Maintaining SSH login credentials is an important part of every administrator’s security protocol. Here we show you how you can reduce the number of keys you maintain by linking your SSH login to your GPG key.
Content
- Why Use GPG Keys for Logging In to SSH
- Preparing Your GPG Key for SSH
- Enabling SSH Support in GPG
- Exporting and Testing Your GPG Key
Get started: learn how you can first enable passwordless logins with SSH.
Why Use GPG Keys for Logging In to SSH
One of the advantages of using GPG keys for an SSH login is that it’s easy to move between hosts. Every operating system today has either a GUI or CLI tool that interacts with GPG. For instance, GNU Kleopatra is available for Linux and Windows, and the GnuPG tool is available in both Linux and macOS.
Another advantage of GPG keys is that, unlike SSH keys, you can use them for a variety of security-related tasks. On top of SSH, you can generate additional subkeys for signing emails and encrypting files. As such, GPG keys allow you to consolidate a large part of your digital life into a handful of easy-to-maintain secure bits.
Lastly, using GPG over SSH won’t change any existing infrastructure on your remote machines. This is because GPG converts its authentication key into an “SSH-compatible” format. As a result, you can export your “SSH-compatible” GPG public key to an SSH server and immediately use it to log in.
On a side note: learn how you can secure your Github account using SSH keys.
Preparing Your GPG Key for SSH
The first step in using GPG keys on SSH is to create a new subkey. Doing this will allow you to share your SSH authentication details without compromising your primary GPG identity.
Start by opening a GPG prompt for your main key:
gpg --expert --edit-key YOUR-KEY@EMAIL.ADDRESS
Note: you can find the email address for your main key by listing the contents of your keyring: gpg --list-keys
Type “addkey” on the GPG prompt, select “8,” then press Enter.
Set the capability of your subkey to “=A” then press Enter.
Type “4096” on the keysize prompt, then press Enter.
Set a reasonable length of time for your subkey’s validity. In my case, I will type “1y” to make my new subkey valid for only one year.
Create your new GPG subkey by typing “y,” then pressing Enter on the wizard’s confirm prompt.
Type “quit,” then press Enter to exit the GPG prompt.
Confirm that your new subkey is working properly by pulling the details of your main key:
gpg --list-keys YOUR-KEY@EMAIL.ADDRESS
Enabling SSH Support in GPG
With your subkey up and running, you can now configure your SSH daemon to accept incoming gpg-agent requests. To do that, append “enable-ssh-support” to your current user’s “gpg-agent.conf” file:
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
Open your “.bashrc” file using your favorite text editor:
nano ~/.bashrc
Paste the following lines of code at the end of your .bashrc file:
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
Save your bashrc file, then print your subkey’s keygrip:
gpg --list-keys --with-keygrip
Copy your subkey’s keygrip, then create an “sshcontrol” file under the .gnupg directory:
nano ~/.gnupg/sshcontrol
Paste your identity’s keygrip inside the new file, then save it.
Apply your new SSH and GPG config by reloading your bashrc file on the current terminal session:
source ~/.bashrc
Test if your SSH daemon is now working properly by listing its public SSH key:
ssh-add -l
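As an added example (not part of the original tutorial), the following POSIX shell functions automate the keygrip step above: they pick the [A] subkey’s keygrip out of gpg’s machine-readable listing, add it to an sshcontrol file without duplicates, and check that enable-ssh-support is present in gpg-agent.conf. The gpg listing is constructed sample data with made-up key IDs, fingerprints and keygrips.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-keygrip --with-colons`
# (all IDs, fingerprints and keygrips are made up): a primary key with
# [SCA] capabilities, an [E] subkey and the [A] subkey we want for SSH.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::scESCA::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
grp:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000:1731536000:::::e::::::23:
fpr:::::::::445566778899AABBCCDDEEFF0011223344556677:
grp:::::::::BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111:
sub:u:4096:1:0F1E2D3C4B5A6978:1700000000:1731536000:::::a::::::23:
fpr:::::::::8899AABBCCDDEEFF00112233445566778899AABB:
grp:::::::::CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222:'

# Print the keygrip of every subkey whose capability field (field 12)
# contains "a" (authenticate). The primary key's keygrip is skipped on
# purpose: only a dedicated [A] subkey should be handed to the SSH agent.
# Each "grp" record follows the key record it belongs to, so remember
# whether the record just seen was an [A] subkey.
auth_subkey_keygrips() {
    awk -F: '
        $1 == "pub" { want = 0 }
        $1 == "sub" { want = ($12 ~ /a/) }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Append keygrips read from stdin to an sshcontrol-style file (one keygrip
# per line, the format the tutorial has you write by hand), skipping any
# keygrip that is already listed so repeated runs stay idempotent.
append_to_sshcontrol() {
    file=$1
    touch "$file"
    while IFS= read -r grip; do
        [ -n "$grip" ] || continue
        grep -qx "$grip" "$file" || printf '%s\n' "$grip" >> "$file"
    done
}

# Succeed only when gpg-agent.conf carries enable-ssh-support on a line of
# its own; without it the agent never opens the SSH socket.
ssh_support_enabled() {
    grep -qx 'enable-ssh-support' "$1"
}

# Demo on the constructed listing. On a live system, pipe the real gpg
# command into auth_subkey_keygrips and point append_to_sshcontrol at
# "$HOME/.gnupg/sshcontrol" instead of a temporary file.
printf '%s\n' "$SAMPLE_LISTING" | auth_subkey_keygrips
```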
Exporting and Testing Your GPG Key
At this point, you now have an SSH daemon that’s properly linked to your GPG agent. To use it, generate the SSH export key using the following command:
gpg --export-ssh-key YOUR-KEY@EMAIL.ADDRESS > ~/authorized_keys
Set the export key’s permission bits to be only user-readable and writable:
chmod 600 ~/authorized_keys
Send your new authorized_keys file to your remote server using scp (this replaces any authorized_keys file already present in the remote ~/.ssh directory):
scp ~/authorized_keys YOUR-REMOTE.SERVER.DOMAIN:~/.ssh/authorized_keys
Login to your remote server, then restart the SSH daemon to apply your new key:
sudo systemctl restart ssh.service
Press Ctrl + D, then log back in to your remote SSH server. This should bring up a new prompt asking for your main GPG key’s password.
Linking your GPG key to your SSH daemon and exporting it to a remote server are just some of the things that you can do with SSH. Explore what you can do with this wonderful piece of software by using SSH with UNIX pipes in Linux.
Image credit: rivage via Unsplash. All alterations and screenshots by Ramces Red.
Ramces Red, Staff Writer
Ramces is a technology writer who has lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character who writes articles about Linux and anything *nix.