2021-06-17
So apparently you can use GPG to provide SSH keys. Who knew! It’s useful if you need to use OpenPGP-compatible security keys or smart cards with SSH. (e.g. nitrokey, librem key, yubikey)
You will need to use gpg-agent as an SSH agent.
gpg-agent configuration
It first needs configuring to do so (it fails pretty late if you don’t configure this, so set it now to avoid difficult-to-debug headaches).
You can either edit ~/.gnupg/gpg-agent.conf manually, adding this:
enable-ssh-support
…or, you can use the gpgconf utility, which seems to be the “proper way”. As is traditional for GPG tools, it has the most arcane possible syntax for the task at hand:
echo enable-ssh-support:0:1 | gpgconf --change-options gpg-agent
You will need to install pcscd and run it (or enable its socket in systemd). It is part of the pcsclite package on Arch Linux.
It seems like there are also other compatible smart card daemons, such as scdaemon, which seem to work equally well.
It requires a bit of environment setup. I prefer the original ssh-agent for now (I don’t trust gpg-agent with importing my keys, because online the consensus seems to be that nobody has any clue where they’re copied to or how to change their password). So to keep the original ssh-agent usable while also using gpg-agent for ssh sometimes, I have created a script that will set up the necessary environment to run ssh with gpg’s agent. It launches a gpg-agent (implicitly) and sets the agent’s tty to the current one. Not sure exactly what that does but apparently it’s necessary sometimes.
The script will launch whatever command you give to it, e.g. ssh-gpg ssh server or ssh-gpg ssh-add -L. This means you can keep your normal ssh-agent setup active while still using this script.
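The post does not include the wrapper script itself. The following is an added example of such a wrapper, written for this page and not the author's own script, covering both the configuration check from the gpg-agent configuration section above and the per-command environment setup just described. It assumes gpgconf and gpg-connect-agent are on PATH; the GPG_AGENT_CONF and GPG_SSH_SOCK_OVERRIDE variables are hypothetical overrides introduced here only so the helper functions can be exercised without a running agent.

```sh
#!/bin/sh
# ssh-gpg: run one command with gpg-agent as its SSH agent.
# Added example, not the post author's script. Assumes gpgconf and
# gpg-connect-agent are on PATH and that gpg-agent.conf already
# contains enable-ssh-support (check_ssh_support verifies this).

# Path of gpg-agent.conf. GPG_AGENT_CONF is a hypothetical override
# so the check can be exercised against a temporary file.
gpg_agent_conf() {
    printf '%s\n' "${GPG_AGENT_CONF:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
}

# Fail early, with a clear message, when enable-ssh-support is missing:
# without it the agent starts fine and ssh only fails much later.
check_ssh_support() {
    conf=$(gpg_agent_conf)
    if [ -f "$conf" ] && grep -q '^[[:space:]]*enable-ssh-support' "$conf"; then
        return 0
    fi
    echo "ssh-gpg: enable-ssh-support not set in $conf" >&2
    return 1
}

# The agent's SSH socket. GPG_SSH_SOCK_OVERRIDE is a hypothetical
# variable used only so the function can be tested without gpg installed.
gpg_ssh_socket() {
    if [ -n "${GPG_SSH_SOCK_OVERRIDE:-}" ]; then
        printf '%s\n' "$GPG_SSH_SOCK_OVERRIDE"
    else
        gpgconf --list-dirs agent-ssh-socket
    fi
}

# Environment assignment handed to the child. Only SSH_AUTH_SOCK is
# replaced, and only for the child, so the caller's regular ssh-agent
# keeps working in the rest of the session.
gpg_ssh_env() {
    sock=$(gpg_ssh_socket) || return 1
    [ -n "$sock" ] || return 1
    printf 'SSH_AUTH_SOCK=%s\n' "$sock"
}

run_with_gpg_agent() {
    check_ssh_support || return 1
    sock=$(gpg_ssh_socket) || return 1
    # Talking to the agent starts it if needed and points its pinentry
    # at the current terminal.
    gpg-connect-agent updatestartuptty /bye >/dev/null || return 1
    # SSH_AGENT_PID belongs to the original ssh-agent; drop it so ssh-add
    # does not try to signal the wrong process.
    exec env -u SSH_AGENT_PID SSH_AUTH_SOCK="$sock" "$@"
}

# Usage: ssh-gpg ssh server    or    ssh-gpg ssh-add -L
if [ "$#" -gt 0 ]; then
    run_with_gpg_agent "$@"
fi
```

Because SSH_AUTH_SOCK is set only in the child's environment, the shell that invoked ssh-gpg still talks to the original ssh-agent afterwards; ssh-gpg ssh-add -L is a quick way to confirm the card's key is what the gpg socket is serving.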
Some setups prompt for a pin through the terminal. That seems like a bad idea if you’re ever going to use ssh agent forwarding. Probably best to use GUI pin entry where possible.
Updated 2021-12-15.