GPG-Agent not recognising SSH keys

Peter Lebbing peter at digitalbrains.com
Tue Jan 12 19:37:52 CET 2016


On 12/01/16 12:58, Jacques Kotze wrote:
> Hi All,

Hi,

> First time post, so please excuse me if it is an ignorant noob question :)

It's not an ignorant question, and even if it were, that wouldn't be a
problem :).

> $> unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
> $> eval $(/usr/local/MacGPG2/bin/gpg-agent --daemon --enable-ssh-support)

Which version of GnuPG are you using, by the way?

> Ok.. so I am stumped. Any help appreciated :)

Did it go something like this?

I'm "quoting" the terminal interaction and writing comments in between.
You can see I'm using GnuPG 2.1, but I think it should go the same for
2.0. There /is/ a difference with regard to the agent configuration,
though, which is why I ask about your version above.

> $ gpg2 --expert --edit-key DCDFDFA4
> gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Secret key is available.
> 
> sec  rsa1024/DCDFDFA4
>      created: 2012-03-17  expires: 2016-01-13  usage: SC  
>      trust: never         validity: unknown
> ssb  rsa1024/77A3395A
>      created: 2012-03-17  expires: never       usage: E   
> [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> [ unknown] (2)  Test Teststra <test at work.invalid>

This is a test key. It doesn't have an authentication-capable subkey yet,
so let's add one (for that, we need --expert, hence my use of it).

> gpg> addkey
> Please select what kind of key you want:
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (5) Elgamal (encrypt only)
>    (6) RSA (encrypt only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
>   (10) ECC (sign only)
>   (11) ECC (set your own capabilities)
>   (12) ECC (encrypt only)
>   (13) Existing key
> Your selection? 8
>
> Possible actions for a RSA key: Sign Encrypt Authenticate 
> Current allowed actions: Sign Encrypt 
> 
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
> 
> Your selection? =a

I just noticed this possibility in a recent post by Werner to this
list... I don't know if it's a new 2.1 feature, but instead of first
toggling S and E, you can prepend an = to your A and presto, the key is
for A only.

> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048)
> Requested keysize is 2048 bits
> Please specify how long the key should be valid.
>          0 = key does not expire
>       <n>  = key expires in n days
>       <n>w = key expires in n weeks
>       <n>m = key expires in n months
>       <n>y = key expires in n years
> Key is valid for? (0) 
> Key does not expire at all
> Is this correct? (y/N) y
> Really create? (y/N) y
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> 
> sec  rsa1024/DCDFDFA4
>      created: 2012-03-17  expires: 2016-01-13  usage: SC  
>      trust: never         validity: unknown
> ssb  rsa1024/77A3395A
>      created: 2012-03-17  expires: never       usage: E   
> ssb  rsa2048/38EF7410
>      created: 2016-01-12  expires: never       usage: A   
> [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> [ unknown] (2)  Test Teststra <test at work.invalid>
> 
> gpg> Save changes? (y/N) y

So now we need the keygrip for this new authentication subkey:

> $ gpg2 --with-keygrip -k DCDFDFA4
> pub   rsa1024/DCDFDFA4 2012-03-17 [expires: 2016-01-13]
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid         [ unknown] Test Teststra (Koning van Wezel) <test at example.invalid>
> uid         [ unknown] Test Teststra <test at work.invalid>
> sub   rsa1024/77A3395A 2012-03-17
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> sub   rsa2048/38EF7410 2016-01-12
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63

The keygrip /follows/ the line with the short key ID; we need the
keygrip for the key with ID 38EF7410, so it's the very last line. The
other keygrips are for keys that don't have the authentication
capability and are hence useless to add to sshcontrol.

I used a screen editor, but let's pretend I used the command line... In
fact, all further lines have been edited to hide my real SSH keys. It's
probably overkill, but let's be cautious with what we broadcast on the
internet.

> $ cd .gnupg
> $ echo '3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0' >>sshcontrol
> $ cat sshcontrol
> # List of allowed ssh keys.  Only keys present in this file are used
> # in the SSH protocol.  The ssh-add tool may add new entries to this
> # file to enable them; you may also add them manually.  Comment
> # lines, like this one, as well as empty lines are ignored.  Lines do
> # have a certain length limit but this is not serious limitation as
> # the format of the entries is fixed and checked by gpg-agent. A
> # non-comment line starts with optional white spaces, followed by the
> # keygrip of the key given as 40 hex digits, optionally followed by a
> # the caching TTL in seconds and another optional field for arbitrary
> # flags.   Prepend the keygrip with an '!' mark to disable it.
> 
> 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0

Now let's see if it's known:

> $ ssh-add -L
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9V1hmvs5Gg8OqmtHDXfIAKA5Ji0z0+ib5m7DRjX/KXXZvOtwR8QOvsFxffJsXpmp1m7nL/gw+EcjbMDAbo+X05UWKiMwyVdinbnaupFDtk7Z+KBEAYLsvUml23jiBzitLbURC7wFrMTFPVzGY/5ZHw0LaWjSPuQxltjPTnMUcL4F4eyDD2TkmsxmAgNy5xMAjHmGdEaBnFent2hBTMETyeWKlP6glKT67eL2SQn5viHSXK6nVlXsyYsJBIhSPjAagPv1qRtkhinSJaKDUGWZ0vxMpNHscjG4DreWKlzew5UQcBBKleYPl7mSf1Z8UJnwLnYdC0OhjC1dMfyitByhV (none)

\o/

If you did it just like this, there's an issue in your setup, as it
works for me. If you didn't do it like this, ... you probably should ;P.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
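
The lookup walked through in this message (take the keygrip that follows the line for the authentication subkey, then confirm that sshcontrol lists it and has not disabled it with '!'), as an added example that is not part of the original message. The function names are hypothetical; the listing is copied from the message and the sshcontrol content is constructed.

```sh
# Added example; helper names are hypothetical, not GnuPG tools.
# stdin: `gpg2 --with-keygrip -k KEY` output; $1: short key ID.
# Prints the keygrip that follows the pub/sub line carrying that ID.
keygrip_for_id() {
    awk -v id="$1" '
        $1 == "pub" || $1 == "sub" { want = ($2 ~ ("/" id "$")); next }
        want && $1 == "Keygrip" && $2 == "=" { print $3; exit }'
}

# $1: keygrip, $2: sshcontrol file. Prints enabled, disabled or absent,
# judged on the first entry for that keygrip; "!" marks a disabled one.
sshcontrol_status() {
    awk -v grip="$1" '
        BEGIN { state = "absent" }
        NF == 0 || $1 ~ /^#/ { next }     # empty and comment lines
        { entry = $1; off = sub(/^!/, "", entry)
          if (entry == grip) { state = off ? "disabled" : "enabled"; exit } }
        END { print state }' "$2"
}

# stdin: listing; $1: short key ID; $2: sshcontrol file.
# Prints "<keygrip> <status>".
check_key() {
    grip=$(keygrip_for_id "$1")
    [ -n "$grip" ] || { echo "no keygrip found for $1"; return 1; }
    echo "$grip $(sshcontrol_status "$grip" "$2")"
}

sample_listing() {   # pub/sub and Keygrip lines from the message above
    cat <<'EOF'
pub   rsa1024/DCDFDFA4 2012-03-17 [expires: 2016-01-13]
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
sub   rsa1024/77A3395A 2012-03-17
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
sub   rsa2048/38EF7410 2016-01-12
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
EOF
}

sample_sshcontrol() {   # constructed file: one disabled, one enabled entry
    printf '%s\n' '# List of allowed ssh keys.' '' \
        '!15CB764B81D542CF921978CA89910C69D53F4E2D 0' \
        '  3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0'
}

tmp=$(mktemp) && sample_sshcontrol >"$tmp"
sample_listing | check_key 38EF7410 "$tmp"
rm -f "$tmp"
```

Against a real keyring, pipe `gpg2 --with-keygrip -k DCDFDFA4` into `check_key 38EF7410 ~/.gnupg/sshcontrol` instead of using the sample functions.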


