Use GPG smartcard for SSH logins
Hi,
This is not really a question, more like a sanity check to see if this setup could be improved or not. I have a Yubikey with my GnuPG keys on it and I want to use the authenticate key for SSH purposes. I managed to get it working by doing the following things (this only goes into the setup of gpg-agent with SSH, not the setup of the smartcard).
Add the following entries to ~/.gnupg/gpg-agent.conf (the ttl lines are optional of course):
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
Disable the ssh-agent that comes with GNOME by doing:
mkdir -vp ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/.
echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop
Now the ssh-agent shouldn't start when you start your GNOME session. But other applications can still spawn the process, e.g. a git clone or an ssh or whatever. I created a systemd service unit file to make sure the gpg-agent loads and takes ownership of the SSH_AUTH_SOCK variable. Here it is:
mkdir -vp ~/.config/systemd/user
cat <<'EOF' >> ~/.config/systemd/user/gpg-agent.service
[Unit]
Description=GnuPG Agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support --daemon
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}

[Install]
WantedBy=default.target
EOF
systemctl --user daemon-reload
systemctl --user enable gpg-agent.service
echo 'eval $(systemctl --user show-environment | grep SSH_AUTH_SOCK); export SSH_AUTH_SOCK' >> ~/.bash_profile
I read that Wayland will in the future read out systemd exported variables, so then the .bash_profile entry could be removed. Now when you reboot (or restart your session, but reboot might be best), insert your Yubikey and run ssh-add -l, you should see your RSA identity from your smartcard (Yubikey).
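Since the post asks for a sanity check, here is an added verification script (not part of the original post) that checks the three pieces of the setup above are consistent: that gpg-agent.conf enables SSH support and has sane TTL values, that the GNOME autostart override actually hides gnome-keyring-ssh, and that SSH_AUTH_SOCK points at the gpg-agent socket rather than the gnome-keyring one. The file paths and the `/run/user/UID/keyring/ssh` path for the gnome-keyring socket are assumptions based on the post and on default GNOME layouts; the functions take paths and values as arguments so they can be tested against constructed files.

```shell
#!/bin/sh
# Added sanity-check helper for the gpg-agent + SSH setup (not from the original post).
# Assumed layout: ~/.gnupg/gpg-agent.conf, ~/.config/autostart/gnome-keyring-ssh.desktop,
# and SSH_AUTH_SOCK=.../gnupg/S.gpg-agent.ssh exported by the systemd user unit.

# check_agent_conf FILE: 0 if FILE sets enable-ssh-support and any cache-ttl
# lines carry integer second values, 1 otherwise (reason printed to stdout).
check_agent_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 1; }
    grep -qx 'enable-ssh-support' "$conf" || { echo "enable-ssh-support not set in $conf"; return 1; }
    # The ttl lines are optional, but if present the value must be a plain integer.
    grep -E '^(default|max)-cache-ttl' "$conf" | while read -r key val; do
        case "$val" in
            ''|*[!0-9]*) echo "bad value for $key: '$val'"; exit 1 ;;
        esac
    done || return 1
    return 0
}

# check_autostart_hidden FILE: 0 if the GNOME autostart override disables gnome-keyring-ssh.
check_autostart_hidden() {
    [ -r "$1" ] || { echo "no autostart override at $1"; return 1; }
    grep -qx 'Hidden=true' "$1" || { echo "$1 exists but does not set Hidden=true"; return 1; }
    return 0
}

# check_sock_var VALUE: 0 if VALUE is the gpg-agent SSH socket, 1 if it is unset,
# still the gnome-keyring socket (assumed path /run/user/UID/keyring/ssh), or something else.
check_sock_var() {
    case "$1" in
        */gnupg/S.gpg-agent.ssh) return 0 ;;
        '') echo "SSH_AUTH_SOCK is unset"; return 1 ;;
        */keyring/ssh) echo "SSH_AUTH_SOCK still points at gnome-keyring: $1"; return 1 ;;
        *) echo "unexpected SSH_AUTH_SOCK: $1"; return 1 ;;
    esac
}

# run_all: apply the checks to the real session; returns non-zero if any check fails.
run_all() {
    rc=0
    check_agent_conf "$HOME/.gnupg/gpg-agent.conf" || rc=1
    check_autostart_hidden "$HOME/.config/autostart/gnome-keyring-ssh.desktop" || rc=1
    check_sock_var "${SSH_AUTH_SOCK:-}" || rc=1
    # ssh-add -l exits 1 when the agent has no identities and 2 when it cannot be reached.
    if ssh-add -l >/dev/null 2>&1; then
        echo "agent reachable and serving identities"
    else
        echo "ssh-add -l lists no identities (agent not running, or smartcard not inserted?)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "gpg-agent SSH setup looks consistent"
    return "$rc"
}

# Only touch the live session when invoked as: sh check-gpg-ssh.sh --run
case "${1:-}" in
    --run) run_all ;;
esac
```

Run it with `--run` after logging back in with the Yubikey inserted; each failing check prints which of the three steps from the post needs another look.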