gpg-agent and SSH: No keys
I see two problems with your setup:

- > However, I borrowed and used the `.init` script from this blog (in lieu of editing my Xprofile).

  The init script from that blog post is outdated (i.e., for versions of GnuPG prior to 2.1). Don't use it.

- > Edit: Upon doing `set | grep SSH_AUTH_SOCK`, I get: `SSH_AUTH_SOCK=/run/user/1000/keyring-PLDuNs/ssh` However, upon trying to cat this file, I get a No such device or address error. However, I'm not sure if this is relevant or just user error by expecting a return.

  You're using the wrong SSH auth socket.

For a source on these claims, consult the official documentation. For a straight fix, see Jens Erat's outline of the process on the Unix StackExchange. Copied here for convenience:

- enable the `ssh-agent` protocol by adding `enable-ssh-support` to `~/.gnupg/gpg-agent.conf`
- `export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh`; you might want to do that in your `~/.profile`
- kill `ssh-agent` if started and reload `gpg-agent` (`gpg-connect-agent reloadagent /bye`)
- export and add your public key to target servers (`ssh-add -L` should now contain the familiar SSH public key line for your OpenPGP key)

  Editor's Note: This step can be simplified by adding the key's 'keygrip' value to `~/.gnupg/sshcontrol` and then authorizing it on the remote server with `ssh-copy-id`.
- `ssh` to the target server as with a normal SSH key
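The steps above, as an added example that is not part of the original answer and not GnuPG's own tooling: a few POSIX sh helpers that apply the configuration idempotently and check the two things that went wrong in the question (an `SSH_AUTH_SOCK` owned by another agent, and an `sshcontrol` entry whose private key `gpg-agent` cannot find). It assumes GnuPG 2.1 or later; the `gpgconf --list-dirs agent-ssh-socket` query assumes 2.1.13 or later, with the answer's legacy socket path as the fallback. The function names, the `GNUPGHOME` override, and the sample keygrip in the comments are mine.

```shell
#!/bin/sh
# Added example (not from the answer or from GnuPG): helpers for setting up
# gpg-agent's SSH support and diagnosing the usual failures. GNUPGHOME may be
# overridden so the functions can be exercised on a scratch directory.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append an option to gpg-agent.conf unless that exact line is already there.
# Use it for enable-ssh-support (and for disable-scdaemon if you have no card).
ensure_agent_option() {
    conf="$GNUPGHOME/gpg-agent.conf"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    touch "$conf"
    grep -qx -- "$1" "$conf" || printf '%s\n' "$1" >> "$conf"
}

# Path of gpg-agent's SSH socket: ask gpgconf on recent versions (>= 2.1.13),
# otherwise fall back to the legacy ~/.gnupg/S.gpg-agent.ssh used in the answer.
agent_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket 2>/dev/null && return 0
    fi
    printf '%s\n' "$GNUPGHOME/S.gpg-agent.ssh"
}

# True when $1 (the SSH_AUTH_SOCK in use) equals $2 (gpg-agent's socket).
# A value like /run/user/1000/keyring-*/ssh means another agent (the GNOME
# keyring in the question) owns the socket and gpg-agent is never consulted.
ssh_auth_sock_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# gpg-agent keeps private keys as private-keys-v1.d/<keygrip>.key; an
# sshcontrol entry without that file is what produces
# "key '...' skipped: No such file or directory" in the question's log.
keygrip_has_private_key() {
    [ -f "$GNUPGHOME/private-keys-v1.d/$1.key" ]
}

# Validate an sshcontrol file: every active line must begin with a 40-hex-digit
# keygrip and, when $2 is "yes", have a matching private key file.
# Offenders are reported on stderr; returns 1 if any were found.
check_sshcontrol() {
    file="$1"; check_keys="${2:-no}"; bad=0; n=0
    # read splits each line into the keygrip and the rest (ttl/flags)
    while read -r grip rest || [ -n "$grip" ]; do
        n=$((n + 1))
        case "$grip" in
            ''|'#'*|'!'*) continue ;;   # blank, comment, or disabled ("!") entry
        esac
        case "$grip" in
            *[!0-9A-Fa-f]*) ok=no ;;
            *) if [ "${#grip}" -eq 40 ]; then ok=yes; else ok=no; fi ;;
        esac
        if [ "$ok" = no ]; then
            printf '%s:%d: malformed keygrip: %s\n' "$file" "$n" "$grip${rest:+ $rest}" >&2
            bad=1
        elif [ "$check_keys" = yes ] && ! keygrip_has_private_key "$grip"; then
            printf '%s:%d: no private key for keygrip %s\n' "$file" "$n" "$grip" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Apply the setup and report what is still missing; run interactively.
setup_and_diagnose() {
    ensure_agent_option enable-ssh-support
    sock="$(agent_ssh_socket)"
    if ssh_auth_sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock"; then
        echo "SSH_AUTH_SOCK already points at gpg-agent ($sock)"
    else
        echo "add to ~/.profile:  export SSH_AUTH_SOCK=$sock; unset SSH_AGENT_PID"
    fi
    [ -f "$GNUPGHOME/sshcontrol" ] && check_sshcontrol "$GNUPGHOME/sshcontrol" yes
    echo "then reload the agent:  gpg-connect-agent reloadagent /bye"
}

# Only act when explicitly asked, so sourcing the file defines the helpers only.
case "${1:-}" in
    run) setup_and_diagnose ;;
esac
```

Invoke it as `sh gpg-ssh-setup.sh run` (the file name is mine). The reload command is printed rather than executed so the script never starts or restarts an agent behind your back; `check_sshcontrol` flags exactly the situation in the question, where the keygrip in `sshcontrol` has no key under `private-keys-v1.d/`.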
Updated on September 18, 2022

Comments
- Kaz Wolfe over 1 year

  I'm trying to enable SSH authentication through my GPG subkey, using this tutorial. However, I borrowed and used the `.init` script from this blog (in lieu of editing my Xprofile). However, I'm getting a very peculiar error message:

  ```
  ┌─[12:53:49]─[user@pc]
  └──> ~ $ ssh-add -l
  gpg-agent[7659]: ssh handler 0xABCD1234 for fd 5 started
  gpg-agent[7659]: ssh request 1 is not supported
  gpg-agent[7659]: ssh request handler for request_identities (11) started
  gpg-agent[7659]: no running SCdaemon - starting it
  gpg-agent[7659]: DBG: first connection to SCdaemon established
  gpg-agent[7659]: no authentication key for ssh on card: Card error
  gpg-agent[7659]: /home/user/.gnupg/sshcontrol:4: key '[keygrip from auth key]' skipped: No such file or directory
  gpg-agent[7659]: ssh request handler for request_identities (11) ready
  The agent has no identities.
  gpg-agent[7659]: ssh handler 0xABCD1234 for fd 5 terminated
  ```

  This, of course, makes no sense because I have never used a smartcard, nor do I think I have smartcard drivers installed.

  Additionally, these GPG keys are valid and are imported. The key listed above also does have an authentication subkey.

  I am running GnuPG version 2.1.1.

  Is there any way to fix this, and (as a bonus), get my SSH keys working through GPG?

  Contents of `~/.gnupg/sshcontrol`:

  ```
  # List of allowed ssh keys. Only keys present in this file are used
  # in the SSH protocol. The ssh-add tool may add new entries to this
  <keygrip from my auth key>
  ```

  Edit: Upon doing `set | grep SSH_AUTH_SOCK`, I get: `SSH_AUTH_SOCK=/run/user/1000/keyring-PLDuNs/ssh`

  However, upon trying to `cat` this file, I get a `No such device or address` error. However, I'm not sure if this is relevant or just user error by expecting a return.

- Jakuje over 8 years: What do you have in your `/home/user/.gnupg/sshcontrol`? It looks like something broken there.

- Kaz Wolfe over 8 years: @Jakuje Edited to show (censored) contents.

- Jakuje over 8 years: What are you trying to achieve in the first place? Why don't you use normal ssh keys and normal ssh-agent in the first place?

- Kaz Wolfe over 8 years: @Jakuje I'm trying to swap over to using my GPG authentication key for SSH logins from now on. And, when I eventually do move over to a smartcard, I'll be able to use that for SSH logins.

- Jakuje over 8 years: Fair enough. I would like to give it a try some time also. Maybe tomorrow. For bonus, you can add the keys just using `ssh-add ~/.ssh/id_rsa` or where they are (if you don't have the `gpg-agent` totally messed up).

- Jens Erat over 8 years: `ssh-add -l` requests `gpg-agent` to list all available keys -- this includes checking a smartcard if there is one. It looks like `gpg-agent` finds a smart card, but cannot talk with it. Try adding `disable-scdaemon` to `~/.gnupg/gpg-agent.conf` and restart `gpg-agent`. Don't forget to remove that option once you've got an OpenPGP smartcard.

- Kaz Wolfe over 8 years: @JensErat I tried that, and it returns the same thing, just without the smartcard error.