forked from institute/wiki
77 lines
2.7 KiB
Markdown
77 lines
2.7 KiB
Markdown
<!--
|
|
title: GnuPG for SSH Authentication
|
|
Description: Using gpg-agent as an alternative to ssh-agent
|
|
author: ahriman
|
|
-->
|
|
|
|
# Using GPG for SSH Authentication
|
|
|
|
It's a fairly simply process to have gpg-agent handle your SSH
|
|
authentication. To start off, you'll need to have a private GnuPG key
|
|
generated with an appropriate subkey for authentication. Once that's
|
|
taken care of, open up `~/.gnupg/gpg-agent.conf`
|
|
|
|
```
|
|
$ cat ~/.gnupg/gpg-agent.conf
|
|
enable-ssh-support
|
|
default-cache-ttl 60
|
|
max-cache-ttl 120
|
|
```
|
|
|
|
Now you'll need to append the following to `~/.bashrc`, or the appropriate
|
|
rc file for your shell
|
|
|
|
```
|
|
$ cat ~/.bashrc
|
|
export GPG_TTY="$(tty)"
|
|
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
|
gpg-connect-agent updatestartuptty /bye > /dev/null
|
|
```
|
|
|
|
Once that's done, you'll need to let `gpg-agent` know which GnuPG subkey
|
|
to use for SSH authentication. Run the following and copy the keygrip
|
|
associated with the subkey you've generated specifically for authentication.
|
|
Don't use *my* keygrip, however. The output here is just for an example. `GnuPG`
|
|
computes the keygrips from the public key, so nothing here is sensitive
|
|
or private.
|
|
|
|
```
|
|
$ gpg --with-keygrip -k ben@gbmor.dev
|
|
pub rsa4096/0xEAB272409CD12FF0 2018-11-25 [SC]
|
|
Key fingerprint = 291A AFF7 A291 7DAB 0E01 6B9C EAB2 7240 9CD1 2FF0
|
|
Keygrip = DE06FAA273017BBD8778F94639611CEF53AB9EBC
|
|
uid [ultimate] Ben Morrison <ben@gbmor.dev>
|
|
sub rsa4096/0xF9C3B650612249D9 2018-11-25 [E]
|
|
Keygrip = 751ADAC109736316B6ABEBB3F2BDF4612F8A630C
|
|
sub rsa4096/0x4969E5731CFEB507 2018-11-25 [A]
|
|
Keygrip = 44D1BDC0C1931E2E018E7CE49CDE14BFB4EA11E3
|
|
sub rsa4096/0x8F192E4720BB0DAC 2018-11-25 [S]
|
|
Keygrip = 240966CBF2791D8C34D0DA646925435FED49F9BF
|
|
```
|
|
|
|
Now, open `~/.gnupg/sshcontrol` and paste the keygrip into that file.
|
|
It's the keygrip just below the key marked `[A]` for authentication.
|
|
Verify that the correct keygrip has been selected by running these two
|
|
and comparing the output:
|
|
```
|
|
$ ssh-add -L
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
|
|
KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== cardno:000609861127
|
|
```
|
|
```
|
|
$ gpg --export-ssh-key <keyid>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g
|
|
KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== openpgp:0x1CFEB507
|
|
```
|
|
The `ssh` output should match the `gpg` output (except maybe the little
|
|
trailing comment, like here). Also, I've removed most of the public key I'm using as
|
|
an example for brevity's sake. It should be quite a bit longer than this.
|
|
If `ssh` is correct, kill off `gpg-agent`
|
|
```
|
|
$ pkill gpg-agent
|
|
```
|
|
|
|
Then open up a new terminal and attempt to connect to a server!
|
|
|
|
[back](/)
|