@Ferdy89
Last active November 11, 2022 10:23
Enable SSH support on the GPG Agent on Ubuntu

In theory, enabling SSH support in the gpg-agent is as simple as passing the --enable-ssh-support option when the agent starts. However, this is tricky on Ubuntu (and probably many other Linux systems) because the gpg-agent is constantly relaunched. It is trickier still on a machine we don't want to modify much, for example by disabling the classic ssh-agent.

Here's how I solved it:

  • First, ensure the smart card daemon (scdaemon) is installed on the system.

  • Enable SSH support for the gpg-agent every time it starts. While this is a system modification, it's a mild one and easy to revert. This is accomplished with the command:

    ```sh
    echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
    ```

  • Then, kill the gpg-agent manually. It'll be restarted automatically and pick up the new option:

    ```sh
    # Maybe this works
    gpgconf --kill gpg-agent

    # Otherwise, go hard
    kill $(pgrep gpg-agent)

    # Ensure the gpg-agent picks up the card info
    gpg --card-status
    ```

  • Finally, have the SSH client point to the gpg-agent when looking for keys, instead of the traditional ssh-agent. This will only affect the current shell, so it won't affect the system beyond that. It's accomplished by rewiring the following environment variable:

    ```sh
    # Quoted so a socket path containing spaces is not word-split
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

    # Verify the new SSH key is available to use
    ssh-add -L
    ```

And that's it! If you have an authentication GPG subkey on a smartcard, you can now use that to connect through SSH.

Not working? Try:

```sh
# List your keygrips
gpg --list-secret-keys --with-keygrip

# Add keygrip to ~/.gnupg/sshcontrol
```

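The troubleshooting step above, as an added example that is not part of the original gist: it picks the keygrip of the authentication-capable key out of gpg's colon-format listing and adds it to sshcontrol only once. The function names, the optional file argument and the sample listing (key IDs and keygrips) are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the gist): find authentication keygrips in gpg's
# machine-readable listing and register them in sshcontrol exactly once.

# Reads `gpg --list-secret-keys --with-keygrip --with-colons` output on stdin.
# Field 12 of a sec/ssb record holds that key's own capabilities in lower
# case ("a" = authentication); field 2 is validity ("r" revoked, "e" expired).
# The keygrip is field 10 of the grp record that follows the key record.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = ($12 ~ /a/ && $2 !~ /^[re]$/) }
        $1 == "grp" && want        { print $10; want = 0 }
    '
}

# Appends a keygrip to an sshcontrol file unless it is already listed as an
# enabled entry. The optional second argument (file path) is an assumption
# of this example so it can be pointed at a scratch file.
add_to_sshcontrol() {
    grip=$1
    file=${2:-$HOME/.gnupg/sshcontrol}
    # A keygrip is 40 hex digits; refuse anything else.
    case $grip in ''|*[!0-9A-Fa-f]*) return 2 ;; esac
    [ "${#grip}" -eq 40 ] || return 2
    touch "$file" && chmod 600 "$file" || return 1
    grep -qi "^$grip" "$file" || printf '%s\n' "$grip" >> "$file"
}

# Constructed sample listing, trimmed to the record types the parser reads:
# a sign/certify primary key, an encryption subkey, an expired
# authentication subkey and a valid authentication subkey.
SAMPLE_COLONS='sec:u:255:22:1111111111111111:1600000000:::u:::scESCA:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:255:18:2222222222222222:1600000000::::::e:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
ssb:e:255:22:4444444444444444:1500000000:1550000000:::::a:
grp:::::::::00112233445566778899AABBCCDDEEFF00112233:
ssb:u:255:22:3333333333333333:1600000000::::::a:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Real use, against the local keyring:
#   gpg --list-secret-keys --with-keygrip --with-colons | auth_keygrips |
#       while read -r g; do add_to_sshcontrol "$g"; done
#   ssh-add -L
```

Filtering on the lowercase capability letter matters because the primary key's capability field also carries uppercase letters summarising the whole key, which would otherwise select the wrong keygrip.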

sheeceg commented Nov 11, 2022

Hi, I get the following. Any pointers on how to fix it?

```
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```
