gpg authentication over ssh

Yubikeys can store your gpg private keys, which lets you perform encryption, signing, and authentication more securely: the private keys are only accessible through the Yubikey, and only while it is plugged in.

Today I’ll explore the authentication key. It’s possible to leverage your gpg authentication private key for ssh public key authentication. This mechanism allows passwordless authentication over the ssh protocol. Windows, Linux, and MacOSX have supported clients, and this post will explore how to achieve this on each.

Windows

In order to use the gpg authentication key for passwordless ssh logins you’ll first need to install gpg4win. When downloading this program, as an exercise I challenge you to also verify the integrity of your downloaded binary. With gpg4win installed, you’ll need to modify a number of configuration files. First, append your authentication keygrip to the file %APPDATA%/gnupg/sshcontrol. To find your keygrip, issue,

> gpg --list-keys --with-keygrip
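As an added example (not from the original post), a small POSIX shell script for that sshcontrol step: it reads gpg's machine-readable listing (the --with-colons form of the command above), keeps only keygrips of keys with the authenticate capability, and appends them to an sshcontrol file without creating duplicates. It runs against a constructed listing and a temporary file; the real file is %APPDATA%\gnupg\sshcontrol on Windows and ~/.gnupg/sshcontrol on Linux/macOS.

```shell
#!/bin/sh
# Print the keygrip(s) of authentication-capable keys from
# "gpg --list-keys --with-colons --with-keygrip" read on stdin.
# Field 12 of pub:/sub: records lists capabilities (lowercase "a" =
# this key may authenticate); field 10 of the next grp: record is its keygrip.
auth_keygrips() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { cap = $12 }
        $1 == "grp" && index(cap, "a") > 0 { print $10 }
    '
}

# Append a keygrip to an sshcontrol file only if it is not already listed,
# so re-running the setup never leaves duplicate entries.
add_to_sshcontrol() {
    keygrip=$1
    file=$2
    if grep -q "^$keygrip\$" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$keygrip" >> "$file"
}

# Constructed sample listing (not a real key): the primary key signs and
# certifies, the first subkey encrypts, the second subkey authenticates.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:u:4096:1:1122334455667788:1600000000::::::a::::::23:
fpr:::::::::1122334455667788112233445566778811223344:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Run both steps twice over the sample and print the file: the second pass
# must add nothing. On a real machine pipe in the live gpg listing instead
# and use ~/.gnupg/sshcontrol (Linux/macOS) or %APPDATA%\gnupg\sshcontrol.
demo_sshcontrol() {
    tmp=$(mktemp)
    for pass in 1 2; do
        printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips | while read -r grip; do
            add_to_sshcontrol "$grip" "$tmp"
        done
    done
    cat "$tmp"
    rm -f "$tmp"
}
demo_sshcontrol
```

Only the keygrip of the subkey carrying the lowercase "a" capability is written; the encryption subkey and the primary key are skipped.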

Next, open the file %APPDATA%/gnupg/gpg-agent.conf and append the below text to it,

enable-putty-support

You may also need to import your ssh-keys from the Yubikey. From the command line issue,

> gpg --card-edit
gpg/card> fetch

putty already has support for gpg-agent, which I believe is started by the Kleopatra application that handles gpg key management. This is all that needs to be done!

Ubuntu / Linux and MacOS X

The procedure for setting up gpg authentication over ssh on Ubuntu is similar but has a few extra steps. Edit ~/.gnupg/gpg-agent.conf and add the below,

enable-ssh-support

Then edit, ~/.gnupg/gpg.conf and append,

use-agent

I also added the following to my ~/.bashrc file,

export GPG_TTY=$(tty)
# Point ssh at gpg-agent's ssh socket. Older GnuPG put it at
# $HOME/.gnupg/S.gpg-agent.ssh; newer releases use /run/user/<uid>/gnupg,
# so ask gpgconf for the path instead of hard-coding it.
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent UPDATESTARTUPTTY /bye > /dev/null

Some useful commands

Start gpg-agent – gpgconf --launch gpg-agent
Kill gpg-agent – gpgconf --kill gpg-agent