In theory, enabling SSH support on the gpg-agent is as simple as passing the `--enable-ssh-support` option to `gpg-agent` when it starts. However, this is tricky on Ubuntu (and probably on many other Linux systems) because the `gpg-agent` is constantly relaunched. If we're on a machine we don't want to modify too much (such as by disabling the classic `ssh-agent`), this is even trickier.

Here's how I solved it:
- First, ensure the SmartCard Daemon (`scdaemon`) is installed on the system.
- Enable SSH support for the `gpg-agent` every time it starts. While this is a system modification, it's a mild one and easy to revert. It's accomplished with the command:

  ```sh
  echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
  ```
- Then, kill the `gpg-agent` manually. It'll be restarted automatically and pick up the new option:

  ```sh
  # Maybe this works
  gpgconf --kill gpg-agent
  # Otherwise, go hard
  kill $(pgrep gpg-agent)
  # Ensure the gpg-agent picks up the card info
  gpg --card-status
  ```
- Finally, have the SSH client point to the `gpg-agent` when looking for keys, instead of the traditional `ssh-agent`. This will only affect the current shell, so it won't affect the system beyond that. It's accomplished by rewiring the following environment variable:

  ```sh
  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  # Verify the new SSH key is available to use
  ssh-add -L
  ```
And that's it! If you have an authentication GPG subkey on a smartcard, you can now use it to connect through SSH.

Not working? Try:

```sh
# List your keygrips
gpg --list-secret-keys --with-keygrip
# Add the keygrip to ~/.gnupg/sshcontrol
```
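The steps above, plus the keygrip fallback, as a set of re-runnable shell functions. This is an added example, not code from the original post; it assumes the standard `~/.gnupg` layout (or `$GNUPGHOME`) and that `gpgconf --list-components` is available to check for `scdaemon`. The plain `echo >>` from the post appends a duplicate line every time it is run, so the helper below only appends when the line is missing.

```sh
# ensure_line FILE LINE: append LINE to FILE only if it is not already there,
# so re-running the setup does not pile up duplicate config lines.
ensure_line() {
  file=$1
  line=$2
  mkdir -p "$(dirname "$file")"
  [ -f "$file" ] || : > "$file"
  if ! grep -qxF -- "$line" "$file"; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# gpg_ssh_setup: the three steps from the post, with checks. Source this file
# and call the function, since the SSH_AUTH_SOCK export must land in your shell.
gpg_ssh_setup() {
  gnupghome=${GNUPGHOME:-$HOME/.gnupg}

  # Step 1: scdaemon must be present, or the card will never be seen
  # (assumption: gpgconf lists it as a component named "scdaemon").
  if ! gpgconf --list-components | grep -q '^scdaemon:'; then
    echo "scdaemon is not installed; install it first" >&2
    return 1
  fi

  # Step 2: enable SSH support persistently, then restart the agent so it
  # reads the option. --kill is the clean way; fall back to a plain kill.
  ensure_line "$gnupghome/gpg-agent.conf" enable-ssh-support
  gpgconf --kill gpg-agent 2>/dev/null || kill "$(pgrep gpg-agent)" 2>/dev/null
  gpg --card-status >/dev/null || { echo "no OpenPGP card detected" >&2; return 1; }

  # Step 3: point this shell's SSH client at the agent's SSH socket.
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  export SSH_AUTH_SOCK
  ssh-add -L   # should list the card's authentication key
}

# allow_keygrip KEYGRIP: the "not working?" fix, adding a keygrip to sshcontrol
# exactly once (keygrips come from: gpg --list-secret-keys --with-keygrip).
allow_keygrip() {
  ensure_line "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol" "$1"
}
```

After sourcing, `gpg_ssh_setup` performs the whole procedure and `allow_keygrip <keygrip>` applies the fallback; both are safe to run repeatedly.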
Hi, I get the following; any pointers on how to fix it?

```
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```