gpg-agent and ~/.ssh/config IdentityFile

Peter Lebbing peter at
Mon Jul 4 13:36:13 CEST 2016

On 04/07/16 10:10, Muri Nicanor wrote:
> if i use gpg-agent with ssh-support, is there a way to use the
> IdentityFile option in ~/.ssh/config? When using ssh-agent i can point
> IdentityFile to the corresponding private key, but i don't know how i
> could do that using gpg-agent (esp. if the key is on card ;))

Are you talking about restricting the keys available for 
authentication? Because just using IdentityFile does not do that, as 
can be concluded from this part of the man page:

>      IdentityFile
>              Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
>              authentication identity is read.  The default is ~/.ssh/identity
>              for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
>              ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.  Addi‐
>              tionally, any identities represented by the authentication agent
>              will be used for authentication unless IdentitiesOnly is set.
>              [...]

Note that last sentence.

This documented behaviour is indeed working for me, as you can see in 
this example session:

> $ ssh mscrabtree
> Permission denied (publickey).

Correct: my agent does not have the necessary key.

> $ ssh butters
> Linux butters [...]
> [...]
> peter at butters:~$ logout
> Connection to butters closed.

Correct: my agent does have the key for that host.

> $ echo 'IdentityFile /home/peter/.ssh/test_id' | cat - ~/.ssh/config >~/.ssh/config.tmp; mv ~/.ssh/config.tmp ~/.ssh/config

Adding the necessary config option you are asking about. Since it needs 
to go before any Host-specific config in there, I'm prepending it so it 
is the first line in the file.

> $ ssh mscrabtree
> Enter passphrase for key '/home/peter/.ssh/test_id': 
> The programs included with the Debian GNU/Linux system are free software;
> [...]
> peter at mscrabtree:~$ logout
> Connection to mscrabtree closed.

Ah, I can log in, but not through the agent. It's the ssh program which 
is prompting me for the password. Since the agent doesn't have this 
key, only the ssh program knows about it. All as I would expect.

> $ ssh butters
> Linux butters [...]
> [...]
> peter at butters:~$ logout
> Connection to butters closed.

And again as expected. Per the documentation, the keys from the agent 
are also still available, even with added identities through 

So at least for me, it's functioning as I would expect it would after 
reading the documentation. I get the sense you're interested in a 
different configuration, one with IdentitiesOnly as well. Another 
possibility is that you are using a different OpenSSH version with 
different configuration options. I'm using:

> $ ssh -V
> OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1t  3 May 2016

My GnuPG is the Debian package 2.1.11-7.

So can you clarify what it is you want to accomplish?



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list