using an expired GPG key with ssh

stebe at stebe at
Tue Feb 16 03:54:46 CET 2016

Hi Marko,

Marko Bauhardt:
> Hi,
> i plan to use my GPG authentication key to do a login via ssh onto my server.
> I tried monkeysphere to convert my GPG key to a ssh key, and adding the key to the ssh-agent. Everything works as expected.
> But the question i have is, will `ssh-add` or `monkeysphere subkey-to-ssh-agent` will fail when my GPG subkey is expired?
> Has anyone experience with GPG and ssh authentication?
> Should i use the gpg-agent instead of the ssh-agent?

according to monkeysphere(7) to be found in /usr/share/man/man7,
monkeysphere subkey-to-ssh-agent will fail.

Quote (using nroff):
The  monkeysphere  commands work from a set of user IDs to deter‐
mine acceptable keys for ssh  and  TLS  authentication.   OpenPGP
keys are considered acceptable if the following criteria are met:
The key must have the ‘authentication’ (‘a’) usage flag set.  The
key  itself  must  be valid, i.e. it must be well‐formed, not ex‐
pired, and not revoked.  The relevant user ID must be signed by a
trusted identity certifier.

As ssh-add arguments are being invoked from monkeysphere
subkey-to-ssh-agent (as additional parameters) this ssh-add would fail, too.

According to the manual it is possible to use the gpg.agent
"as a drop-in replacement" for the ssh-agent (and I'd prefer doing
that), if you run
gpg-agent --daemon --enable-ssh-support \
               --write-env-file "${HOME}/.gpg-agent-info"

when starting a session and no gpg.agent is already running.

(see chapter 2 Invoking GPG Agent, 2.2 Option Summary
(--enable-ssh-support), in the manual, for a detailed



More information about the Gnupg-users mailing list