gpg-agent, authentication key, and ssh

Werner Koch wk at
Thu Jul 25 16:55:16 CEST 2013

On Tue, 23 Jul 2013 06:34, matt at said:

> As I understand it, I can create an authentication subkey and use some utility
> to convert that to an ssh key. If this conversion is possible, then why can't
> the gpg-agent consider private auth (sub)keys along with ssh keys loaded via
> the SSH_AUTH_SOCK protocol?

It does this if the authkey is on a smart-card.

We can't further automate this because the gpg-agent protocol requires
that gpg-agent tells ssh all available keys so that ssh can ask the
server whether it is willing to accept a certain key.  With the dozens of
auth-keys in a keyring this is a privacy problem and a performance

So what we require is that non-smartcard keys to be used with ssh are
listed in ~/.gnupg/sshcontol .  With GnuPG 2.1 the whole thing will
become easier because the gpg-agent has direct access to all private
keys and thus there is no more need to consult gpg to convert the
non-smartcard keys.  This will actually allow to write a small GUI to
maintain the sshcontrol file.

> Also, out of curiosity... Would it be possible to multiplex the GPG_AGENT_INFO
> protocol with SSH_AUTH_SOCK? Damien Miller of OpenSSH has talked about unix
> socket forwarding [0], but nothing has come of it. I think it'd be a big win

In theory yes.  If you want to try: gpg-agent 2.1 can use TCP instead of
a local socket to accept connection from gpg.  It is a debugging aid
because there is no security - tunneling this via ssh would give you
this security.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list