How do I automatically start gpg-agent for use with ssh?

anders

11 Dec, 2012 07:00 PM

I seem unable to figure this one out myself so I could use some assistance. I want to use gpg for authenticating with ssh. I have made this work when I run everything, including gpg-agent, from a console, just to be clear that this is not a question about how to use gpg-agent with ssh in itself.

What I'd like to accomplish is having gpg-agent start automatically (or upon login if that is easier), and be available for all applications, not just the ones launched from that console window. All the tutorials I've been able to find through Google assume that such programs are started in a way very different from how OSX does it.

It seems that in a previous version of gpgtools, there was support for running gpg-agent from launchd, which I assume would've solved my problem but from what I've gathered, this is no longer supported. What is the "correct" way of doing what I want to do now?

  1. Support Staff 1 Posted by Luke Le on 11 Dec, 2012 07:11 PM

    Hi Anders,

    If you have MacGPG2 > 2.0.17, gpg-agent is started on demand and I think that should work for you.

    You might wanna download the MacGPG 2.0.19 installer from our nightly page at https://nightly.gpgtools.org

    Let us know if that works!

  2. 2 Posted by anders on 11 Dec, 2012 07:18 PM

    Thank you for the quick response.

    When I type "ssh [email blocked]", how would gpg-agent get launched?

    Also, I'm using version 2.0.19 according to gpg --version, which I got from the installer available to donors, should I still install the nightly build?

  3. Support Staff 3 Posted by Luke Le on 11 Dec, 2012 07:22 PM

    Aah ok, I think I misunderstood you before.
    I'll have a look into it and let you know when I know more.

    If you have 2.0.19 already there's no need to update.

  4. Support Staff 4 Posted by Luke Le on 11 Dec, 2012 07:35 PM

    First you need to ensure that the enable-ssh-support option is added to your gpg-agent.conf

    Do this by running the following command

    echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
    

    And then create a ~/.profile file with the following commands

    # Start a gpg-agent with SSH support and have it record its socket
    # paths and PID in ~/.gpg-agent-info (--write-env-file is a gpg-agent
    # 2.0.x option that later versions no longer honour).
    gpg-agent --daemon --enable-ssh-support \
        --write-env-file "${HOME}/.gpg-agent-info"

    # Import the variables the agent just wrote so that gpg and ssh in this
    # shell (and anything launched from it) can find the agent.
    if [ -f "${HOME}/.gpg-agent-info" ]; then
        . "${HOME}/.gpg-agent-info"
        export GPG_AGENT_INFO
        export SSH_AUTH_SOCK
        export SSH_AGENT_PID
    fi

    # Tell pinentry which terminal to use for the passphrase prompt.
    GPG_TTY=$(tty)
    export GPG_TTY


    If a gpg-agent is already running a new one will NOT be started, but otherwise it takes care of starting it for you.

  5. 5 Posted by anders on 11 Dec, 2012 07:54 PM

    This will only work for console applications though, won't it? I have a few graphical applications which use ssh, specifically Coda. It would be a nice-thing(tm) if they also were able to use gpg-agent, which would require them to be aware of the environment variables exported in the code snippet above.

    Looking further into it, it seems OSX does a bit of trickery with ssh-agent to make this work. It creates a temporary socket and launches ssh-agent only when the socket is accessed. I assume ssh-agent has some special code in it from Apple to handle this.

    I notice that gpg-agent actually has a --launchd switch too though, does it support similar behavior?

  6. Support Staff 6 Posted by Luke Le on 11 Dec, 2012 09:52 PM

    Once the gpg-agent is properly setup to use the ssh keys I think all of this should work automatically.

    Not sure, however, if the way Coda creates the SSH connection is compatible with the gpg-agent since, if I'm not mistaken, they don't use the ssh binary but use a custom library with SSH capability built in.

  7. 7 Posted by anders on 12 Dec, 2012 10:49 AM

    Having tried the solution given above for some time, it doesn't seem to work as intended.

    If I close the console window, then start a new one, gpg-agent will not be used. gpg-agent is running and the environment variables are set correctly. It just simply doesn't work. :)

  8. Support Staff 8 Posted by Luke Le on 12 Dec, 2012 10:51 AM

    I think it's necessary that we start from the very beginning here again :)
    What have you done so far to have gpg-agent working with your ssh keys?

    Best would be a step by step guide of what you did, so I can try to follow along and help you better debug this.

  9. 9 Posted by anders on 12 Dec, 2012 11:05 AM

    Hmm, it has become quite a few steps now, let's see... :-)

    • I've created an authentication subkey in GnuPG.
    • gpgkey2ssh is used on the authentication key and the output is put in authorized_keys on the ssh server.
    • I've put the code snippet above in my .profile file. I've verified that it runs correctly.
    • ssh myserver.com will then, when run from the console window that first spawned gpg-agent (through the .profile code above), cause gpg-agent to ask me for my PIN, and seems to work fine.

    If this window is closed and a new one opened, it reads the environment file written by the initial run of .profile and sets the environment variables from it. gpg-agent is still running at this point, but will refuse to serve any applications even though they seem to have the correct environment variables.

    I think I'm just going to give up on the ssh authentication project for now and revisit it later. I feel I need to learn more about the basics of GnuPG before I venture into advanced territory. :-)
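The .profile snippet from reply 4 and the stale-environment symptom in reply 9 both turn on the same question: is the agent named in ~/.gpg-agent-info still alive before a new shell trusts it? The script below is an added example, not code from this thread or from GPGTools. It assumes gpg-agent 2.0.x, whose --write-env-file writes three lines (GPG_AGENT_INFO=..., SSH_AUTH_SOCK=..., SSH_AGENT_PID=...), and it checks the recorded PID, the socket path, and whether ssh-add can actually talk to that socket before either reusing the agent or starting a fresh one. The file name and the function names are this example's own choices. It does not explain why a running agent with correct variables refused anders's new windows; it only rules out a stale env file or a duplicate agent as the cause.

```sh
#!/bin/sh
# Added example (not from the thread): reuse a live gpg-agent recorded in
# ~/.gpg-agent-info, or start a fresh one, instead of blindly starting
# gpg-agent on every login. Assumes gpg-agent 2.0.x, whose --write-env-file
# writes three lines: GPG_AGENT_INFO=..., SSH_AUTH_SOCK=..., SSH_AGENT_PID=...

ENV_FILE="${HOME}/.gpg-agent-info"   # same file name as in reply 4

# Print the value of KEY from a KEY=VALUE env file; empty if absent.
env_file_get() {            # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1
}

# Succeed if a process with this PID exists (kill -0 sends no signal).
pid_alive() {               # $1 = pid
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# Succeed if something answers on the socket. ssh-add -l exits 0 when the
# agent lists keys, 1 when it has none, and 2 when it cannot reach an agent.
agent_answers() {           # $1 = socket path
    command -v ssh-add >/dev/null 2>&1 || return 1
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Succeed only if the env file names a live PID, an existing socket, and
# that socket actually serves the ssh-agent protocol.
agent_info_valid() {        # $1 = env file
    _pid=$(env_file_get "$1" SSH_AGENT_PID)
    _sock=$(env_file_get "$1" SSH_AUTH_SOCK)
    pid_alive "$_pid" && [ -S "$_sock" ] && agent_answers "$_sock"
}

# Export the agent variables from an env file we have already validated.
use_agent_info() {          # $1 = env file
    . "$1"
    export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
}

# Entry point for ~/.profile: reuse the recorded agent or start a new one.
start_or_reuse_agent() {
    if agent_info_valid "$ENV_FILE"; then
        use_agent_info "$ENV_FILE"
    else
        rm -f "$ENV_FILE"   # stale file: do not let gpg-agent read it
        gpg-agent --daemon --enable-ssh-support \
            --write-env-file "$ENV_FILE" >/dev/null 2>&1 &&
            use_agent_info "$ENV_FILE"
    fi
    GPG_TTY=$(tty)
    export GPG_TTY
}
```

Source this file from ~/.profile and call start_or_reuse_agent at the end; the point of checking with ssh-add rather than only testing that the socket file exists is that a socket left behind by a dead agent still passes the -S test but nothing answers on it.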

  10. Support Staff 10 Posted by Luke Le on 12 Dec, 2012 11:25 AM

    What you're doing looks all correct so far, one question though, why not simply use ssh keys for the pub key authentication?

  11. 11 Posted by anders on 12 Dec, 2012 11:28 AM

    Because I like exploring new possibilities. Even if they don't always work out quite like I had originally hoped.

    But like I said, I'm probably going to stick with ssh keys for now.

  12. 12 Posted by anders on 12 Dec, 2012 11:34 AM

    I'll just close this discussion. I really appreciate the very quick responses you guys have given me. :)

  13. anders closed this discussion on 12 Dec, 2012 11:34 AM.

  14. Luke Le re-opened this discussion on 12 Dec, 2012 11:38 AM

  15. Support Staff 13 Posted by Luke Le on 12 Dec, 2012 11:38 AM

    Now where's the fun in that!
    I've just found an article which might give more insight.
    Reading through it as we speak

  16. 14 Posted by anders on 12 Dec, 2012 11:44 AM

    While there are quite a few articles on the subject of ssh authentication with GnuPG, they all seem to make the assumption that you run Linux, which allows you to share gpg-agent in a much easier way between applications than what OSX does.

  17. Support Staff 15 Posted by Luke Le on 12 Dec, 2012 12:02 PM

    Alright, so basically let's follow this guide and I will try to find a way to use monkeysphere subkey_to_ssh_agent without actually having to install monkeysphere since it seems very linux centric.

    http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

  18. Steve closed this discussion on 20 Jan, 2013 08:00 PM.