Using gpg for ssh access

Damien Goutte-Gattat dgouttegattat at incenp.org
Wed Apr 6 12:48:40 CEST 2016


On 04/06/2016 09:38 AM, CANNON NATHANIEL CIOTA wrote:
> Thanks for the info. Today I had a chance to try this out, still having
> trouble using ssh with gpg. Can you please clarify what steps are to be
> used on server side and steps on client side? My current scenario, both
> server and client are linux command line interface only. My smartcard
> has a subkey for use with authentication.

Then if GPG Agent is up and running and configured to act as an SSH 
agent, it should automatically detect the authentication subkey and make 
it available to SSH clients.

First, could you please tell us which version of GnuPG you are using? 
Most importantly, we need to know if you're using 2.0 or 2.1.

Then, check whether SSH support is enabled in GPG Agent. You can use the 
following command:

   gpg-connect-agent "GETINFO ssh_socket_name" /bye

which should print the path to the SSH socket if SSH support is enabled, 
or give you an error message if it is not.

If SSH support is not enabled, enable it by adding the following line:

   enable-ssh-support

in the configuration for GPG Agent (~/.gnupg/gpg-agent.conf, you may 
need to create that file if it does not already exist), then kill the agent:

   gpgconf --kill gpg-agent

and re-run the first command again.

Once you have confirmed that SSH support is available from the agent, 
check the value of the SSH_AUTH_SOCK environment variable. That variable 
must point to the agent's SSH socket (as returned by the GETINFO command 
above) in order for SSH clients to know how to contact the agent.

Then, insert your card into your card reader and run `ssh-add -L`. If 
everything went fine, that command should print the public part of your 
authentication subkey, in a format suitable for inclusion into an 
authorized_keys file on your server.

If something did *not* go fine, please report any error message.
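
The checks described in the message above, collected into one script as an added example (not part of the original message and not GnuPG's own code). The function names, return codes and the `--run` switch are assumptions of this example; it also assumes the socket path in the agent's `D` reply line contains no percent-escaped characters.

```shell
#!/bin/sh
# Added example: runs the checks from the message above, in the same order.

# True if the given gpg-agent.conf has an active (uncommented) enable-ssh-support line.
conf_enables_ssh() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Read the agent's reply to "GETINFO ssh_socket_name" on stdin and print the
# socket path from its "D <path>" line. Prints nothing if the reply is an error.
parse_socket_reply() {
    sed -n 's/^D //p' | head -n 1
}

# Compare the agent's socket ($1) with the SSH_AUTH_SOCK value ($2).
# Returns 0 = match, 1 = SSH_AUTH_SOCK empty, 2 = it points at another agent.
sock_status() {
    [ -n "$2" ] || return 1
    [ "$1" = "$2" ] || return 2
    return 0
}

gpg_ssh_check() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    sock=$(gpg-connect-agent "GETINFO ssh_socket_name" /bye 2>/dev/null | parse_socket_reply)
    if [ -z "$sock" ]; then
        if conf_enables_ssh "$conf"; then
            echo "enable-ssh-support is set; restart the agent: gpgconf --kill gpg-agent"
        else
            echo "add enable-ssh-support to $conf, then: gpgconf --kill gpg-agent"
        fi
        return 1
    fi
    rc=0; sock_status "$sock" "${SSH_AUTH_SOCK:-}" || rc=$?
    case $rc in
        1) echo "SSH_AUTH_SOCK is unset; export SSH_AUTH_SOCK=$sock"; return 1 ;;
        2) echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not the agent socket $sock"; return 1 ;;
    esac
    # With the card inserted, this prints the public part of the authentication subkey.
    ssh-add -L
}

# Touch the real agent only when asked to, so the helpers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then gpg_ssh_check; fi
```

A return code of 2 from `sock_status` usually means another agent already owns `SSH_AUTH_SOCK` in that session, in which case `ssh-add -L` lists that agent's keys and not the card's authentication subkey.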
