GPG Agent for SSH in Gnome
In How to set up your YubiKey NEO I already mentioned that you can also use your YubiKey as an SSH key. In GPG Agent Forwarding I show how to forward your GPG agent to remote machines for decryption/signing. What’s missing is a tutorial on how to make it all work together, i.e. how to use your GPG agent for SSH in Gnome.
This guide covers combining a YubiKey (used as a GPG smart card) with the GPG agent’s SSH support as a replacement for ssh-agent on Ubuntu 18.04 with Gnome. I assume you have already read the article How to set up your YubiKey NEO, set up your YubiKey (or any other smart card) and generated the SSH keys. The guide may well work for other distributions/versions too, but I have tested it only on Ubuntu 18.04 with Gnome. Experience reports or problems can be left in the comment field. If anyone has more useful information, I’d be happy to update this article.
Actually the configuration is quite simple, but it took me a long time to figure out how it works. Here are the steps to take to use the GPG Agent for SSH in Gnome:
- First we have to disable the Gnome keyring. The problem is that the Gnome keyring itself starts an SSH agent and sets the variable $SSH_AUTH_SOCK – overwriting the value set by other agents that are already running. I found the solution to this step here: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components. However, deactivating the autostart was enough for me. I didn’t have to set GSM_SKIP_SSH_AGENT_WORKAROUND.
mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo "Hidden=true" >> ~/.config/autostart/gnome-keyring-ssh.desktop
- The next step is to activate the GPG agent:
echo "use-agent" >> ~/.gnupg/gpg.conf
- Next, enable SSH support for the GPG agent:
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
Then log off (or restart) to be sure that all running services (and agents) are stopped. The next time you log in, $SSH_AUTH_SOCK should point to the GPG agent socket:
echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh
Now you can test if it’s working. Enjoy! 🙂
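The echo commands above append unconditionally, so running the steps a second time leaves duplicate lines in gpg.conf, gpg-agent.conf and the .desktop file. The script below is an added example (not from the original post) that applies the same three steps idempotently and checks whether a given socket path is the GPG agent’s SSH socket; the home directory and the source .desktop file are parameters so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): the three configuration steps
# as idempotent shell functions, plus a check of the resulting socket path.
# Paths are parameters so the functions can be exercised in a scratch directory.

# append_once FILE LINE: append LINE to FILE unless an identical line is already present.
# (A bare `echo ... >> file` adds a duplicate every time it is run.)
append_once() {
  file=$1; line=$2
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# hide_autostart SRC DESTDIR: copy a .desktop entry into the user's autostart
# directory and mark it Hidden=true so Gnome no longer launches it at login.
hide_autostart() {
  src=$1; destdir=$2
  dest="$destdir/$(basename "$src")"
  mkdir -p "$destdir"
  [ -f "$dest" ] || cp "$src" "$dest"
  append_once "$dest" "Hidden=true"
}

# is_gpg_agent_ssh_sock PATH: succeed only if PATH is gpg-agent's SSH socket
# (the Gnome keyring socket lives under .../keyring/ssh instead).
is_gpg_agent_ssh_sock() {
  case "$1" in
    */gnupg/S.gpg-agent.ssh) return 0 ;;
    *) return 1 ;;
  esac
}

# configure_gpg_ssh HOMEDIR DESKTOPFILE: apply all three steps under HOMEDIR.
# Defaults match the post: $HOME and /etc/xdg/autostart/gnome-keyring-ssh.desktop.
configure_gpg_ssh() {
  home=${1:-$HOME}
  desktop=${2:-/etc/xdg/autostart/gnome-keyring-ssh.desktop}
  hide_autostart "$desktop" "$home/.config/autostart"
  append_once "$home/.gnupg/gpg.conf" "use-agent"
  append_once "$home/.gnupg/gpg-agent.conf" "enable-ssh-support"
}

# Only touch the real home directory when explicitly asked to (RUN_CONFIGURE=1).
if [ "${RUN_CONFIGURE:-0}" = 1 ]; then
  configure_gpg_ssh
  echo "Log out and back in, then check the value of \$SSH_AUTH_SOCK"
fi
```

After logging back in, `is_gpg_agent_ssh_sock "$SSH_AUTH_SOCK"` succeeds exactly when the session picked up the GPG agent socket rather than the keyring one.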
The problem I still have is with SSH_AUTH_SOCK. It is still getting set to the socket for the keyring (sometime after my .profile is sourced). I am running Gnome 3.28 but I still tried setting GSM_SKIP_SSH_AGENT_WORKAROUND (both in ~/.pam_environment and in my .profile).
I am currently setting SSH_AUTH_SOCK in my .bashrc. I explicitly start gpg-agent in my .profile (SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent).