Using gpg for ssh (Maximum Portability)

Andrew Gallagher andrewg at andrewg.com
Fri Jun 23 12:33:21 CEST 2017


On 2017/06/21 18:17, Peter Lebbing wrote:
> On 18/06/17 03:48, Christopher Jones wrote:
>> It's a task to setup gpg on new boxes: Import pub key, ultimately trust
>> my key, and muck around with gpg and ssh agents.
> 
> Configuring gpg as an SSH agent for Linux in the easiest way is very,
> very distribution dependent. If you're lucky, it's a single switch
> somewhere. systemd, or Xsession, or something similar

For any linux distro that provides a recent gnupg 2.1, the easiest way
(not necessarily the Proper Way) is to put the following in your ~/.profile:

----
# Only set up a local gpg-agent when not logged in over ssh: inside an
# ssh session a forwarded agent (if any) must take precedence.
if [ -z "$SSH_CLIENT" ]; then
	export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh
	export GPG_AGENT_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent
	# Starts gpg-agent if it is not already running; it creates the
	# sockets referenced above.
	gpg-connect-agent /bye
fi
----

$XDG_RUNTIME_DIR normally expands to /run/user/<UID>. For v2.0, the
default socket location is under ~/.gnupg, but otherwise the trick is
the same. Note the vital <if> statement that prefers a forwarded
ssh-agent over a local gpg-agent.

This avoids having to mess around with distro/gui-specific session
configurations, and also has the advantage that you can cut and paste it
onto the command line of a logged-in system. There is no need to disable
the vanilla ssh-agent - just override $SSH_AUTH_SOCK and nothing will
talk to it.

A
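The snippet above hard-codes the 2.1 socket path and never checks that an agent is actually answering. The script below is an added example, not Andrew's snippet nor GnuPG project code: it keeps the same rule (a forwarded agent wins inside an ssh session), falls back to the ~/.gnupg layout the message mentions for 2.0 when $XDG_RUNTIME_DIR is unset, asks `gpgconf --list-dirs agent-ssh-socket` for the path when that command exists, and only exports SSH_AUTH_SOCK after `ssh-add -l` confirms something is listening. It assumes gpg-agent.conf already contains `enable-ssh-support`, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original message). Source this file from
# ~/.profile and call setup_gpg_ssh_agent. Assumes gnupg 2.x with
# "enable-ssh-support" in ~/.gnupg/gpg-agent.conf.

# choose_ssh_auth_sock SSH_CLIENT XDG_RUNTIME_DIR CURRENT_SOCK HOME
# Prints the socket path to use. A non-empty SSH_CLIENT means we are inside
# an ssh session, so whatever the client forwarded (CURRENT_SOCK) is kept,
# even if empty: never silently swap a forwarded agent for the local one.
choose_ssh_auth_sock() {
    ssh_client=$1
    runtime_dir=$2
    current_sock=$3
    home=$4
    if [ -n "$ssh_client" ]; then
        printf '%s\n' "$current_sock"
        return 0
    fi
    if [ -n "$runtime_dir" ]; then
        # gnupg 2.1 layout: /run/user/<UID>/gnupg/S.gpg-agent.ssh
        printf '%s/gnupg/S.gpg-agent.ssh\n' "$runtime_dir"
    else
        # gnupg 2.0-style fallback: sockets under the home directory.
        printf '%s/.gnupg/S.gpg-agent.ssh\n' "${home:-$HOME}"
    fi
}

# agent_sock_ok SOCK: succeed only if SOCK is a socket and, when ssh-add is
# available, an agent answers on it. ssh-add -l exits 0 (keys listed) or
# 1 (agent has no identities) when an agent responds, and 2 when it cannot
# reach one at all.
agent_sock_ok() {
    sock=$1
    [ -S "$sock" ] || return 1
    if command -v ssh-add >/dev/null 2>&1; then
        if SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        [ "$rc" -ne 2 ] || return 1
    fi
    return 0
}

# setup_gpg_ssh_agent: pick the socket, start the local agent when we are
# not over ssh, verify it, and only then export SSH_AUTH_SOCK.
setup_gpg_ssh_agent() {
    sock=$(choose_ssh_auth_sock "${SSH_CLIENT:-}" "${XDG_RUNTIME_DIR:-}" \
                                "${SSH_AUTH_SOCK:-}" "${HOME:-}")
    if [ -z "${SSH_CLIENT:-}" ]; then
        # Let gpgconf report the real path when it can; it knows the
        # installed version's layout better than a hard-coded guess.
        if command -v gpgconf >/dev/null 2>&1; then
            sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null \
                   || printf '%s' "$sock")
        fi
        # Start gpg-agent if it is not already running (same trick as the
        # original snippet); harmless if it is.
        gpg-connect-agent /bye >/dev/null 2>&1
    fi
    if agent_sock_ok "$sock"; then
        export SSH_AUTH_SOCK="$sock"
        return 0
    fi
    echo "warning: no ssh agent answering at '$sock'; SSH_AUTH_SOCK left unchanged" >&2
    return 1
}
```

Usage: `. ~/gpg-ssh-agent.sh && setup_gpg_ssh_agent` from ~/.profile, or paste the same two lines into an existing shell as the message suggests. The verification step matters on multi-user hosts: exporting a path that nothing serves yet makes every later `ssh` fail with an unhelpful "Could not open a connection to your authentication agent" instead of a clear warning at login.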

