So I've been trying to get my GnuPG card to work with ssh authentication, but I can't seem to get it to work. As there are quite a few success stories out there, I'm probably missing something, or doing something stupid, so I'd appreciate any pointers.
This is a largely underdocumented feature, which is one reason I'm writing out all the steps here in one place. First of all, my card has subkeys only on it, though there is a full corresponding public key on my computer. Also, I'm using: gpg (GnuPG) 2.0.14 libgcrypt 1.4.4 Here are the steps I'm doing: I start up gpg-agent like so: $ eval `gpg-agent --enable-ssh-support --daemon` ..and check that my environment variables are pointed at the right PID, and that ssh-agent is not running: $ ps ax |egrep 'AGENT|SSH' (they are..) I edit my key, and make a subkey with the 'A' (authentication) flag: $ gpg2 --expert --edit-key C3C297C1 Command> addkey (toggle for authentication only) Afterwards, I have a subkey and corresponding secret key that looks like so: sub 1024R/3B70AC3E created: 2011-02-26 expires: never usage: A ssb 1024R/3B70AC3E created: 2011-02-26 expires: never Next, I add the key to the card: Command> toggle Command> key x (where x is the number corresponding to my secret auth subkey) Command> keytocard I verify that the key is indeed on the card: $ gpg2 --card-status ... Authentication key: 4B01 B8E3 F5FE 4B2F A295 710F E151 A452 3B70 AC3E ... Finally, I attempt to add the key to gpg-agent. I read this should automatically detect the auth key on the card, adding it to sshcontrol and such: $ ssh-add -l The agent has no identities. This is where I get stuck, I think. My debug log clearly shows ssh-add querying the card, with this output: gpg-agent[29524]: ssh handler 0x1ebe840 for fd 7 started gpg-agent[29524]: ssh request 1 is not supported gpg-agent[29524]: ssh request handler for request_identities (11) started gpg-agent[29524]: new connection to SCdaemon established (reusing) gpg-agent[29524]: no suitable card key found: No public key gpg-agent[29524]: ssh request handler for request_identities (11) ready gpg-agent[29524]: ssh handler 0x1ebe840 for fd 7 terminated I'm thinking the problem may lay in this "No public key" error.. In any case, I undertsand the next step is to get the ssh-ified version of the key, adding to to ~/.ssh/authorized_keys on the remote host: $ gpgkey2ssh 3B70AC3E > file_to_upload (file_to_upload is scp'd over to remote host in correct location..) (I sohuld also note gpgkey2ssh is in dire need of documentation and proper error handling.) sshing into my host at this point, ssh fails to recognize I have a key at all (although does attempt to send the empty ~/.ssh/id_dsa and id_rsa), and falls back to a password login. My GnuPG card has been working fine with signing and encryption subkeys, so I'm not suspecting a card communication error here.. Thanks! -- Brady Young <br...@frogandbear.net> _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
