Ask Your Question

Use GPG smartcard for SSH logins

asked 2017-02-03 09:14:14 -0500

AquaL1te gravatar image


This is not really a question, more like a sanity check to see if this setup could be improved or not. I have a Yubikey with my GnuPG keys on it and I want to use the authenticate key for SSH purposes. I managed to get it working by doing the following things (this only goes into the setup of gpg-agent with SSH, not the setup of the smartcard).

Add the following entries to ~/.gnupg/gpg-agent.conf (the ttl lines are optional of course):

default-cache-ttl 60
max-cache-ttl 120

Disable the ssh-agent that comes with GNOME by doing:

cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/.
mkdir -vp ~/.config/autostart
echo 'Hidden=true' >>  ~/.config/autostart/gnome-keyring-ssh.desktop

Now the ssh-agent shouldn't start when you start your GNOME session. But other applications can still spawn the process e.g. a git clone or an ssh or whatever. I created a systemd service unit file to make sure the gpg-agent loads and takes ownership of the SSHAUTHSOCK variable. Here it is:

mkdir -vp ~/.config/systemd/user
cat <<EOF >> ~/.config/systemd/user/gpg-agent.service
> [Unit]
> Description=GnuPG Agent
> IgnoreOnIsolate=true
> [Service]
> Type=forking
> Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
> ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support --daemon
> ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
> [Install]
systemctl --user daemon-reload
systemctl --user enable gpg-agent.service
echo 'eval $(systemctl --user show-environment | grep SSH_AUTH_SOCK); export SSH_AUTH_SOCK' >> ~/.bash_profile

I read that Wayland will in the future read out systemd exported variables, so then the .bash_profile entry could be removed. Now when you reboot (or restart your session, but reboot might be best), insert your Yubikey and run ssh-add -l you should see your RSA identity from your smartcard (Yubikey).

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2017-07-11 10:48:49 -0500

jjelen gravatar image

But other applications can still spawn the process e.g. a git clone or an ssh or whatever.

These applications do not spawn ssh-agent processes. They only connect to already running agents.

Otherwise it sounds good to me if you wish to use gpg-agent. But note, that even the stock ssh-agent can already make use of the smart cards using ssh-add -s /usr/lib64/pkcs11/ (or the respective path to the PKCS#11 provider).

edit flag offensive delete link more

Question Tools

1 follower


Asked: 2017-02-03 09:13:09 -0500

Seen: 930 times

Last updated: Feb 03 '17