Using GPG for SSH Authentication

It's a fairly simply process to have gpg-agent handle your SSH authentication. To start off, you'll need to have a private GnuPG key generated with an appropriate subkey for authentication. Once that's taken care of, open up ~/.gnupg/gpg-agent.conf

$ cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 60
max-cache-ttl 120

Now you'll need to append the following to ~/.bashrc, or the appropriate rc file for your shell

$ cat ~/.bashrc
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye

Once that's done, you'll need to let gpg-agent know which GnuPG subkey to use for SSH authentication. Run gpg --with-keygrip -k <email> and copy the keygrip associated with the subkey you've generated specifically for authentication only. Now, open ~/.gnupg/sshcontrol and paste the keygrip into that file. Verify that the correct keygrip has been selected by running ssh-add -L and comparing it against the output of gpg --export-ssh-key <keyid>. If it's correct, kill off gpg-agent with killall gpg-agent, then open up a new terminal and attempt to connect to a server!

Back to Wiki