Arch Linux - Using GPG for SSH Authentication
If you generate an authentication subkey for your GPG key, you can use it to authenticate with SSH just like a regular SSH keypair. This is especially useful if you already have a smartcard setup with your GPG keys. You can just use the same smartcard for your SSH authentication!
Setup
If you don't have SSH installed already:
pacman -S openssh
Setup GPG SSH Agent
Enable SSH support in your gpg-agent configuration:
echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
You should also re-assign the SSH authentication socket to the GPG agent. You can do this in your session startup profile (.xprofile, for example):
# These are copied directly from gpg-agent manpages
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
Configuring your GPG authentication key for use with SSH
Get the keygrip for your authentication subkey:
gpg2 --with-keygrip -k <your-key-id>
Add the keygrip to ~/.gnupg/sshcontrol.
Your key should now show up when you run ssh-add -l.
Now you can get the public key for SSH use with ssh-add -L:
ssh-add -L > id_rsa.pub
Use this key just as if it was generated with ssh-keygen. When you require SSH auth, the GPG agent will take over and prompt you for authorization.
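An added example, not part of the original article: a shell helper that picks the authentication subkey's keygrip out of gpg's colon-format listing (skipping revoked, expired or invalid keys) and appends it to an sshcontrol file without duplicating entries. The function names and the sample listing are constructed for illustration; the field positions follow GnuPG's --with-colons format.

```shell
#!/bin/sh
# Real use (commands from the article; run by hand, not by this script):
#   gpg2 --with-colons --with-keygrip -k <your-key-id> | auth_keygrips
#   add_to_sshcontrol ~/.gnupg/sshcontrol <keygrip>

# Print the keygrip of each usable key or subkey that has the "a"
# (authentication) capability, reading a colon-format listing on stdin.
auth_keygrips() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            # field 2 = validity (r revoked, e expired, i invalid)
            # field 12 = capabilities; lowercase "a" means this key authenticates
            want = ($12 ~ /a/ && $2 !~ /^[rei]$/)
            next
        }
        # the grp record that follows a key record holds its keygrip (field 10)
        $1 == "grp" { if (want) print $10; want = 0 }
    '
}

# Append a keygrip to an sshcontrol file unless it is already listed.
add_to_sshcontrol() {
    file=$1; grip=$2
    # a keygrip is exactly 40 uppercase hex digits; reject anything else
    printf '%s\n' "$grip" | grep -Eqx '[0-9A-F]{40}' || return 2
    touch "$file" && chmod 600 "$file" || return 1
    grep -q "^[[:space:]]*$grip" "$file" || printf '%s\n' "$grip" >> "$file"
}

# Constructed sample: primary key (sign/certify only), an expired
# authentication subkey, an encryption subkey, a valid authentication subkey.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESCA:
grp:::::::::1111111111111111111111111111111111111111:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1600000000:1610000000:::::a:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e:
grp:::::::::3333333333333333333333333333333333333333:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1600000000::::::a:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
grp:::::::::4444444444444444444444444444444444444444:
EOF
}

# Demo on the constructed sample: prints only the 4444... keygrip.
sample_listing | auth_keygrips
```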