Use OpenPGP Keys for OpenSSH, how to use gpg with ssh

This is www.programmierecke.net, section howto, feedback to: segler_alex AT web DOT de
My test system is Ubuntu Lucid 10.04

Disable gnome keyring for GPG and SSH in Ubuntu 11.10

This applies to all things below if you are using Ubuntu 11.10.
To disable the keyring services you have to look at /etc/xdg/autostart. I just renamed "gnome-keyring-ssh.desktop" -> "gnome-keyring-ssh.nostart" and "gnome-keyring-gpg.desktop" -> "gnome-keyring-gpg.nostart"

Without smartcard

Further reading: http://web.monkeysphere.info/getting-started-user/

change agent to gpg-agent

You do not have to do this, but with every other agent you have to register your key again in each login session.
gpg-agent remembers a key once it has been added, so you never have to register it again.
Without gpg-agent you have to run "monkeysphere s" again in every login session.

DON'T do this on Ubuntu 10.04! Ubuntu 10.04 ships a broken version of gpg-agent: 2.0.14. DON'T use this version on any other distribution either; it will not work. gpg-agent 2.0.14 has a bug (https://bugs.g10code.com/gnupg/issue1184, Bug on Launchpad). Use ssh-agent or gnome-keyring-daemon instead.
# install gpg-agent
apt-get install gnupg-agent

# deactivate gnome-keyring-daemon ssh-agent dropin-replacement, we want only gpg-agent
# VERY OLD versions of ubuntu (uses gconf settings for autostart)
gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
# newer ubuntu < 12.04 (uses xdg autostart)
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-gpg.desktop
# ubuntu >= 12.04 (uses upstart override)
echo manual >> ~/.config/upstart/gnome-keyring.override

# maybe you have to deactivate ssh-agent too,
# if you are using some older ubuntu version, or ssh-agent keeps interfering
# this is done somewhere in /etc/X11/Xsession.options

# configure gpg to use the agent (only needed for the smartcard setup)
echo "use-agent" >> ~/.gnupg/gpg.conf

# enable ssh-agent drop in replacement support for gpg-agent
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

# on ubuntu >= 13.10 (uses upstart) you have to override the broken gpg-agent start script
mkdir ~/.init
wget http://www.programmierecke.net/howto/gpg-agent.conf -O ~/.init/gpg-agent.conf

# logout, login
# gpg-agent should now start
# check with:
ps aux | grep gpg-agent
# check gpg-agent ssh-features
set | grep SSH

register key with your agent

# install the package "monkeysphere" for this; it makes the following steps easier.
sudo apt-get install monkeysphere

# secure gnupg homedir
chmod -R go-rwx ~/.gnupg

# create authentication subkey
#  only do this if you haven't created an authentication subkey yet
monkeysphere g

# export gpg key to agent
monkeysphere s
# check if the key got added to the agent.
# this command should show your added key.
ssh-add -l

# search for authentication subkey-id
# one of the subkeys displayed now has "usage: A" (authentication)
gpg --edit-key mail@example.com
quit

# EXAMPLE output of gpg --edit-key mail@...
# in this example the authentication subkey-id is "695A85B3"
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/D3C38CEA  created: 2010-04-24  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/A2172965  created: 2010-04-24  expires: never       usage: E   
sub  2048R/695A85B3  created: 2010-04-24  expires: never       usage: A

# create authorized keys file
# replace "12345678" with your authentication subkey-id from above
gpgkey2ssh 12345678 >> ~/authorized_keys

# move authorized_keys file to computer with openssh-server
scp ~/authorized_keys user@testhost:/home/user/.ssh/

# testing ssh
ssh -v user@testhost

# it should work now
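Picking the authentication subkey-id out of the --edit-key listing by eye works, but it is easy to copy the wrong line. The following is an added example, not part of the original howto: it reads the machine-readable "gpg --list-keys --with-colons" output (a constructed sample is embedded below, using the same key ids as the listing above), prints the 8-character id of the subkey with the "a" capability, and checks whether SSH_AUTH_SOCK points at gpg-agent's socket (the "S.gpg-agent.ssh" name is assumed to be what gpg-agent 2.0 with enable-ssh-support publishes). The final gpgkey2ssh step is only printed, not executed.

```shell
# Added example (not from the original howto): locate the authentication
# subkey id from gpg's colon-separated listing instead of reading it by
# eye, and check that the SSH agent socket in the environment is gpg-agent's.

# Constructed sample of "gpg --list-keys --with-colons mail@example.com".
# Field 5 is the long key id, field 12 holds the capability letters
# (s=sign, c=certify, e=encrypt, a=authenticate). The key ids mirror the
# howto's --edit-key output; the leading digits and the uid hash are made up.
SAMPLE_LISTING='pub:u:2048:1:0123456789D3C38CEA:1272067200:::u:::scESC::
uid:u::::1272067200::0000000000000000000000000000000000000000::Max Mustermann <mail@example.com>::
sub:u:2048:1:0123456789A2172965:1272067200::::::e::
sub:u:2048:1:0123456789695A85B3:1272067200::::::a::'

# Read a colon listing on stdin; print the short (8 hex digit) id of the
# first subkey carrying the "a" capability. Prints nothing and returns 1
# when the key has no authentication subkey ("monkeysphere g" not run yet).
find_auth_subkey() {
    awk -F: '$1 == "sub" && index($12, "a") > 0 {
                 print substr($5, length($5) - 7); found = 1; exit
             }
             END { exit found ? 0 : 1 }'
}

# Assumption: gpg-agent started with enable-ssh-support exports
# SSH_AUTH_SOCK=/tmp/gpg-XXXXXX/S.gpg-agent.ssh; gnome-keyring and plain
# ssh-agent use other socket names. This is the check behind "set | grep SSH".
agent_socket_is_gpg() {
    case "$1" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample.
keyid=$(printf '%s\n' "$SAMPLE_LISTING" | find_auth_subkey) || {
    echo "no authentication subkey found, create one first" >&2
    exit 1
}
echo "authentication subkey id: $keyid"
if agent_socket_is_gpg "${SSH_AUTH_SOCK:-}"; then
    echo "SSH_AUTH_SOCK points at gpg-agent"
else
    echo "SSH_AUTH_SOCK is not gpg-agent's socket (or unset)"
fi
echo "next step: gpgkey2ssh $keyid >> ~/authorized_keys"
```

On a real system replace the sample with `gpg --list-keys --with-colons mail@example.com | find_auth_subkey`; the function returns non-zero instead of an empty id when no "usage: A" subkey exists, so a script cannot silently build an empty authorized_keys line.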

with smartcard (openpgp)

Some Links

step by step

Don't install or use monkeysphere here; it does not work with authentication keys on smartcards.
# install needed packages
# the gpgsm package is needed because it contains "scdaemon", the smartcard daemon
apt-get install gpgsm
# gpg-agent is needed because it is the only way to use an authentication subkey directly from the smartcard
apt-get install gnupg-agent

# deactivate gnome-keyring-daemon ssh-agent dropin-replacement, we want only gpg-agent
# VERY OLD versions of ubuntu (uses gconf settings for autostart)
gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
# newer ubuntu < 12.04 (uses xdg autostart)
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-gpg.desktop
# ubuntu >= 12.04 (uses upstart override)
echo manual >> ~/.config/upstart/gnome-keyring.override

# maybe you have to deactivate ssh-agent too, (not required on ubuntu 10.04)
# if you are using some older ubuntu version, or ssh-agent keeps interfering
# this is done somewhere in /etc/X11/Xsession.options

# configure gpg to use agent (only for smartcard)
echo "use-agent" >> ~/.gnupg/gpg.conf

# enable ssh-agent drop in replacement support for gpg-agent
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

# on ubuntu >= 13.10 (uses upstart) you have to override the broken gpg-agent start script
mkdir ~/.init
wget http://www.programmierecke.net/howto/gpg-agent.conf -O ~/.init/gpg-agent.conf

# logout, login
# gpg-agent should now start automatically
# check with:
ps aux | grep gpg-agent
# check gpg-agent ssh-features
set | grep SSH

# import the key from the smartcard
# only do this if you haven't imported the key from your smartcard yet, or if you are on another computer
gpg --card-edit
fetch
quit

# calling gpg a second time is needed so that gpg fully recognizes the key on the card
# remember the last 8 characters of the line starting with "Authentication key:"
# this is your authentication subkey-id, it is needed later
gpg --card-status

# secure gnupg homedir
chmod -R go-rwx ~/.gnupg

# update authorized keys file
# replace "12345678" with your authentication subkey-id from above
gpgkey2ssh 12345678 >> ~/authorized_keys

# this file has to be copied to the computer with the openssh-server
scp ~/authorized_keys user@testhost:/home/user/.ssh/

# testing ssh, it should ask for a PIN now, if you have one
ssh -v user@testhost

# it should work now

bugs I encountered

* DON'T try to use the smartcard if it is not connected. It will break scdaemon and you will either have to log out and log in again or run "killall -9 scdaemon". This is what happens after reconnecting the smartcard:
# gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error
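The "remember the last 8 characters of the Authentication key line" step above and the scdaemon failure just shown are both things a script can handle. The following is an added example, not part of the original howto: it parses "gpg --card-status" output (constructed samples are embedded; the fingerprints are made up and only their last 8 digits match the ids used earlier), returns the authentication subkey-id, and reports the "OpenPGP card not available" condition with a distinct return code so the caller can apply the howto's "killall -9 scdaemon" workaround once instead of retrying blindly. The "card_auth_keyid_live" function assumes gpg and killall are on the PATH and is not run by the sample.

```shell
# Added example (not from the original howto): extract the authentication
# key id from "gpg --card-status" output and recognise the broken-scdaemon
# state described in "bugs I encountered".

# Constructed sample of a successful card-status run (GnuPG 1.4/2.0 layout,
# made-up fingerprints whose last 8 digits match the ids used in the howto).
CARD_STATUS_OK='Application ID ...: D2760001240102000005000011110000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00001111
Name of cardholder: Max Mustermann
Signature key ....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF D3C3 8CEA
      created ....: 2010-04-24 12:00:00
Encryption key....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF A217 2965
      created ....: 2010-04-24 12:00:00
Authentication key: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 695A 85B3
      created ....: 2010-04-24 12:00:00'

# The failure output quoted in the howto, as gpg prints it on stderr.
CARD_STATUS_BROKEN='gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error'

# Read card-status output (stdout and stderr merged) on stdin.
# Prints the short id of the authentication key and returns 0;
# returns 2 when the output shows the "card not available" condition
# (scdaemon needs a restart); returns 1 when no authentication key is
# listed, e.g. "[none]" on a blank card.
card_auth_keyid() {
    awk '
        /OpenPGP card not available/ { broken = 1 }
        /^Authentication key:/ {
            fp = $0
            sub(/^Authentication key: */, "", fp)
            gsub(/ /, "", fp)
            if (fp != "[none]" && length(fp) >= 8) {
                print substr(fp, length(fp) - 7)
                found = 1
            }
        }
        END { exit broken ? 2 : (found ? 0 : 1) }'
}

# Real-system variant (assumes gpg and killall on PATH, not run here):
# one retry after the howto's "killall -9 scdaemon" workaround.
card_auth_keyid_live() {
    out=$(gpg --card-status 2>&1) || true
    if keyid=$(printf '%s\n' "$out" | card_auth_keyid); then rc=0; else rc=$?; fi
    if [ "$rc" -eq 2 ]; then
        killall -9 scdaemon 2>/dev/null || true
        out=$(gpg --card-status 2>&1) || true
        if keyid=$(printf '%s\n' "$out" | card_auth_keyid); then rc=0; else rc=$?; fi
    fi
    [ "$rc" -eq 0 ] && printf '%s\n' "$keyid"
    return "$rc"
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$CARD_STATUS_OK" | card_auth_keyid
printf '%s\n' "$CARD_STATUS_BROKEN" | card_auth_keyid || echo "scdaemon needs a restart (rc=$?)"
```

The distinct return code matters because the howto's failure mode persists until scdaemon is killed; a script that only checks for an empty key id would loop on a condition that never clears by itself.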