On Wed, 22 Nov 2023 19:39, Felix E. Klee said:
> However, I could not log in. SSH reports:
>
>     Permission denied (publickey).
You need to make sure that the gpg-agent is running and the SSH_AUTH_SOCK
envvar is set correctly. Here is the snippet from my ~/.bashrc

--8<---------------cut here---------------start------------->8---
# Setup information required by GnuPG and ssh.  We use the
# standard socket in GnuPG's homedir, thus there is no need for an
# environment variable.  We reset any left over envvar.
# SSH_AGENT_PID should not be set either because it is only used
# to kill ssh-agent (option -k) but we don't want this to kill
# gpg-agent.  Because ssh does not know about GnuPG's homedir we
# need to set its envvar to the standard gpg-agent.  GPG_TTY needs
# to be set to the current TTY.  The extra test is used to avoid
# setting SSH_AUTH_SOCK if gpg-agent has been started with a
# shell on the command line (often used for testing).
unset GPG_AGENT_INFO
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
--8<---------------cut here---------------end--------------->8---

In case you are switching to a different X server etc, you may need to run

  gpg-connect-agent updatestartuptty /bye

once. This will also make sure that the agent is launched.

Although gpg-agent by default creates the socket for the ssh-agent
protocol, some distros have a peculiarity that they look into
~/.gnupg/gpg-agent.conf and check whether there is an "enable-ssh-support"
option set. If not, they don't set the envvar (as above) or do their
necessary systemd stuff to create the socket.

> I then tried exporting the key using `ssh-add`:
>
>     ssh-add -L >~/.ssh/id_rsa.pub

ssh-add should have connected to gpg-agent and exported the ssh public
keys it knows. You don't need to put this into id_rsa.pub. I use

> Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
> tied to my authentication key! I noticed this because I replaced the
> authentication key. The key exported by `ssh-add` did not change.
I can

What is in your ~/.gnupg/sshcontrol file? It should list the keygrips of
the keys to be used for ssh.

  gpg -k --with-keygrip yubi...@f76.eu

Instead of putting this into sshcontrol you may also put them into the
private-keys-v1.d/<KEYGRIP>.key file with a line:

  Use-for-ssh: yes

FWIW, you may also use

  Label: My pink token

to have a nicer prompt.

> Should I better use the authentication key exported by GPG for SSH? But
> how to make that work?

  gpg --export-ssh-key

adds a comment with the keyid - is that one correct? Does it match what
you see with ssh-add -L (or ssh-add -l)?

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
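The checks Werner walks through above (is SSH_AUTH_SOCK the gpg-agent socket, does gpg-agent.conf carry enable-ssh-support, is the authentication subkey's keygrip in sshcontrol, and do `gpg --export-ssh-key` and `ssh-add -L` describe the same key) can be scripted. The following is an added example, not code from the thread or from GnuPG itself. Its functions operate on text passed to them so they can be exercised on constructed sample data offline; the `diagnose` wrapper at the end applies them to a live system and is only a convenience. Every file path, sample keygrip and sample key line here is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): offline helpers for the
# gpg-agent-as-ssh-agent checks discussed above. The sample data used in
# comments and in diagnose() are assumptions, not values from the thread.

# 1. SSH_AUTH_SOCK ($1) must equal the socket gpg-agent reports via
#    `gpgconf --list-dirs agent-ssh-socket` ($2).
sock_points_at_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 2. Some distros only wire the socket up when gpg-agent.conf has
#    enable-ssh-support; a commented-out line does not count.
conf_has_ssh_support() {  # $1 = path to gpg-agent.conf
    [ -f "$1" ] && sed 's/#.*//' "$1" |
        grep -qE '^[[:space:]]*enable-ssh-support([[:space:]]|$)'
}

# 3. Keygrips of authentication-capable subkeys ([A], [SA], ...) parsed from
#    `gpg -k --with-keygrip` output on stdin. These belong in sshcontrol.
auth_subkey_keygrips() {
    awk '
        /^(sub|ssb) / && /\[[SCEA]*A[SCEA]*\]/ { want = 1; next }
        /^(pub|sub|sec|ssb|uid) /               { want = 0; next }
        want && /Keygrip = /                    { print $3; want = 0 }
    '
}

# 4. Keygrips enabled in an sshcontrol file (stdin): 40 hex chars at the
#    start of a line. '#' comments and '!'-disabled entries are skipped.
sshcontrol_keygrips() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
        grep -E '^[0-9A-Fa-f]{40}([[:space:]]|$)' |
        awk '{ print toupper($1) }'
}

keygrip_enabled_for_ssh() {  # $1 = keygrip, $2 = path to sshcontrol
    sshcontrol_keygrips < "$2" |
        grep -qx "$(printf '%s' "$1" | tr 'a-f' 'A-F')"
}

# 5. Two OpenSSH public-key lines name the same key iff type and base64 blob
#    match. The trailing comment legitimately differs (gpg writes
#    openpgp:0x<keyid>, ssh-add shows the agent's label), so ignore it.
ssh_key_material() {  # $1 = one public-key line
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

same_ssh_key() {
    [ "$(ssh_key_material "$1")" = "$(ssh_key_material "$2")" ]
}

# Run the checks against the live system (needs gpgconf and gpg on PATH).
diagnose() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found"; return 1; }
    gpghome=$(gpgconf --list-dirs homedir)
    sock=$(gpgconf --list-dirs agent-ssh-socket)
    if sock_points_at_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock"; then
        echo "ok: SSH_AUTH_SOCK -> $sock"
    else
        echo "FAIL: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}', gpg-agent socket is $sock"
    fi
    conf_has_ssh_support "$gpghome/gpg-agent.conf" ||
        echo "note: no enable-ssh-support in $gpghome/gpg-agent.conf"
    for kg in $(gpg -k --with-keygrip 2>/dev/null | auth_subkey_keygrips); do
        if keygrip_enabled_for_ssh "$kg" "$gpghome/sshcontrol"; then
            echo "ok: auth keygrip $kg listed in sshcontrol"
        else
            echo "FAIL: auth keygrip $kg not in sshcontrol (or *.key lacks Use-for-ssh)"
        fi
    done
}

if [ "${1:-}" = "--diagnose" ]; then diagnose; fi
```

Run it as `sh check-gpg-ssh.sh --diagnose` in the shell whose SSH_AUTH_SOCK you are debugging; a FAIL on the socket line means the `~/.bashrc` snippet above has not taken effect in that session, and a FAIL on a keygrip means the authentication subkey is not one of the keys gpg-agent will offer over the ssh-agent protocol, which is exactly the symptom of `ssh-add -L` not changing when the subkey is replaced.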