SSH and GnuPG

SSH authentication can be done using an OpenPGP key. This article explains how.

Use gpg-agent for SSH-agent service

OpenSSH provides a command named ssh-agent. It holds the user's SSH keys.

There are alternatives to OpenSSH's ssh-agent for this service, such as GNOME Keyring, Seahorse, or gpg-agent. They provide the same service as ssh-agent, possibly in a different way.

When gpg-agent is used, an OpenPGP key can authenticate SSH access. This is our approach, because we want to use an OpenPGP key.

To do that, create the file ~/.gnupg/gpg-agent.conf with the following content:

enable-ssh-support

Note that we need to arbitrate between the programs that want to act as ssh-agent: only gpg-agent should provide the ssh-agent service.

For Debian Wheezy, I do this:

  1. Disable the original ssh-agent by commenting out the use-ssh-agent line in /etc/X11/Xsession.options

  2. Don't install the seahorse package

  3. Configure GNOME Keyring not to act as ssh-agent or gpg-agent: run the command below and, in the "Startup Programs" tab, uncheck "GPG Password Agent" and "SSH Key Agent":

    $ gnome-session-properties
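As an added check (example script, not from the original article), the script below verifies that the enable-ssh-support line is active, that Xsession.options no longer starts the stock ssh-agent, and that SSH_AUTH_SOCK points at gpg-agent's socket rather than another agent's. The file contents are constructed stand-ins, and it assumes gpg-agent names its SSH socket S.gpg-agent.ssh.

```shell
#!/bin/sh
# Added example (not from the original article): checks that gpg-agent, and
# only gpg-agent, is set up to provide the ssh-agent service. The file
# contents below are constructed stand-ins for the real files.
SAMPLE_AGENT_CONF='# ~/.gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl 600'

SAMPLE_XSESSION_OPTIONS='# /etc/X11/Xsession.options
allow-failed-user-xsession
# use-ssh-agent
use-session-dbus'

# 0 if the gpg-agent.conf text has an active (uncommented) enable-ssh-support line.
conf_enables_ssh_support() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$'
}

# 0 if Xsession.options no longer starts the stock ssh-agent, i.e. every
# use-ssh-agent line is commented out or absent.
xsession_ssh_agent_disabled() {
  ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*use-ssh-agent[[:space:]]*$'
}

# 0 if an SSH_AUTH_SOCK value points at gpg-agent's SSH socket, which gpg-agent
# names S.gpg-agent.ssh. Any other path means ssh(1) talks to a different agent.
sock_is_gpg_agent() {
  case "$1" in
    */S.gpg-agent.ssh) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit the three conditions and report each one; returns 0 only if all hold.
audit_ssh_agent_setup() {
  conf="$1"; xopts="$2"; sock="$3"; rc=0
  if conf_enables_ssh_support "$conf"; then echo "ok   gpg-agent.conf enables ssh support"
  else echo "FAIL gpg-agent.conf lacks enable-ssh-support"; rc=1; fi
  if xsession_ssh_agent_disabled "$xopts"; then echo "ok   Xsession does not start ssh-agent"
  else echo "FAIL Xsession.options still has use-ssh-agent"; rc=1; fi
  if sock_is_gpg_agent "$sock"; then echo "ok   SSH_AUTH_SOCK is gpg-agent's socket"
  else echo "FAIL SSH_AUTH_SOCK points elsewhere: $sock"; rc=1; fi
  return $rc
}

# Run against the constructed samples; on a real system pass
# "$(cat ~/.gnupg/gpg-agent.conf)" "$(cat /etc/X11/Xsession.options)" "$SSH_AUTH_SOCK".
audit_ssh_agent_setup "$SAMPLE_AGENT_CONF" "$SAMPLE_XSESSION_OPTIONS" \
  "/home/user/.gnupg/S.gpg-agent.ssh"
```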
    

Using GnuPG's Authentication subkey for SSH

When you are using a smartcard or token with GnuPG, it's just a matter of configuration. Please skip to the next section.

When your OpenPGP keys are on ordinary storage, please follow these instructions.

First, you need to generate an authentication subkey and register it. Use the "monkeysphere" program to do that. It takes two steps:

$ monkeysphere gen-subkey
$ monkeysphere subkey-to-ssh-agent

The first step adds an authentication subkey to your GnuPG primary key. (You can also do that with GnuPG itself, using --edit-key with the --expert option, but it's somewhat lengthy.)

The second step registers those authentication subkeys with the SSH agent service of gpg-agent. (If your GnuPG is the development version 2.1.x, this step is not required.)

You can examine your key with:

$ gpg --edit-key <YOUR_ID>
[...]
gpg> quit
$

and you will see a subkey with the "usage A" flag.

When you need this key in OpenSSH format, type:

$ gpgkey2ssh <YOUR-SUBKEY-ID-IN-UPPERCASE-HEXADECIMAL>

to get the public key in the form used in ~/.ssh/authorized_keys on your remote server.

See also the article Use OpenPGP Keys for OpenSSH (archive.org), where I learned this.

Using OpenPGP card or Gnuk Token for SSH

When you're using a smartcard or token, it's simpler, as it has an authentication subkey by default.

You just need to invoke gpgkey2ssh when you need the public key in OpenSSH format.

SSH host key and GnuPG

There is another problem: the SSH host key. In the past, there was an experimental patch, openssh-gpg. Now we have The Monkeysphere Project.

Note that The Monkeysphere Project covers not only SSH but also web authentication.