path: root/pages/gpgssh.md
Diffstat (limited to 'pages/gpgssh.md')
-rw-r--r--  pages/gpgssh.md  76
1 files changed, 76 insertions, 0 deletions
diff --git a/pages/gpgssh.md b/pages/gpgssh.md
new file mode 100644
index 0000000..96ab7cb
--- /dev/null
+++ b/pages/gpgssh.md
@@ -0,0 +1,76 @@
+<!--
+title: GnuPG for SSH Authentication
+Description: Using gpg-agent as an alternative to ssh-agent
+author: ahriman
+-->
+
+# Using GPG for SSH Authentication
+
+It's a fairly simply process to have gpg-agent handle your SSH
+authentication. To start off, you'll need to have a private GnuPG key
+generated with an appropriate subkey for authentication. Once that's
+taken care of, open up `~/.gnupg/gpg-agent.conf`
+
+```
+$ cat ~/.gnupg/gpg-agent.conf
+    enable-ssh-support
+    default-cache-ttl 60
+    max-cache-ttl 120
+```
+
+Now you'll need to append the following to `~/.bashrc`, or the appropriate
+rc file for your shell
+
+```
+$ cat ~/.bashrc
+    export GPG_TTY="$(tty)"
+    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+    gpg-connect-agent updatestartuptty /bye > /dev/null
+```
+
+Once that's done, you'll need to let `gpg-agent` know which GnuPG subkey
+to use for SSH authentication. Run the following and copy the keygrip
+associated with the subkey you've generated specifically for authentication.
+Don't use *my* keygrip, however. The output here is just for an example. `GnuPG`
+computes the keygrips from the public key, so nothing here is sensitive
+or private.
+
+```
+$ gpg --with-keygrip -k ben@gbmor.dev
+    pub   rsa4096/0xEAB272409CD12FF0 2018-11-25 [SC]
+        Key fingerprint = 291A AFF7 A291 7DAB 0E01  6B9C EAB2 7240 9CD1 2FF0
+        Keygrip = DE06FAA273017BBD8778F94639611CEF53AB9EBC
+    uid                   [ultimate] Ben Morrison <ben@gbmor.dev>
+    sub   rsa4096/0xF9C3B650612249D9 2018-11-25 [E]
+        Keygrip = 751ADAC109736316B6ABEBB3F2BDF4612F8A630C
+    sub   rsa4096/0x4969E5731CFEB507 2018-11-25 [A]
+        Keygrip = 44D1BDC0C1931E2E018E7CE49CDE14BFB4EA11E3
+    sub   rsa4096/0x8F192E4720BB0DAC 2018-11-25 [S]
+        Keygrip = 240966CBF2791D8C34D0DA646925435FED49F9BF
+```
+
+Now, open `~/.gnupg/sshcontrol` and paste the keygrip into that file.
+It's the keygrip just below the key marked `[A]` for authentication.
+Verify that the correct keygrip has been selected by running these two
+and comparing the output:
+```
+$ ssh-add -L
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
+    KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== cardno:000609861127
+```
+```
+$ gpg --export-ssh-key <keyid>
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
+    KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== openpgp:0x1CFEB507
+```
+The `ssh` output should match the `gpg` output (except maybe the little 
+trailing comment, like here). Also, I've removed most of the public key I'm using as
+an example for brevity's sake. It should be quite a bit longer than this.
+If `ssh` is correct, kill off `gpg-agent`
+```
+$ pkill gpg-agent
+```
+
+Then open up a new terminal and attempt to connect to a server!
+
+[back](/)
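Review bot: the cache settings `+    default-cache-ttl 60` and `+    max-cache-ttl 120` only govern GnuPG passphrase caching, not keys served over the SSH socket; gpg-agent has separate `default-cache-ttl-ssh` and `max-cache-ttl-ssh` options for that, and `sshcontrol` also accepts a per-key TTL in seconds after the keygrip (the line format is `KEYGRIP [TTL] [flags]`), so add one of those if the short cache lifetime is meant to apply to SSH logins as the text implies. Smaller points in the same hunk: `+$ pkill gpg-agent` is better written as `gpgconf --kill gpg-agent`, which shuts the agent down cleanly without pattern-matching on process names; the `<keyid>` placeholder in `+$ gpg --export-ssh-key <keyid>` can simply be the primary key id or fingerprint already shown in the listing, because `--export-ssh-key` picks the newest valid authentication-capable subkey itself (append `!` to a subkey id to force a specific one); the `cardno:` comment in the `ssh-add -L` output shows that the example key lives on a smartcard, which the page never says, so either state that or note that an on-disk key prints a different comment; and "fairly simply process" should read "fairly simple process". The `cat` listings also show the file contents indented by four spaces, which reads as if the indentation were part of the file; showing the lines flush left avoids that.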