agent 'getinfo ssh_socket_name' /bye
> D /home/USER/.gnupg/S.gpg-agent.ssh
> OK

Aha, OK, when I tried to run that command I got an error (telling me
that that functionality was not implemented). While I followed
instructions to disable the gpg and ssh parts of gnome-keyring,
apparently they didn't work. Now I completely disabled 'Launch GNOME
services on startup' in XFCE so gnome-keyring is not started anymore.
Now I get the correct output from the above command.

> Now you only have to use "ssh-add" to add the keys to gpg-agent. 
> gpg-agent will ask you for the passphrase of the ssh-key and then
> for a new passphrase (you may use the same) under which it will be stored
> in GnuPG's key storage.  Once this has been done, you won't need 
> "ssh-add" anymore.

This works correctly as well now. I added my SSH key, gpg-agent
prompted me for the passphrase of the SSH key and asked me for a new
passphrase. Now I can indeed log in to my server without having to
ssh-add my key. However, before I started all this I could do this as
well, as gnome-keyring automatically does an ssh-add for you (or, as I
understand it, gnome-keyring uses its own ssh-agent which unlocks the
key only when it is needed and automatically prompts for the
passphrase at that moment).

>> --enable-ssh-support option and the gpgkey2ssh script.
> 
> You don't need gpgkey2ssh - it is a relic from the early days.
> gpg-agent has supported the ssh-agent protocol for 7 years now.

What I really wanted to accomplish here is to use my GPG
authentication subkey for SSH authentication, without having to use an
SSH-key at all. But it is still not clear to me how this can be
accomplished, if possible at all?
I was thinking that:
1) somehow I should be able to make my public Authentication key known
to the server. That's why I used `gpgkey2ssh <my-auth-subkeyid>` and
added the output to ~/.ssh/authorized_keys on the server.
2) somehow gpg-agent would also try authentication subkeys on
GPG-keys, amongst any other known SSH-keys, when trying to find the
correct key to authenticate to SSH? This doesn't seem to be the case.

Ideally I would be able to always use my GPG Authentication subkey for
SSH authentication and would not need any other SSH-specific key.

Is something like this possible, or am I completely missing the point?
(I still need to learn a lot about SSH etc).

Thanks for your reply!
Jeroen

-- 
website: http://budts.be/ - twitter: @teranex
___________________________________
Registered Linux User #482240 - GetFirefox.com - ubuntu.com

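The check Werner describes, as an added example that is not part of the thread: it parses the reply of `gpg-connect-agent 'getinfo ssh_socket_name' /bye` and compares the socket path with SSH_AUTH_SOCK, the variable ssh(1) actually reads, so a foreign agent such as gnome-keyring answering on the socket is caught before any key is added. It assumes a POSIX shell and, for the live check only, gpg-connect-agent in PATH; the sample replies are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that ssh(1) will talk to
# gpg-agent's ssh-agent emulation rather than to another agent.
# Assumes a POSIX shell; the live check also needs gpg-connect-agent.

# Parse the Assuan reply of `gpg-connect-agent 'getinfo ssh_socket_name' /bye`.
# An agent running with enable-ssh-support answers "D <path>" then "OK";
# an agent without it (or another program answering on the socket, as
# gnome-keyring did in the thread) answers with an "ERR ..." line instead.
# Prints the socket path and returns 0, or returns 1 on an error reply.
parse_ssh_socket_name() {
    reply="$1"
    printf '%s\n' "$reply" | grep -q '^ERR' && return 1
    path=$(printf '%s\n' "$reply" | sed -n 's/^D //p' | head -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Compare the agent's socket with the path ssh(1) consults, i.e. the
# SSH_AUTH_SOCK variable (passed as $2 so the check is testable offline).
# Returns 0 on a match, 1 if the agent has no ssh support, 2 on a mismatch.
ssh_auth_sock_matches() {
    sock=$(parse_ssh_socket_name "$1") || return 1
    [ "$sock" = "$2" ] || return 2
}

# Live check against the running agent.
check_live_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 || {
        echo "gpg-connect-agent not found"; return 3; }
    live=$(gpg-connect-agent 'getinfo ssh_socket_name' /bye 2>&1)
    rc=0; ssh_auth_sock_matches "$live" "${SSH_AUTH_SOCK:-}" || rc=$?
    case $rc in
        0) echo "OK: ssh uses gpg-agent at $SSH_AUTH_SOCK" ;;
        1) echo "gpg-agent has no ssh support: add enable-ssh-support to gpg-agent.conf" ;;
        2) echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} is not gpg-agent's socket" ;;
    esac
    return $rc
}

# Run the live check only when asked: sh check.sh --live
case "${1:-}" in --live) check_live_agent ;; esac
```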
