GPG Agent for SSH in Gnome

In How to set up your YubiKey NEO I already mentioned that you can also use your YubiKey as an SSH key. In GPG Agent Forwarding I show how to forward your GPG agent to remote machines for decryption and signing. What is still missing is a tutorial on how to make it all work together: how to use your GPG agent for SSH in Gnome.

Prerequisites

This guide covers combining a YubiKey (used as a GPG smart card) with gpg-agent's SSH support as a replacement for ssh-agent on Ubuntu 18.04 with Gnome. I assume you have already read the article How to set up your YubiKey NEO, set up your YubiKey (or any other smart card) and generated the SSH keys. The steps may well work on other distributions and versions, but I have tested them only on Ubuntu 18.04 with Gnome. Experience reports or problems can be left in the comments. If anyone has more useful information, I'd be happy to update this article.

Setup

The configuration itself is quite simple, but it took me a long time to figure out how the pieces fit together. Here are the steps to take to use the GPG agent for SSH in Gnome:

  • First we have to disable the SSH component of the Gnome keyring. The problem is that the Gnome keyring starts its own SSH agent and sets $SSH_AUTH_SOCK, overwriting the value set by any other agent that is already running, so ssh never talks to gpg-agent. I found the solution for this step here: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components. However, deactivating the autostart entry was enough for me. I didn't have to set GSM_SKIP_SSH_AGENT_WORKAROUND.
    mkdir -p ~/.config/autostart
    cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
    echo "Hidden=true" >> ~/.config/autostart/gnome-keyring-ssh.desktop
  • The next step is to make gpg use the agent. On GnuPG 2.1 and later (Ubuntu 18.04 ships 2.2) gpg always talks to gpg-agent and this option is accepted but ignored, so the line is harmless but no longer required:
    echo "use-agent" >> ~/.gnupg/gpg.conf
  • Next, enable SSH support for the GPG agent, so that gpg-agent also speaks the ssh-agent protocol and offers the authentication key on the card. Note that this goes into gpg-agent.conf, not gpg.conf, and that appending it twice leaves a duplicate line behind:
    echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

Then log out (or reboot) so that all running services and agents are stopped, gpg-agent is restarted with the new configuration and nothing else has already set the variable. After the next login, $SSH_AUTH_SOCK should point to the GPG agent's SSH socket (the exact path depends on your UID; gpgconf --list-dirs agent-ssh-socket prints the one your gpg-agent uses):

echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh

Now you can test whether it works: ssh-add -L should list the authentication key from your card, and connecting to a host that has that key in its authorized_keys should prompt for the card PIN instead of a key passphrase. If $SSH_AUTH_SOCK still points somewhere else (for example to a keyring socket), the Gnome keyring SSH agent is still being started. Enjoy! 🙂
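The following script is an added example and not part of the original article: it performs the three setup steps above idempotently (so running it twice does not leave duplicate lines in gpg-agent.conf or the autostart file), fixes the permissions gpg expects on ~/.gnupg, and provides the post-login check that compares $SSH_AUTH_SOCK with the socket gpg-agent reports. It assumes the autostart file path from the article (/etc/xdg/autostart/gnome-keyring-ssh.desktop) and that gpgconf and ssh-add are installed; the "setup"/"check" subcommand interface and all function names are my own invention, and the functions take their paths as parameters so they can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent version of the
# setup steps for using gpg-agent as ssh-agent under Gnome, plus a check.
set -eu

# Append LINE to FILE only if FILE does not already contain it as a whole line.
# Plain "echo ... >> file" leaves a duplicate behind every time it is re-run.
ensure_line() {
    file=$1; line=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Copy the keyring SSH autostart entry into the user's autostart directory and
# mark it Hidden, so gnome-keyring no longer starts its own ssh-agent (which
# would overwrite SSH_AUTH_SOCK). Re-running keeps a single Hidden=true line.
hide_autostart() {
    src=$1; autostart_dir=$2
    dst="$autostart_dir/$(basename "$src")"
    mkdir -p "$autostart_dir"
    [ -f "$dst" ] || cp "$src" "$dst"
    ensure_line "$dst" "Hidden=true"
}

# Turn on the ssh-agent emulation in gpg-agent.conf. "use-agent" in gpg.conf is
# a no-op on GnuPG >= 2.1, so only gpg-agent.conf is touched. gpg refuses to use
# a world-readable homedir, hence the chmod.
enable_gpg_ssh_support() {
    gnupg_home=$1
    ensure_line "$gnupg_home/gpg-agent.conf" "enable-ssh-support"
    chmod 700 "$gnupg_home"
}

# Post-login check: ACTUAL (normally $SSH_AUTH_SOCK) must equal EXPECTED
# (normally the output of "gpgconf --list-dirs agent-ssh-socket").
# Returns 0 when they match, 1 otherwise.
check_ssh_auth_sock() {
    actual=$1; expected=$2
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SSH_AUTH_SOCK is '$actual', expected '$expected'" >&2
    return 1
}

# Apply all steps to a real home directory (hypothetical wrapper).
setup_gpg_ssh() {
    home=$1
    hide_autostart /etc/xdg/autostart/gnome-keyring-ssh.desktop "$home/.config/autostart"
    enable_gpg_ssh_support "$home/.gnupg"
    echo "Done. Log out and back in, then run: $0 check"
}

# Subcommands: "setup" applies the configuration, "check" verifies it after the
# next login and lists the keys gpg-agent offers (the card key should appear).
# Without a subcommand the file only defines the functions above.
case "${1:-}" in
    setup) setup_gpg_ssh "$HOME" ;;
    check) check_ssh_auth_sock "${SSH_AUTH_SOCK:-}" "$(gpgconf --list-dirs agent-ssh-socket)" \
               && ssh-add -L ;;
esac
```

Run it once as `sh gpg-ssh-setup.sh setup`, log out and back in, then `sh gpg-ssh-setup.sh check`; a non-zero exit from the check means something (usually the keyring agent) still sets $SSH_AUTH_SOCK before gpg-agent.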
