SSH SmartCard authentication with MacGPG


robin

27 Oct, 2013 03:11 PM

Hi there,
I'm running the latest version of MacGPG on OS X 10.9 (thanks for making this available so soon!!!)
I just purchased an OpenPGP SmartCard and moved all my subkeys to it, which appears to be working just fine for signing / encrypting even with the Mail plugin.
One other thing I'd now like to do is authenticate via SSH using the SmartCard, so I added this to ~/.gnupg/gpg-agent.conf:
enable-ssh-support

I restarted the agent and even my Mac, but it seems like the key on the SmartCard isn't recognized by SSH. When running ssh-add -l I get this:
The agent has no identities.

I think it would be possible to add this using a PKCS#11 provider file, using ssh-add -s. However, I can't currently do this because I don't know whether such a PKCS#11 provider file exists in MacGPG and if this would even be the proper way of handling this issue.
Please, could someone advise me on how / if using a SmartCard for SSH authentication is possible on Mac OS?
Many thanks, keep up the amazing work!
Robin

  1. 1 Posted by ltning-gpgtools on 27 Oct, 2013 04:53 PM


    Hey!
    I've been doing this with both regular OpenPGP cards and with the Yubikey NEO (which has an openpgp "card" integrated). I've done it both using the GPGTools-bundled gnupg and with the one from (home)brew (gpg2).

    Some hints:
    Add
    --write-env-file ~/.gpg-agent-info
    to the startup parameters of gpg-agent, or add it to the gpg-agent.conf file. That way you just need to source that file (. ~/.gpg-agent-info) and export the needed variables (export SSH_AUTH_SOCK) for ssh to work.

    Then list the keys on your card, and use the ID of the authentication key with
    gpgkey2ssh <key ID>
    That's the public key you want to stick into the authorized_keys file on the remote server.

    Note that if you remove and re-insert your card/reader, scdaemon (part of gnupg) can be a bit fidgety, so just killall -9 scdaemon and re-insert the card if needed.

    If you choose to use home-brew's gnupg2 instead of the gnupg that ships with gpgtools, make sure you remove the latter, brew install gnupg2, and then add this to gpg-agent.conf:
    pinentry-program /Library/Frameworks/Libmacgpg.framework/Versions/B/Resources/pinentry-mac.app/Contents/MacOS/pinentry-mac

    I'll leave it as an exercise for the reader how to get gpg-agent to start automatically on login (personally I rely on simply opening a terminal at some point, as that will launch gpg-agent for me -- see my .profile below).

    # Put the Homebrew / MacGPG binaries first on the PATH.
    PATH="/usr/local/bin:/usr/local/sbin:$PATH"

    # Start gpg-agent (ssh support is enabled in gpg-agent.conf) and have it
    # write its connection variables to a file we can source.
    gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info"
    if [ -f "${HOME}/.gpg-agent-info" ]; then
      . "${HOME}/.gpg-agent-info"
      export GPG_AGENT_INFO
      export SSH_AUTH_SOCK
      export SSH_AGENT_PID
    fi

    # Tell gpg/pinentry which terminal to talk to.
    GPG_TTY=$(tty)
    export GPG_TTY

    . ~/.bashrc
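As an added example (not ltning's code and not part of GPGTools), here is a small POSIX sh helper for the "source ~/.gpg-agent-info and export SSH_AUTH_SOCK" step described above. The env-file layout shown in its comments is constructed from the variable names the post exports; the helper goes one step beyond the .profile snippet and checks that the agent PID recorded in the file is still alive before exporting a socket path, so a stale file left over from an earlier login does not leave ssh pointing at a dead socket, and a second agent is not launched when one is already running. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from GPGTools. It assumes
# gpg-agent was started as in the post above:
#   gpg-agent --daemon --write-env-file "$HOME/.gpg-agent-info"
# which writes a file of the (constructed, illustrative) form:
#   GPG_AGENT_INFO=/tmp/gpg-AbCdEf/S.gpg-agent:12345:1
#   SSH_AUTH_SOCK=/tmp/gpg-AbCdEf/S.gpg-agent.ssh
#   SSH_AGENT_PID=12345

# Print the value of variable $2 from env file $1; exit status 1 if absent.
env_file_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | grep .
}

# Source the env file and export what ssh needs, but only if the agent PID
# recorded in it is still alive. Returns 1 when the file is missing, lacks
# the PID, or the agent is gone, so the caller can start a fresh agent
# instead of trusting a stale socket path.
load_gpg_agent_env() {
    envfile="${1:-$HOME/.gpg-agent-info}"
    [ -f "$envfile" ] || return 1
    pid=$(env_file_value "$envfile" SSH_AGENT_PID) || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    . "$envfile"
    export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
    return 0
}

# Report whether ssh will actually reach the agent: prints the socket path
# and returns 0, or returns 1 when SSH_AUTH_SOCK is unset or not a socket.
ssh_agent_socket_status() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    printf '%s\n' "$SSH_AUTH_SOCK"
}

# Typical .profile usage (left commented so this file runs stand-alone):
# load_gpg_agent_env || eval "$(gpg-agent --daemon --write-env-file "$HOME/.gpg-agent-info")"
# ssh_agent_socket_status >/dev/null || echo "gpg-agent ssh socket not available" >&2
```

Once load_gpg_agent_env succeeds, ssh-add -l should list the card's authentication key; the gpgkey2ssh step from the post is not scripted here because it needs the card and gpg installed, and its output is simply pasted into authorized_keys on the remote host.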

  2. 2 Posted by robin on 28 Oct, 2013 06:53 PM


    Hi there,
    thanks a lot for your instructions!
    I've tried, but the --write-env-file ~/.gpg-agent-info option has no effect on my system. I've tried killing and restarting the agent, but no file is created in my home directory... It almost seems like the option is being ignored, because I also tried calling gpg-agent with that option but still no luck, and no error or the like was given. I added the parameter (without the --) to my ~/.gnupg/gpg-agent.conf and then restarted my Mac to be 100% sure, but nothing happened :-(
    Any other ideas? I’m not sure what the Homebrew GPG you’re referring to is unfortunately, and am currently using the version of GnuPG provided with MacGPG.
    Thanks!
    Robin

  3. 3 Posted by ltning-gpgtools on 28 Oct, 2013 07:19 PM


    Hey,
    try without the ~ - use ${HOME} or simply full path to the file you want to create.
    /Eirik

  4. 4 Posted by robin on 28 Oct, 2013 07:54 PM


    Hey Eirik,
    oh wow, that was a complete no brainer on my end - sorry about that!!! Putting in the full path worked perfectly… I then followed your remaining instructions, and now this works beautifully :-)
    Many thanks!!!
    Robin

  5. Support Staff 5 Posted by Steve on 28 Oct, 2013 09:27 PM


    Open Support platform as it should be :)

    Awesome community! Thanks ltning for your help.

    I'm closing this discussion. Robin, if you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best, steve

  6. Steve closed this discussion on 28 Oct, 2013 09:27 PM.
