Enable GPG SSH Feature

Create Authenticate Subkey

You need a subkey with the "Authenticate" capability (shown with the "[A]" label in key listings) for SSH to use. If you do not have one yet, create it before continuing.

Create/Update gpg-agent Configuration File

The next thing to do is to configure the gpg-agent.conf file inside your ~/.gnupg directory. If the file is missing, you need to create it. You may use the following command, which appends the option and creates the file if it does not exist:

echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

Declare Subkey for SSH Usage

Next, declare that the subkey is to be used for SSH. This takes several steps.

Obtain the Subkey Keygrip ID

You first need to obtain the keygrip ID of the authentication-capable subkey. To do that, use the following command:

$ gpg --list-secret-keys --with-keygrip
...
ssb   ed25519 2020-01-13 [A]
      Keygrip = 8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD

From the example above, the keygrip ID is: 8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD.


Insert Keygrip ID into SSHControl File

The next step is to insert the Keygrip ID into the ~/.gnupg/sshcontrol file. You can use the following command or a text editor to insert it:

echo "<key ID>" >> ~/.gnupg/sshcontrol

From the example above:

echo "8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD" >> ~/.gnupg/sshcontrol

Launch GPG Agent and Declare SSH_AUTH_SOCK Socket

Once everything is done, you need to launch the GPG agent and export the SSH_AUTH_SOCK environment variable before any SSH agent initialization. You can do that easily inside your ~/.bashrc or equivalent file:

# gpg-agent: launch it and point SSH at its SSH-protocol socket
gpgconf --launch gpg-agent
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

# ssh agent: (re)start it only when the stable socket symlink is missing or stale
ssh_socket_path="${HOME}/.ssh/ssh_auth_sock"
if [ ! -S "$ssh_socket_path" ]; then
        eval "$(ssh-agent -k 2> /dev/null)" 2> /dev/null
        unlink "$ssh_socket_path" 2> /dev/null
        rm -f "$ssh_socket_path" 2> /dev/null
        # note: ssh-agent -s re-exports SSH_AUTH_SOCK to the new ssh-agent socket for this session
        printf "[ INFO ] SSH " && eval "$(ssh-agent -s)"
        ln -sf "$SSH_AUTH_SOCK" "$ssh_socket_path"
fi
unset ssh_socket_path

Restart Your GnuPG Agent and SSH Agent

Your next shell instance will have SSH talking to the GnuPG agent. Of course, you can also kill both gpg-agent and ssh-agent in the current session and source your ~/.bashrc or equivalent file again. To restart both agents, use the following commands:

$ eval "$(ssh-agent -k 2> /dev/null)" 2> /dev/null
$ unlink ~/.ssh/ssh_auth_sock 2> /dev/null
$ rm -f ~/.ssh/ssh_auth_sock 2> /dev/null
$ gpgconf --kill gpg-agent
$ source ~/.bashrc
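The whole procedure above gathered into one script, as an added example that is not part of the original page: it extracts the keygrip of the authentication subkey from gpg's machine-readable colon output instead of reading it by eye, adds the two configuration lines without duplicating them on re-runs, restarts gpg-agent and checks with ssh-add -L that the key is actually offered over the SSH agent protocol. The file paths are the page's (~/.gnupg/gpg-agent.conf and ~/.gnupg/sshcontrol); the sample listing embedded for the offline check is constructed, with its keygrip reusing the page's example value.

```shell
#!/bin/sh
# Added example, not part of the original page: automates the steps above.
# Assumptions: GNUPGHOME defaults to ~/.gnupg (as on the page); the sample
# listing below is constructed and its keygrip is the page's example value.

# Constructed sample of `gpg --list-secret-keys --with-keygrip --with-colons`:
# a primary [SC] key, a signing subkey and an authentication subkey.
sample_listing() {
    cat <<'EOF'
sec:u:255:22:0123456789ABCDEF:1578873600:::u:::scESCA::+::ed25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
ssb:u:255:22:FEDCBA9876543210:1578873600::::::s::+::ed25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:255:22:1122334455667788:1578873600::::::a::+::ed25519::
fpr:::::::::1122334455667788112233445566778811223344:
grp:::::::::8B1A83DCEDC34A23AED9DC23C20E6B7C5CA40CD:
EOF
}

# Read colon-format output on stdin and print the keygrip of the first
# authentication-capable secret subkey. In this format field 1 is the record
# type, field 12 of an "ssb" record lists the key's own capabilities ("a" =
# authenticate) and field 10 of the following "grp" record is its keygrip.
auth_keygrip() {
    awk -F: '
        $1 == "ssb" { want = (index($12, "a") > 0) }
        $1 == "grp" && want { print $10; exit }
    '
}

# Append a line to a file unless an identical line is already there, so the
# script can be re-run without duplicating configuration entries.
ensure_line() {
    line=$1
    file=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Apply the page's steps to the real key ring, then verify by asking the
# agent (via the SSH agent protocol) which keys it offers.
setup_gpg_ssh() {
    gnupghome=${GNUPGHOME:-$HOME/.gnupg}
    keygrip=$(gpg --list-secret-keys --with-keygrip --with-colons | auth_keygrip)
    if [ -z "$keygrip" ]; then
        echo "no authentication-capable [A] subkey found; create one first" >&2
        return 1
    fi
    ensure_line "enable-ssh-support" "$gnupghome/gpg-agent.conf"
    ensure_line "$keygrip" "$gnupghome/sshcontrol"
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    echo "keygrip $keygrip registered; keys offered by gpg-agent:"
    ssh-add -L
}

# Only touch the real key ring when explicitly asked: sh gpg-ssh.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_gpg_ssh
fi
```

Run it as sh gpg-ssh.sh apply to change the real key ring; without the argument it only defines the functions. Because the export happens inside a child process, the SSH_AUTH_SOCK line still belongs in ~/.bashrc as shown above for it to persist across sessions.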

That's all about enabling SSH to use GnuPG keys.