GPG key to authenticate to SSH?

Werner Koch wk at
Wed Jul 25 12:04:44 CEST 2012

On Tue, 24 Jul 2012 22:04, jeroen at said:

> apparently they didn't work. Now I completely disabled 'Launch GNOME
> services on startup' in XFCE so gnome-keyring is not started anymore.
> Now I get the correct output from the above command.

Please complain on the xfce and gnome lists and tell them they should
stop hijacking gpg-agent - at least by default.

> What I really wanted to accomplish here is to use my GPG
> authentication subkey for SSH authentication, without having to use an
> SSH-key at all. But it is still not clear to me how this can be
> accomplished, if possible at all?

With 2.1-betaX it is easy to do.  With older versions you probably need
to use gpgkey2ssh.  But the latter is not well documented and
frankly I have not used it at all.

In case you can use 2.1-beta, here is what I would do:

  $ gpg2 --with-keygrip -k 1E42B367
  pub   2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
        Keygrip = 44B9E7E287B11C0E033A1A93ECCFDBC6AF7CCFAE
  uid                  Werner Koch <wk at>
  sub   1024D/77F95F95 2011-11-02
        Keygrip = D11C82133CAADCA42A00074D5EE92023B85110DF
  sub   2048R/C193565B 2011-11-07 [expires: 2013-12-31]
        Keygrip = 52A831E2CCCD992BCA0D3082B1D945DA5451BE50

Now assuming 77F95F95 would be an authentication key, you run a

  echo "D11C82133CAADCA42A00074D5EE92023B85110DF 0" >>~/.gnupg/sshcontrol

and you are done.  The point with 2.1 is that it stores the key material
independent of the protocol and thus you may use it as you like.
gpg-agent does not need gpg to work with this subkey.  When migrating to
2.1 (see the README) gpg transfers the key material to gpg-agent.



Thoughts are free.  Exceptions are governed by a federal law.
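Added example, not code from the mail: the same two steps Werner describes (find the keygrip of the authentication subkey, append it to sshcontrol), but driven from gpg's machine-readable `--with-colons --with-keygrip` listing instead of reading the keygrip off the screen, and idempotent so a re-run does not duplicate the entry. The listing embedded below is constructed from the key IDs and keygrips in the mail; the zero-padded long key IDs, timestamps, uid hash and the assumption that 77F95F95 carries the `a` (authentication) capability are placeholders.

```shell
#!/bin/sh
# Real use: gpg2 --with-colons --with-keygrip -k 1E42B367 | auth_keygrips
# Constructed sample listing (placeholders as noted in the lead-in).
SAMPLE_LISTING='pub:u:2048:17:000000001E42B367:1199059200:1545955200::u:::scESCA::::::23::0:
grp:::::::::44B9E7E287B11C0E033A1A93ECCFDBC6AF7CCFAE:
uid:u::::1199059200::0000000000000000000000000000000000000000::Werner Koch <wk at example.invalid>::::::::::0:
sub:u:1024:17:0000000077F95F95:1320192000::::::a::::::23:
grp:::::::::D11C82133CAADCA42A00074D5EE92023B85110DF:
sub:u:2048:1:00000000C193565B:1320624000:1388448000::::::e::::::23:
grp:::::::::52A831E2CCCD992BCA0D3082B1D945DA5451BE50:'

# Read a --with-colons --with-keygrip listing on stdin and print the keygrip
# of every subkey whose capability field (field 12) carries the lowercase
# 'a' flag, i.e. a key actually usable for authentication.  The "grp" record
# that follows a key record holds that key's keygrip in field 10.
auth_keygrips() {
  awk -F: '
    $1 == "pub" || $1 == "sec"  { want = 0 }
    $1 == "sub" || $1 == "ssb"  { want = ($12 ~ /a/) }
    $1 == "grp" && want         { print $10; want = 0 }
  '
}

# Append "KEYGRIP 0" to sshcontrol (default ~/.gnupg/sshcontrol) unless the
# grip is already listed, so running this twice does not duplicate entries.
# The trailing 0 is the cache TTL field, exactly as in the mail.
add_to_sshcontrol() {
  grip=$1
  file=${2:-$HOME/.gnupg/sshcontrol}
  if [ -f "$file" ] && grep -q "^$grip" "$file"; then
    return 0
  fi
  printf '%s 0\n' "$grip" >> "$file"
}

# Number of sshcontrol lines that name the given grip (to verify the result).
sshcontrol_count() {
  grep -c "^$1" "$2" 2>/dev/null || true
}
```

After the grip is registered, `ssh-add -L` (with SSH_AUTH_SOCK pointing at gpg-agent's ssh socket) should list the key in OpenSSH format.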
