Using GPG agent for SSH authentication
GPG can be used as an SSH agent, which lets you store your keys on a smartcard rather than on an (easily compromised) computer. This is how it's done.
I'm assuming the smartcard is already set up. To try, ask GPG to print out information about the smartcard:
gpg --card-status
Set up the server side
Register your key on the machine you want to log in to.
gpgkey2ssh $KEYID | ssh user@host 'cat >> .ssh/authorized_keys2'
(You may want to use an intermediate file if you need further editing to the list of authorized keys, e.g. for restrictions on what the key is allowed to do.)
Set up the client side
Enable SSH support in GPG agent
echo enable-ssh-support >> $HOME/.gnupg/gpg-agent.conf
gpg-connect-agent /bye # restart agent
In your shell, set the SSH agent environment variables, so that SSH knows how to talk to the GPG agent. (This is also documented in the gpg-agent man page.)
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
You may want to put this into your .bashrc.
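The server-side and client-side steps above, collected into shell functions. This is an added example, not code from the original post: it assumes gpgkey2ssh, gpg-agent, ssh and ssh-add are installed on the client, uses the agent socket path the post gives ($HOME/.gnupg/S.gpg-agent.ssh, or under GNUPGHOME if that is set), and goes a step beyond the post by writing the key through an intermediate file and prefixing it with sshd authorized_keys options (no-agent-forwarding, no-port-forwarding, no-X11-forwarding) so the card key cannot be used for anything but a login session. The function names, the GPG_SSH_DEMO guard variable and the KEYID/TARGET variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed tools: gpgkey2ssh,
# gpg-agent, gpg-connect-agent, ssh, ssh-add. Function names and the
# GPG_SSH_DEMO / KEYID / TARGET variables are invented for this example.

# Path of the gpg-agent SSH socket for this user (GNUPGHOME overrides
# $HOME/.gnupg, as gpg itself does).
gpg_ssh_socket() {
    printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
}

# Prefix an authorized_keys line with option restrictions (see the
# AUTHORIZED_KEYS FILE FORMAT section of sshd(8)).
# $1 = comma-separated options, $2 = the public key line.
restrict_key() {
    printf '%s %s\n' "$1" "$2"
}

# Server side: export the card key, restrict it, append it on the host.
# $1 = GPG key id, $2 = user@host. The intermediate file lets you inspect
# or edit the line before it is appended, as the post suggests.
install_key() {
    tmp=$(mktemp) || return 1
    gpgkey2ssh "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    restrict_key 'no-agent-forwarding,no-port-forwarding,no-X11-forwarding' \
        "$(cat "$tmp")" \
        | ssh "$2" 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys2'
    status=$?
    rm -f "$tmp"
    return $status
}

# Client side: enable SSH support once, start the agent, and point ssh at
# its socket. Source this file (". ./file") so the exports reach your shell.
use_gpg_agent() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    grep -qs '^enable-ssh-support' "$conf" || echo enable-ssh-support >> "$conf"
    gpg-connect-agent /bye
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK=$(gpg_ssh_socket)
    export SSH_AUTH_SOCK
}

# Check: the socket exists and the agent can list at least one key
# (fails when the card is not inserted or the PIN was not entered).
check_agent() {
    [ -S "$SSH_AUTH_SOCK" ] || { echo "no agent socket at $SSH_AUTH_SOCK" >&2; return 1; }
    ssh-add -L >/dev/null 2>&1 || { echo "agent lists no keys (card inserted? PIN?)" >&2; return 1; }
}

# Usage: GPG_SSH_DEMO=install KEYID=... TARGET=user@host sh file
#        GPG_SSH_DEMO=client . ./file
case "${GPG_SSH_DEMO-}" in
    install) install_key "$KEYID" "$TARGET" ;;
    client)  use_gpg_agent && check_agent ;;
esac
```

The restriction options are applied on the server, where they cannot be undone by whoever holds the card, so an attacker who gets a forwarded agent or the card itself still cannot open tunnels through that host.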
Is this even a good idea?
Some relevant questions:
- Do you trust gpg-agent more than ssh-agent?
- Do you trust it enough to tunnel it to remote hosts? (If you're using SSH agent forwarding)
- Do you want to plug in your PGP keys and enter the PIN when doing SSH authentication? (If you're storing them on the same card; avoiding unnecessary exposure seems like a good idea.)
You can compare the source code here: