
I have a Yubikey 4 and I want to use my GPG keys stored on this to authenticate to SSH servers.
I want to use GitHub for a start. I have already added my GPG authentication key to GitHub.

My problem is that when I ssh, my agent doesn't use this key. I've checked by trying to connect to my VPS with ssh -v but it skips my GPG key. My Yubikey is plugged in and gpg2 --card-status shows all the details. I am able to sign and decrypt fine as well as use the other features of the Yubikey.

The ssh output:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/wilhelm/.ssh/id_rsa
debug1: Trying private key: /home/wilhelm/.ssh/id_dsa
debug1: Trying private key: /home/wilhelm/.ssh/id_ecdsa
debug1: Trying private key: /home/wilhelm/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

I have disabled gnome password manager.

I've looked at Connecting SSH and Git to gpg-agent and followed the suggestion, but it doesn't seem to be working.

╰─ ssh-add -l
Could not open a connection to your authentication agent.

╰─ ps aux | grep gpg-agent
wilhelm  26079  0.0  0.0  20268   980 ?        Ss   20:57   0:00 gpg-agent --daemon --enable-ssh-support --sh
wilhelm  31559  0.0  0.0  12724  2184 pts/1    S+   22:49   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn gpg-agent
  • What is the command you are using to connect?
    – Jakuje
    Commented Dec 17, 2015 at 19:49
  • ssh -v wilhelm.co.za Commented Dec 17, 2015 at 19:53
  • Do you have a connection to your agent available? What does ssh-add -l output?
    – Jakuje
    Commented Dec 17, 2015 at 19:57
  • Oh sorry, I meant to add that to the question. Turns out I didn't. Editing now Commented Dec 17, 2015 at 20:21
  • When ssh can't open a connection to your gpg-agent, it can't use it. That is obvious. You need to add --enable-ssh-support to your gpg-agent as described in the linked question. You need to have at least the SSH_AUTH_SOCK environment variable, which should be generated by your agent. The common way is to start the agent as eval $(gpg-agent --options).
    – Jakuje
    Commented Dec 17, 2015 at 20:30

1 Answer

ssh can't open a connection to your gpg-agent if you do not give it a way to do so.

When you start your gpg-agent with the --enable-ssh-support option, it prints out the environment variables that need to be available in the shell from which you will be using ssh. There are a few possibilities for getting them:

  • Stop your gpg-agent and start it once more like this in the shell from which you are using ssh (this should be the easiest way to test it):

    eval $(gpg-agent --daemon --enable-ssh-support --sh)
    
  • Find the location of the authentication socket and set the environment variable SSH_AUTH_SOCK by hand.

Later on, when you know that it works, you should set up the agent start according to the manual page for gpg-agent(1), so probably in ~/.xsession to let it start automatically.
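As an added example (not part of the question or the answer above), a POSIX shell snippet that implements the second bullet: it locates the agent's SSH socket, exports SSH_AUTH_SOCK for the current shell, and confirms with ssh-add -l, so the "Could not open a connection to your authentication agent" failure from the question is caught before any ssh attempt. The gpgconf lookup assumes GnuPG 2.1 or newer; the fallback path assumes the classic $GNUPGHOME/S.gpg-agent.ssh layout.

```shell
#!/bin/sh
# Added example: point ssh at the gpg-agent SSH socket and verify it.

# Socket path gpg-agent uses when its home directory is $1
# (assumed layout: $GNUPGHOME/S.gpg-agent.ssh, default ~/.gnupg).
default_gpg_ssh_socket() {
    printf '%s/S.gpg-agent.ssh\n' "${1:-$HOME/.gnupg}"
}

# Ask gpgconf for the socket (GnuPG 2.1+ prints an "agent-ssh-socket:" line);
# fall back to the default layout when gpgconf is missing or silent.
gpg_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs 2>/dev/null \
               | sed -n 's/^agent-ssh-socket:\(.*\)$/\1/p')
    fi
    [ -n "$sock" ] || sock=$(default_gpg_ssh_socket "$GNUPGHOME")
    printf '%s\n' "$sock"
}

# Return 0 if $1 exists and is a Unix socket, 1 otherwise.
agent_socket_present() {
    [ -S "$1" ]
}

# Export SSH_AUTH_SOCK for this shell and list the keys the agent offers.
# With a Yubikey inserted, the card's authentication key should appear here;
# if it does not, ssh will skip it exactly as in the question's ssh -v log.
use_gpg_agent_for_ssh() {
    sock=$(gpg_ssh_socket)
    if ! agent_socket_present "$sock"; then
        echo "no gpg-agent SSH socket at $sock;" \
             "start gpg-agent with --enable-ssh-support first" >&2
        return 1
    fi
    export SSH_AUTH_SOCK="$sock"
    ssh-add -l
}
```

Source this file and run use_gpg_agent_for_ssh in the same shell you will use for ssh; it only changes that shell's environment.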

  • Thanks man, it works perfectly :). Followed so many tutorials but none of them suggested this explicitly. Commented Dec 17, 2015 at 21:06
  • I'm just going to try a restart and then I'll mark it as the answer. Commented Dec 17, 2015 at 21:08
  • It worked fine with just the first bullet. After a restart, it doesn't work (added to .xsession). So I just added the commands from the first bullet to my rc. Commented Dec 17, 2015 at 21:15
  • And is gpg-agent running? What exactly does not work? We went through quite a few troubleshooting steps, which you can now do on your own.
    – Jakuje
    Commented Dec 17, 2015 at 21:19
  • pkill -9 gpg-agent eval $(gpg-agent --daemon --enable-ssh-support --sh) in my rc makes ssh work Commented Dec 17, 2015 at 21:21