I'm running a YubiKey NEO with the OpenPGP applet to store my GPG keys on the smart card. I've stopped all other SSH and GPG agents manually by removing their startup entries (On elementary OS Luna, Ubuntu 12.04).
I've then started the scdaemon
process, making sure that its environment variable is exported:
$ scdaemon --daemon
SCDAEMON_INFO=/tmp/gpg-zKwfGU/S.scdaemon:13142:1; export SCDAEMON_INFO;
$ SCDAEMON_INFO=/tmp/gpg-zKwfGU/S.scdaemon:13142:1; export SCDAEMON_INFO;
I then started the gpg-agent
process, again making sure that the environment variables are exported:
$ gpg-agent --enable-ssh-support --daemon --write-env-file "${HOME}/.gpg-agent-info"
GPG_AGENT_INFO=/tmp/gpg-9UaXHX/S.gpg-agent:13322:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-WAYxYZ/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=13322; export SSH_AGENT_PID;
$ GPG_AGENT_INFO=/tmp/gpg-9UaXHX/S.gpg-agent:13322:1; export GPG_AGENT_INFO;
$ SSH_AUTH_SOCK=/tmp/gpg-WAYxYZ/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=13322; export SSH_AGENT_PID;
I now go to connect to my SSH server:
$ ssh [email protected]
Permission denied (publickey).
Weird.
If I try running the ssh
process from gpg-agent
like so, it just works™:
$ gpg-agent --enable-ssh-support --daemon ssh [email protected]
It prompts me for my PIN using pinentry
, just as expected, and the connection succeeds.
What am I missing in order to be able to use my smart card as an SSH key, seamlessly? Is there a way to make sure that I don't have to prefix calls to ssh
with gpg-daemon
? I know I could make a Bash alias, but I don't think that really solves the problem.
Update
I've found that a part of the problem is that gpg-agent
starts on its own without --enable-ssh-support
, which seems to be a part of the problem. I don't see it in Startup Applications inside of the System Control Panel, but it starts on its own as my login user. It's not inside of /etc/xdg/autostart
. Where can I find this and disable it? In my startup applications in the meantime, I just run:
killall -9 gpg-agent && gpg-agent --enable-ssh-support --daemon \
--sh --write-env-file=$HOME/.gpg-agent-info
I then source that file and export its environment variables and it just works.
My ~/.gnupg/gpg-agent.conf
already contains a line enable-ssh-support
, but it seems to not be having an effect.
How can I stop the other gpg-agent
process from starting on login?
ssh-add the/identity/file
and then 3) use ssh. It should use the pubkey from gpg-agent that was loaded with ssh-add. IIRC ssh does not ask the ssh-agent to add new keys but only if a key is available.