SSH_AUTH_SOCK - to set or not to set?

theaetetos at tutanota.com theaetetos at tutanota.com
Wed Jun 22 18:34:45 CEST 2022


Hello,

I have trouble understanding the socket aspect of the ssh support in
GnuPG. I use the following setup (only including the relevant lines):

---

*FILE: ~/.profile
export GNUPGHOME="$XDG_DATA_HOME"/gnupg
GPG_TTY="$(tty)"; export GPG_TTY
# unset SSH_AGENT_PID
# export SSH_AUTH_SOCK="$GNUPGHOME"/S.gpg-agent.ssh

*FILE:"$GNUPGHOME"/gpg-agent.conf
enable-ssh-support
#(other options skipped)

*FILE: window manager init script
gpgconf --launch gpg-agent

---

If I leave the ssh unset/export lines commented out in the ~/.profile
file, SSH_AUTH_SOCK ends up unset and I cannot use the gpg-agent
as my ssh-agent.

On page 14 of the GnuPG Manual (version 2.3.3, October 2021), under
2.5 Examples, we read that if we enable the support for the ssh-agent,
we also need to tell ssh about it by adding the following snippet to
our init script:

unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

I don't understand the condition being checked, but I gather the whole
thing is simply a more robust version of my ~/.profile two-liner.

Meanwhile, the first sentence of the gpg-agent(1) man page for the
--enable-ssh-support option, which I set in my gpg-agent.conf, tells
us: The OpenSSH Agent protocol is always enabled, but gpg-agent will
only set the SSH_AUTH_SOCK variable if this flag is given.


So should 'SSH_AUTH_SOCK' be set by the user or can gpg-agent indeed
take care of that?

Best,
Patrizio
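
An added example, not part of the original post and not GnuPG's own code: a small diagnostic for the setup described above that reports which socket ssh would use and evaluates the same PID test as the manual snippet. The function names and state labels are assumptions made for this illustration; only `gpgconf --list-dirs agent-ssh-socket` and the two variable names come from the post.

```shell
# Added example (hypothetical helper names); source this file, do not execute it,
# because $$ must be the PID of the shell you want to inspect.

# classify_ssh_auth_sock CURRENT EXPECTED
#   CURRENT  = value of SSH_AUTH_SOCK (may be empty)
#   EXPECTED = path printed by: gpgconf --list-dirs agent-ssh-socket
classify_ssh_auth_sock() {
    current=$1
    expected=$2
    if [ -z "$current" ]; then
        echo unset                      # ssh has no agent to talk to
    elif [ "$current" != "$expected" ]; then
        echo other-socket               # some other agent, or a stale path
    elif [ ! -S "$current" ]; then
        echo gpg-agent-socket-missing   # right path, but no socket there yet
    else
        echo gpg-agent
    fi
}

# needs_export SET_BY SHELL_PID
# The manual's test. When the agent is started as "gpg-agent --daemon /bin/sh",
# it exports SSH_AUTH_SOCK into that shell and records the shell's PID in
# gnupg_SSH_AUTH_SOCK_by. Only in that shell do the two numbers match, so
# every other shell has to export the socket path itself.
needs_export() {
    [ "${1:-0}" -ne "$2" ]
}

# report_ssh_agent: apply both checks to the live environment.
report_ssh_agent() {
    expected=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    state=$(classify_ssh_auth_sock "${SSH_AUTH_SOCK:-}" "$expected")
    echo "SSH_AUTH_SOCK:        ${SSH_AUTH_SOCK:-<unset>} ($state)"
    echo "gpg-agent ssh socket: $expected"
    if needs_export "${gnupg_SSH_AUTH_SOCK_by:-0}" "$$"; then
        echo "shell not started by gpg-agent: SSH_AUTH_SOCK must be exported here"
    else
        echo "shell started by gpg-agent: SSH_AUTH_SOCK was inherited"
    fi
}
```

After sourcing the file, `report_ssh_agent` prints the current state for the shell it is called from.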


