GPG-Agent not recognising SSH keys

Peter Lebbing peter at digitalbrains.com
Thu Jan 14 15:58:15 CET 2016


Hi Jacques,

> Your guide highlighted a silly error where I had accidentally chopped
> some of the trailing characters of the appropriate keygrip in
> sshcontrol (Doh!). BTW I am using GnuPG 2.1.9

That's hard to spot... "Is this jumble of characters the same as the 
one I just saw?"

> I can now successfully get the response to ssh-add -L as expected.
> Great!

Yep!

> Anything there I am perhaps missing?

Are the server and the user account configured to accept authorized 
keys? Are the permissions on ~/.ssh acceptable?

Do you have administrative access to the server in question? The 
configuration for sshd can configure different authentication 
possibilities to be offered, even per-user (or per-IP range).

But perhaps more likely is that ~/.ssh doesn't have the correct 
permissions. If you have access to sshd's log: it will likely complain 
verbally in the log about permission errors, even though you as a client 
don't see it.

From the sshd manpage:

> ~/.ssh/authorized_keys
> Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
> for logging in as this user.  The format of this file is
> described above.  The content of the file is not highly
> sensitive, but the recommended permissions are read/write for the
> user, and not accessible by others.
>
> If this file, the ~/.ssh directory, or the user's home directory
> are writable by other users, then the file could be modified or
> replaced by unauthorized users.  In this case, sshd will not
> allow it to be used unless the StrictModes option has been set to
> “no”.

A good permission for ~/.ssh is 700. authorized_keys can be 755 or 
less[1]. From the way the manpage is phrased, one would think one's home 
directory can't be 775, even though that actually might make sense in 
some setups. But if you don't want to be able to appoint people with 
write permission, keep it on 755 or less. I think 755 is quite common; 
750, 710 and 700 make sense as well.

HTH,

Peter.

[1] Less permissions, not numerically less. Don't go saying "677 is 
less"! :)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
<http://digitalbrains.com/2012/openpgp-key-peter>
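Two checks for the two failure modes this thread discusses, as an added example script (not code from the post, from GnuPG or from OpenSSH): the first walks ~/.gnupg/sshcontrol and flags any keygrip that is not 40 hex digits or has no matching file in private-keys-v1.d/, which is what Jacques's chopped keygrip would have looked like; the second applies the StrictModes rule quoted from the sshd manpage to the home directory, ~/.ssh and authorized_keys. The sshcontrol layout assumed here (keygrip as the first field, `#` comments, a leading `!` for a disabled entry) and the `private-keys-v1.d/<keygrip>.key` naming follow the GnuPG 2.1 documentation; the `stat` flags are GNU with a BSD fallback. Paths are arguments so both functions can be pointed at any directory.

```shell
#!/bin/sh
# Added example, not part of the original thread, GnuPG or OpenSSH.
# Assumptions: sshcontrol lines are "KEYGRIP [TTL] [FLAGS]", '#' starts a
# comment, a leading '!' disables an entry, and each private key lives in
# $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Validate every keygrip listed in sshcontrol. A keygrip is 40 hex digits and
# must have a matching key file; an entry that fails either test is exactly
# what a truncated or mistyped keygrip looks like to gpg-agent.
# Usage: check_sshcontrol [GNUPGHOME]; returns 0 when all entries are sane.
check_sshcontrol() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    file="$dir/sshcontrol"
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    while read -r grip rest; do
        case "$grip" in ''|'#'*) continue ;; esac   # blank line or comment
        grip=${grip#!}                               # '!' marks a disabled entry
        if [ "${#grip}" -ne 40 ]; then
            echo "bad keygrip length (${#grip}, want 40): $grip"; rc=1; continue
        fi
        case "$grip" in *[!0-9A-Fa-f]*)
            echo "non-hex character in keygrip: $grip"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/private-keys-v1.d/$grip.key" ]; then
            echo "no private key for keygrip $grip"; rc=1
        fi
    done < "$file"
    return $rc
}

# Apply the StrictModes rule from the sshd manpage: the home directory, ~/.ssh
# and authorized_keys must not be writable by group or others. (sshd also
# checks ownership; this only looks at the permission bits.)
# Usage: check_authorized_keys_perms [HOME]; returns 0 when all three pass.
check_authorized_keys_perms() {
    home=${1:-$HOME}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        m=$(mode_of "$p")
        [ -n "$m" ] || { echo "cannot stat $p"; rc=1; continue; }
        # 022 = group-write | other-write; any overlap and sshd ignores the file
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "$p is mode $m: group/other writable, sshd will refuse it unless StrictModes is no"
            rc=1
        fi
    done
    return $rc
}

# Run both checks against the defaults when invoked as: sh gpgssh-check.sh run
if [ "${1:-}" = "run" ]; then
    check_sshcontrol; check_authorized_keys_perms
fi
```

On the server side, run `check_authorized_keys_perms` as the account that cannot log in; on the client, `check_sshcontrol` tells you whether `ssh-add -L` has any chance of listing the key before you look at the sshd log.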