Enable GPG SSH Feature
gpg-agent can act as an SSH agent, so OpenSSH can authenticate with a key held by GnuPG. This section walks through enabling that support on the GnuPG side.
Create Authenticate Subkey
SSH needs a subkey with the "Authenticate" capability (shown with the [A] label in gpg listings). If you do not have one yet, create one first (for example with gpg --edit-key and the addkey command) before continuing.
Create/Update gpg-agent configuration File
Next, add the enable-ssh-support option to the gpg-agent.conf file in your ~/.gnupg directory. If the file does not exist, the following command creates it:
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
The option only takes effect once gpg-agent is restarted, which is covered in the last step.
Declare Subkey for SSH Usage
Next, tell gpg-agent which subkey SSH is allowed to use. gpg-agent only exposes keys listed in its sshcontrol file, so this takes a few steps.
Obtain the Subkey Keygrip ID
First obtain the keygrip of the authentication-capable subkey. The keygrip is GnuPG's internal identifier for a key and is what sshcontrol expects (not the key ID or fingerprint). List your secret keys with keygrips:
$ gpg --list-secret-keys --with-keygrip
...
ssb ed25519 2020-01-13 [A]
Keygrip = 8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD
From the example above, the keygrip ID is 8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD. Take the Keygrip line printed directly under the ssb entry marked [A], not the one belonging to the primary key or to a signing or encryption subkey.
Insert Keygrip ID into SSHControl File
Now add the keygrip to the ~/.gnupg/sshcontrol file, one keygrip per line (lines starting with # are comments). Use a text editor or the following command:
echo "<keygrip>" >> ~/.gnupg/sshcontrol
With the keygrip from the example above:
echo "8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD" >> ~/.gnupg/sshcontrol
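As an added example (not part of the original guide), the following POSIX shell script automates the two configuration-file steps above: it adds enable-ssh-support to gpg-agent.conf once, extracts the keygrip of every [A] subkey from gpg's machine-readable listing (gpg --list-secret-keys --with-colons --with-keygrip, which is easier to parse reliably than the human-readable output shown above), and appends each keygrip to sshcontrol without creating duplicates. The gpg listing embedded in the script is constructed sample data with made-up key IDs and keygrips, and a temporary directory stands in for ~/.gnupg; to run it against a real keyring, pipe the real gpg command into setup_ssh_support "$HOME/.gnupg".

```shell
#!/bin/sh
# Added example: idempotent setup of gpg-agent's SSH support for every
# authentication-capable ([A]) secret subkey.

# Print the keygrips of [A]-capable keys from `gpg --list-secret-keys
# --with-colons --with-keygrip` output read on stdin. In that format a key
# record (sec/ssb) carries its own capabilities in field 12 (lowercase "a" =
# authenticate) and is followed by a grp record whose field 10 is the keygrip.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = (index($12, "a") > 0) }
        $1 == "grp" && want       { print $10; want = 0 }
    '
}

# Append a line to a file only if it is not already present (exact match).
# Creates the file with owner-only permissions when it is missing.
append_once() {  # file line
    [ -f "$1" ] || ( umask 077; : > "$1" )
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# A keygrip is the SHA-1 of the public key: exactly 40 hexadecimal characters.
is_keygrip() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Register every keygrip read on stdin (one per line) in an sshcontrol file.
# Returns 1 if any input line is not a well-formed keygrip.
register_keygrips() {  # sshcontrol_file
    rc=0
    while IFS= read -r grip; do
        if is_keygrip "$grip"; then
            append_once "$1" "$grip"
        else
            printf 'skipping malformed keygrip: %s\n' "$grip" >&2
            rc=1
        fi
    done
    return $rc
}

# Wire everything up in a GnuPG home directory: enable the SSH socket in
# gpg-agent.conf and register the [A] keygrips from the listing on stdin.
setup_ssh_support() {  # gnupg_home
    append_once "$1/gpg-agent.conf" "enable-ssh-support"
    auth_keygrips | register_keygrips "$1/sshcontrol"
}

# Constructed sample of `gpg --list-secret-keys --with-colons --with-keygrip`
# output: a cert-only primary key, one [S] subkey and one [A] subkey. All key
# IDs, fingerprints and keygrips are made up for this example.
SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1578873600:::u:::cESCA:::+:::ed25519:::0:
fpr:::::::::0000000000000000000000000000000000000000:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1578873600::DEADBEEF::Example User <user@example.com>::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1578873600::::::s:::+:::ed25519::
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:22:0011223344556677:1578873600::::::a:::+:::ed25519::
grp:::::::::3333333333333333333333333333333333333333:'

# Demo against a throwaway directory standing in for ~/.gnupg. Running the
# setup twice shows that nothing is duplicated.
demo_home="$(mktemp -d)"
printf '%s\n' "$SAMPLE_LISTING" | setup_ssh_support "$demo_home"
printf '%s\n' "$SAMPLE_LISTING" | setup_ssh_support "$demo_home"
cat "$demo_home/gpg-agent.conf" "$demo_home/sshcontrol"
rm -rf "$demo_home"
```

Only the [A] subkey's keygrip (the one ending in 3333) ends up in sshcontrol; the primary key and the signing subkey are skipped because the capability check is case-sensitive and looks at each key's own lowercase flags, not the uppercase summary on the primary key record.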
Launch GPG Agent and Declare SSH_AUTH_SOCK Socket
Once that is done, make sure gpg-agent is running and point SSH_AUTH_SOCK at gpg-agent's SSH socket before any SSH command runs. gpg-agent speaks the ssh-agent protocol itself, so do not start a separate ssh-agent: eval "$(ssh-agent -s)" would overwrite SSH_AUTH_SOCK with its own socket and SSH would never see the GnuPG key. The socket path reported by gpgconf is stable across sessions, so no symlink juggling is needed either. Put the following in your ~/.bashrc or equivalent file:
# Tell gpg-agent which terminal to use for PIN and passphrase prompts
export GPG_TTY="$(tty)"
# Start gpg-agent if it is not running yet (a no-op otherwise)
gpgconf --launch gpg-agent
# Use gpg-agent's SSH socket instead of a separate ssh-agent. The check on
# gnupg_SSH_AUTH_SOCK_by comes from the gpg-agent manual: it skips the export
# when gpg-agent itself started this shell (gpg-agent --daemon <shell>) and
# has already set SSH_AUTH_SOCK.
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
# Make pinentry appear on this terminal rather than the one the agent was started from
gpg-connect-agent updatestartuptty /bye > /dev/null
Restart Your GnuPG Agent
New shells pick up the configuration automatically. To apply it to the current session, stop gpg-agent (and any ssh-agent left over from an earlier setup) and source your ~/.bashrc or equivalent file again:
$ gpgconf --kill gpg-agent
$ eval "$(ssh-agent -k)" 2> /dev/null
$ source ~/.bashrc
Then confirm that SSH sees the key: ssh-add -L should list one entry for the [A] subkey. The same public key in authorized_keys format can be exported with gpg --export-ssh-key <key ID> for installation on remote hosts.
That's all about enabling SSH to use GnuPG keys.