Using PGP Keys for SSH on Fedora
I learned recently that PGP keys can be used for SSH authentication. This is quite convenient because if you’re already managing a PGP key to sign git commits (hint: you should probably be doing this), then you’ll have one less key to manage. As a bonus, if you’ve added your PGP public key to Github you can immediately use a subkey with authentication privileges to pull and push to your repositories over SSH.
This has been documented extensively else where, but the gist of the idea is
that gpg-agent
can act as an OpenSSH compatibly SSH agent (the program used
to store and manage SSH keys). If you launch gpg-agent
as follows:
$ eval $(gpg-agent --daemon --enable-ssh-support)
SSH will use your PGP keys to authenticate. Run ssh-add -L
to list the
available keys to verify SSH found them. You should see keys of the form
openpgp:{key-id}
or cardno:{card-id}
if you’re using a Smart Card like
Yubikey.
The only problem, is that on Gnome based systems there is already an SSH agent
running, namely Gnome Keyring. Most tutorials suggest
disabling this to some degree, but that isn’t actually necessary. Moreover,
I’ve found that Gnome will just complain that the keyring hasn’t started and
keeping asking me to authenticate to it when I’ve tried these methods. We just
need to make sure SSH finds the agent gpg-agent
is running instead of the one
Gnome Keyring is running. How does SSH find its agent? The SSH_AUTH_SOCK
environment variable.
Alright so here is the low down. To start, enable the gpg-agent
systemd user
sockets to make sure the agent is enabled on start up.
$ systemctl --user enable --now gpg-agent.socket
$ sytsemctl --user enable --now gpg-agent-ssh.socket
Then, update SSH_AUTH_SOCK
in your bashrc
(or equivalent).
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
That’s it! Now if you’re lucky enough to have your PGP keys on a Yubikey, you can completely remove all private keys from your laptop. A perfect example of security in depth.
More Reading
Wanna learn more? Here are some more articles: