blob: c3fb393aab4aca55fa34b232d90e8617394e96a1 (
plain) (
tree)
|
|
<!--
title: GnuPG for SSH Authentication
Description: Using gpg-agent as an alternative to ssh-agent
author: gbmor
-->
# Using GPG for SSH Authentication
It's a fairly simply process to have gpg-agent handle your SSH
authentication. To start off, you'll need to have a private GnuPG key
generated with an appropriate subkey for authentication. Once that's
taken care of, open up `~/.gnupg/gpg-agent.conf`
```
$ cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
```
Now you'll need to append the following to `~/.bashrc`, or the appropriate
rc file for your shell
```
$ cat ~/.bashrc
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye > /dev/null
```
Once that's done, you'll need to let `gpg-agent` know which GnuPG subkey
to use for SSH authentication. Run the following and copy the keygrip
associated with the subkey you've generated specifically for authentication.
Don't use *my* keygrip, however. The output here is just for an example. `GnuPG`
computes the keygrips from the public key, so nothing here is sensitive
or private.
```
$ gpg --with-keygrip -k ben@gbmor.dev
pub rsa4096/0xEAB272409CD12FF0 2018-11-25 [SC]
Key fingerprint = 291A AFF7 A291 7DAB 0E01 6B9C EAB2 7240 9CD1 2FF0
Keygrip = DE06FAA273017BBD8778F94639611CEF53AB9EBC
uid [ultimate] Ben Morrison <ben@gbmor.dev>
sub rsa4096/0xF9C3B650612249D9 2018-11-25 [E]
Keygrip = 751ADAC109736316B6ABEBB3F2BDF4612F8A630C
sub rsa4096/0x4969E5731CFEB507 2018-11-25 [A]
Keygrip = 44D1BDC0C1931E2E018E7CE49CDE14BFB4EA11E3
sub rsa4096/0x8F192E4720BB0DAC 2018-11-25 [S]
Keygrip = 240966CBF2791D8C34D0DA646925435FED49F9BF
```
Now, open `~/.gnupg/sshcontrol` and paste the keygrip into that file.
It's the keygrip just below the key marked `[A]` for authentication.
Verify that the correct keygrip has been selected by running these two
and comparing the output:
```
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== cardno:000609861127
```
```
$ gpg --export-ssh-key <keyid>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== openpgp:0x1CFEB507
```
The `ssh` output should match the `gpg` output (except maybe the little
trailing comment, like here). Also, I've removed most of the public key I'm using as
an example for brevity's sake. It should be quite a bit longer than this.
If `ssh` is correct, kill off `gpg-agent`
```
$ pkill gpg-agent
```
Then open up a new terminal and attempt to connect to a server!
[back](/)
|