Using GPG agent for SSH authentication

GPG can be used as SSH agent, which allows you to store your keys on a smartcard rather than on a (easy to compromise) computer. This is how it's done.

I'm assuming the smartcard is already set up. To try, ask GPG to print out information about the smartcard:

gpg --card-status

Set up the server side

Register your key on the machine you want to log in to.

gpgkey2ssh $KEYID | ssh user@host 'cat >> .ssh/authorized_keys2'

(You may want to use an intermediate file if you need further editing to the list of authorized keys, e.g. for restriction on what they key is allowed to do.)

Set up the client side

Enable SSH support in GPG agent

echo enable-ssh-support >> $HOME/.gnupg/gpg-agent.conf
gpg-connect-agent /bye  # restart agent

In your shell, set the SSH agent environment variables, so that SSH knows how to talk to the GPG agent. (This is also documented in the gpg-agent man page.)

export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

You may want to put this into your .bashrc.

Is this even a good idea?

Some relevant questions:

You can compare the source code here: