Ssh – gpg-agent refuses SSH keys with ssh-add reporting “agent refused operation”

gpg-agentopensshssh-agent

I'm using openssh7.5p1 and gnupg 2.1.21 on arch linux (these are the default versions that come with arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-qt
enable-ssh-support

Arch automatically starts a gpg-agent from systemd, so I set

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"

When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.

Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:

$ ssh-keygen -f testkey -t dsa -N ''
Generating public/private dsa key pair.
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
$ ssh-add testkey
Could not add identity "testkey": agent refused operation

All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.

The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.

My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?

Best Answer

The answer was apparently to run:

echo UPDATESTARTUPTTY | gpg-connect-agent

I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.

While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.

Getting GPG working with SSH.

You've done the first step, enabling-ssh-support in your gpg-agent.conf

But, you haven't supplied any PGP keys to use. In order to use PGP keys with ssh, you've got to export the public key in ssh format and add that to your remote host's ~/.ssh/authorized_keys file. Then add the keygrip of the private key to the file ~/.gnupg/sshcontrol.

To export a PGP public key as ssh:

$gpg -a --export-ssh-key [keyid]

To view a PGP keygrip: $gpg --with-keygrip --list-secret-keys [keyid]

I usually create a suitable subkey for use with SSH. If you are using GPG 2.2.1 then you can even use ED25519.

$gpg --expert --edit-key [keyid]
    gpg> addkey
        Option 11 for ECC
        Option A to add authentication
        Option 1 for Curve 25519
        Expire never
        Create yes
    gpg> save

Then export just the authentication subkey:

$gpg -a --export-ssh-key [auth subkeyid]!

The exclamation point selects just the indicated subkey.

You will also need to make sure the environment variables are set in your ~/.bashrc ... If you are running an Xwindow client, this is usually done for you via /etc//X11/Xsession.d/90gpg-agent with the following bash script:

agent_sock=$(gpgconf --list-dirs agent-socket)
export GPG_AGENT_INFO=${agent_sock}:0:1
if [ -n "$(gpgconf --list-options gpg-agent | \
      awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
fi

Once you've ensured the environment variables are set, any keygrips added to the ~/.gnupg/sshcontrol file will appear as authentication keys in the ssh-agent when you list the available identities:

$ssh-add -l

Note, you can change the shown hash via the -E option to show MD5 or SHA256.

Configuring SSH to use certificates

This is a rather complex question. Red Hat has a detailed walkthrough here:

Redhat SSH CA Tutorial

End

It's unclear if it's possible to use PGP keys as the SSH CA keys. I haven't tried that myself. However, I do use PGP keys on the client side. I find that it makes life very easy and is less cumbersome to manage SSH identities than using ssh-genkey generated keys.

SSH – Pinentry Fails with GPG-Agent and SSH

Well, this worked for me:

export GPG_TTY=`tty`

add this to your .bashrc or just kick it before using gpg.

Best Answer

Related Solutions

SSH + Certificate Authority server

Getting GPG working with SSH.

Configuring SSH to use certificates

End

SSH – Pinentry Fails with GPG-Agent and SSH

Related Question