GPG Agent for SSH in Gnome
In How to set up your YubiKey NEO I already mentioned that you can also use your YubiKey as SSH key. In GPG Agent Forwarding I show how to forward your GPG agent to remote machines for decryption/signing. What’s missing is a tutorial on how to make it all work together, how to use your GPG Agent for SSH in Gnome.
Prerequisites
This manual covers combining a YubiKey (used as a GPG smart card) with the GPG agent's SSH support as an ssh-agent replacement on Ubuntu 18.04 with Gnome. I assume you have already read the article How to set up your YubiKey NEO, set up your YubiKey (or any other smart card) and generated the SSH keys. The manual may well work for other distributions/versions too, but I have tested it exclusively on Ubuntu 18.04 with Gnome. Experience reports or problems can be left in the comment field. If anyone has more useful information, I'd be happy to update this article.
Setup
Actually the configuration is quite simple, but it took me a long time to figure out how it works. Here are the steps to take to use the GPG Agent for SSH in Gnome:
- First we have to disable the Gnome keyring's SSH component. The problem is that the Gnome keyring itself starts an SSH agent and sets the variable $SSH_AUTH_SOCK, overwriting the value set by other agents that are already running. I found the solution to this step here: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components. However, deactivating the autostart was enough for me. I didn't have to set GSM_SKIP_SSH_AGENT_WORKAROUND.
mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo "Hidden=true" >> ~/.config/autostart/gnome-keyring-ssh.desktop
- The next step is to activate the GPG agent:
echo "use-agent" >> ~/.gnupg/gpg.conf
- Next, enable SSH support for the GPG agent:
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
Then log off (or restart) to be sure that all running services (and agents) are stopped. The next time you log in, $SSH_AUTH_SOCK should point to the GPG agent's SSH socket:
echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh
Now you can test if it’s working. Enjoy! 🙂
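The three steps above, collected into a re-runnable shell script. This is an added example, not the original post's commands: every configuration line is appended only if it is not already present, so running the script twice does not leave duplicate "use-agent" or "enable-ssh-support" entries, and the last function is the post-login check that $SSH_AUTH_SOCK really is gpg-agent's SSH socket (compared against what gpgconf --list-dirs agent-ssh-socket reports). The function names and the "apply" argument that makes the script touch the real paths are my own; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example: idempotent version of the GPG-agent-for-SSH setup steps.
# Function and argument names are this example's own, not gnupg/Gnome tooling.

# Append a line to a file only if that exact line is not already in it.
append_once() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Step 1: copy the keyring's SSH autostart entry into the user's autostart
# directory and mark it Hidden=true so Gnome no longer launches it.
# $1 = system .desktop file, $2 = user autostart directory.
disable_keyring_ssh() {
    src="$1"; dst_dir="$2"
    mkdir -p "$dst_dir"
    dst="$dst_dir/$(basename "$src")"
    [ -f "$dst" ] || cp "$src" "$dst"
    append_once "$dst" "Hidden=true"
}

# Steps 2 and 3: switch gpg to the agent and enable the agent's SSH support.
# $1 = GnuPG home directory.
configure_gpg_agent() {
    gnupg_dir="$1"
    append_once "$gnupg_dir/gpg.conf" "use-agent"
    append_once "$gnupg_dir/gpg-agent.conf" "enable-ssh-support"
    chmod 700 "$gnupg_dir"   # gpg warns about (and may ignore) a world-readable home
}

# Post-login check: does SSH_AUTH_SOCK point at gpg-agent's SSH socket?
# $1 = current value of SSH_AUTH_SOCK, $2 = path gpgconf reports for the socket.
# Returns 0 when they match, 1 when the variable is empty or points elsewhere
# (for instance still at the Gnome keyring socket).
agent_socket_is_gpg() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Only touch the real files when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    disable_keyring_ssh /etc/xdg/autostart/gnome-keyring-ssh.desktop "$HOME/.config/autostart"
    configure_gpg_agent "$HOME/.gnupg"
    echo "Configured. Log out and back in, then verify with:"
    echo '  agent_socket_is_gpg "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)"'
fi
```

Run it as "sh setup-gpg-ssh.sh apply", log out and in again, and then source the script and call agent_socket_is_gpg as printed; a non-zero return means something else (the keyring, or an ssh-agent started from Xsession) has set the variable after gpg-agent did.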
6 COMMENTS
The problem I still have is with SSH_AUTH_SOCK. It is still getting set to the socket for the keyring (sometime after my .profile is sourced). I am running Gnome 3.28, but I still tried setting GSM_SKIP_SSH_AGENT_WORKAROUND (both in ~/.pam_environment and in my .profile).
I am currently setting SSH_AUTH_SOCK in my .bashrc. I explicitly start gpg-agent in my .profile (SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent).
Could you please try to disable the "use-ssh-agent" option in /etc/X11/Xsession.options? Does it work for you then?
Thank you very much for the well described procedure. Unfortunately, it wasn’t working for me at first. On stackoverflow someone had the same problem and the proposed solution was working for me, too.
https://stackoverflow.com/questions/47607363/cant-use-gpg-agent-as-an-ssh-agent
You have to add the keygrip of your authentication subkey into "~/.gnupg/sshcontrol".
It can be displayed with "gpg -K --with-keygrip".
Also very many thanks to Ron from stackoverflow for this solution!
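The keygrip step from the comment above, as an added example that is part of neither the post nor the comment: rather than reading the keygrip off the screen, the script takes gpg's machine-readable listing (gpg -K --with-keygrip --with-colons, in which a key record's capabilities sit in field 12 and the "grp" record that follows it carries the keygrip in field 10), selects the key whose own capabilities include "a" (authentication) and appends its keygrip to sshcontrol unless it is already listed. The embedded listing is constructed, with made-up key ids, fingerprints and keygrips, so the script can be tried without a card; the function names and the "apply" argument are mine.

```shell
#!/bin/sh
# Added example: select the authentication key's keygrip from gpg's colon
# output and register it in sshcontrol. Names here are this example's own.

# Print the keygrip of every sec/ssb record whose capabilities (field 12)
# contain a lowercase "a". Reads the colon-format listing from stdin.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = index($12, "a") > 0; next }
        $1 == "grp" && want       { print $10; want = 0 }
    '
}

# Append each keygrip read from stdin to the sshcontrol file ($1), skipping
# grips that are already present (entries may carry a trailing TTL field,
# so only the start of the line is compared).
add_to_sshcontrol() {
    ctl="$1"
    mkdir -p "$(dirname "$ctl")"
    [ -f "$ctl" ] || : > "$ctl"
    while IFS= read -r grip; do
        [ -n "$grip" ] || continue
        grep -q -- "^$grip" "$ctl" || printf '%s\n' "$grip" >> "$ctl"
    done
}

# Constructed stand-in for "gpg -K --with-keygrip --with-colons": one primary
# key (certify+sign), an encryption subkey and an authentication subkey.
# Key ids, fingerprints and keygrips are fake.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAA1:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::00000000000000000000000000000000000000A1:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:AAAAAAAAAAAAAAA2:1500000000::::::e:::+:::23:
fpr:::::::::00000000000000000000000000000000000000A2:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:AAAAAAAAAAAAAAA3:1500000000::::::a:::+:::23:
fpr:::::::::00000000000000000000000000000000000000A3:
grp:::::::::3333333333333333333333333333333333333333:'

if [ "${1:-}" = "apply" ]; then
    # Real run: use gpg's own listing and the real sshcontrol file.
    gpg -K --with-keygrip --with-colons | auth_keygrips | add_to_sshcontrol "$HOME/.gnupg/sshcontrol"
else
    # Dry run on the constructed listing: prints the auth subkey's keygrip.
    printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
fi
```

After "sh add-auth-keygrip.sh apply", ssh-add -L should list the card's authentication key; if it does not, the grip that was added (the last line of ~/.gnupg/sshcontrol) should be compared with the "grp" line under the "ssb" record marked "a" in gpg -K --with-keygrip --with-colons.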
[…] my last post regarding the usage of GPG Agent for SSH Authentication (read here) I presented my first solution to replace the default OpenSSH Agent with GPG’s SSH Agent […]
Since ubuntu 21.10 this stopped working somehow.
I’ve traced the problem with minor success: the gnome-keyring is not running, and somehow one of the components (I presume gdm3) launches openssh_client:
```
$ env|grep AUTH
SSH_AUTH_SOCK=/run/user/1000/openssh_agent
```
Where *that* thing is launched is a mystery to me 🙁
Hey,
did you check out https://mlohr.com/gpg-agent-for-ssh-authentication-update/?
Best regards
Matthias