Cannot export SSH public key

Werner Koch wk at
Wed Nov 22 13:57:03 CET 2023

On Wed, 22 Nov 2023 19:39, Felix E. Klee said:

> However, I could not log in.  SSH reports:
>     Permission denied (publickey).

You need to make sure that the gpg-agent is running and the
SSH_AUTH_SOCK envvar is set correctly.  Here is the snippet from by

--8<---------------cut here---------------start------------->8---
# Setup information required by GnuPG and ssh.  We use the
# standard socket in GnuPG's homedir, thus there is no need for an
# environment variable.  We reset any left over envvar.
# SSH_AGENT_PID should not be set either because it is only used
# to kill ssh-agent (option -k) but we don't want this to kill
# gpg-agent.  Because ssh does not know about GnuPG's homedir we
# need to set its envvar to the standard gpg-agent.  GPG_TTY needs
# to be set to the current TTY.  The extra test is used to avoid
# setting SSH_AUTH_SOCK if gpg-agent has been started with a
# shell on the command line (often used for testing).
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export GPG_TTY=$(tty)
--8<---------------cut here---------------end--------------->8---

In case you are switching to a different X server etc, you may need to

  gpg-connect-agent updatestartuptty /bye

once.  This will also make sure that the agent is launched.

Although gpg-agent by default creates the socket for the ssh-agent
protocol, some distros have a pecularity that they look into
~/.gnupg/gpg-agent.conf and check whether there is a
"enable-ssh-support" option set.  If not they don't set the envvar (as
above) or do their necessary systemd stuff to create the socket.

> I then tried exporting the key using `ssh-add`:
>     ssh-add -L >~/.ssh/

ssh-add should have connected to gpg-agent and exported the ssh public
keys it knows.  You don't need to put this into  I use 

> Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
> tied to my authentication key! I noticed this because I replaced the
> authentication key. They key exported by `ssh-add` did not change. I can

What is in your ~/.gnupg/sshcontrol file?  It should list the keygrips
of the keys to be used for ssh.

  gpg -k --with-keygrip yubikey at

Instead of putting this into sshcontrol you may also put them into the
private-keys-v1.d/<KEYGRIP>.key file with a line:

  Use-for-ssh: yes

FWIW, you may also use

  Label: My pink token

to have a nicer prompt.

> Should I better use the authentication key exported by GPG for SSH? But
> how to make that work?

  gpg --export-ssh-key

Adds a comment with the keyid - is that one correct?  Does it match what
you see with

  ssh-add -L

(or ssh-add -l)?



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list