Old 12-27-2021, 01:08 AM   #1
blueray
Member
 
Registered: Feb 2020
Location: Bangladesh
Distribution: Debian, Ubuntu, Linux Mint
Posts: 136

Rep: Reputation: 2
Enable SSH access using a GPG key for authentication : The agent has no identities


I have followed "How to enable SSH access using a GPG key for authentication" to enable SSH access using a GPG key for authentication. Everything is fine till I reached "ssh-add -L".

The tutorial says:
Quote:
First, you can run ssh-add -L to list your public keys and copy it
manually to the remote host. You can also use ssh-copy-id. From this
perspective, nothing has changed.
But `ssh-add -L` says `The agent has no identities.`

Code:
% ssh-add -L
The agent has no identities.

I have tried

Code:
% eval "$(ssh-agent -s)"
Agent pid 26756
% kill -9 26756
% gpg-connect-agent reloadagent /bye
OK
% systemctl --user restart gpg-agent
% systemctl restart ssh
% systemctl restart sshd
% ssh-add -L
The agent has no identities.

"How to use a GPG key for SSH authentication" says:

Quote:
Restart the GPG agent:

sudo killall gpg-agent
gpg-agent --daemon --write-env-file ~/.gpg-agent-info --enable-ssh-support
source ~/.gpg-agent-info

....

If you see `The agent has no identities`, try the steps to restart the
GPG agent from above.
But running the command has a different error.

Code:
% gpg-agent --daemon --write-env-file ~/.gpg-agent-info --enable-ssh-support
gpg-agent[29055]: WARNING: "--write-env-file" is an obsolete option - it has no effect
gpg-agent: a gpg-agent is already running - not starting a new one

What can I do?
 
Old 12-27-2021, 01:19 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Rep: Reputation: 3726
I would back up a step or two. Skimming through the article, it looks like ssh-agent should not be involved at all:

Quote:
"When you use SSH, a program called ssh-agent is used to manage the keys. To use a GPG key, you'll use a similar program, gpg-agent, that manages GPG keys. To get gpg-agent to handle requests from SSH, you need to enable support by adding the line enable-ssh-support to the ~/.gnupg/gpg-agent.conf."
and later it is written

Quote:
"export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent"
In other words, the SSH_AUTH_SOCK environment variable needs to point to the GPG agent, not to the SSH agent as you show above. Since the gpg-agent utility is completely different, the mention of ssh-add -L seems to be based on the assumption that you already had keys in the regular SSH agent. If you did not, then the output will be empty.

However, you still need to get the public keys into the remote system but that is not related to either agent.

PS. Which shell are you using? The tutorial assumes Bash but if you are using Zsh or Fish or Oil then the location of the changes will be different.

Last edited by Turbocapitalist; 12-27-2021 at 01:20 AM.
 
Old 12-27-2021, 01:26 AM   #3
blueray
Member
 
Registered: Feb 2020
Location: Bangladesh
Distribution: Debian, Ubuntu, Linux Mint
Posts: 136

Original Poster
Rep: Reputation: 2
I am using zsh.

I have put the following on .zshrc

Code:
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

And the following returns S.gpg-agent.ssh

Code:
% gpgconf --list-dirs agent-ssh-socket
/run/user/1000/gnupg/S.gpg-agent.ssh
 
Old 12-27-2021, 02:17 AM   #4
blueray
Member
 
Registered: Feb 2020
Location: Bangladesh
Distribution: Debian, Ubuntu, Linux Mint
Posts: 136

Original Poster
Rep: Reputation: 2
Now I am trying "Using a GPG key for SSH authentication on macOS and Debian"

Code:
% gpg -K --with-keygrip
/home/blueray/.gnupg/pubring.kbx
-------------------------------
sec   rsa2048 2021-12-27 [C] [expires: 2022-12-27]
      83D18930B9C2A3DB0A291B33594FBA8264C150CD
      Keygrip = 5E6B9EFCD40DAAC1E2BB2A94BB3F31EF6DF5C691
uid           [ultimate] Blueray (Private Key) <blueray@yandex.com>
ssb   rsa2048 2021-12-27 [S] [expires: 2022-12-27]
      Keygrip = AA935D52E01F537C11F2674BEC13FD81CBF1164F
ssb   rsa2048 2021-12-27 [E] [expires: 2022-12-27]
      Keygrip = 947B7646570DFE66220970E80843128912DB431B
ssb   rsa2048 2021-12-27 [A] [expires: 2022-12-27]
      Keygrip = 8AF395B5EA69442B0D8424F60FE58D03293AEF1E

Added 8AF395B5EA69442B0D8424F60FE58D03293AEF1E to ~/.gnupg/sshcontrol

Added the following to .zshrc

Code:
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Added enable-ssh-support to ~/.gnupg/gpg-agent.conf

Ran
Code:
$ gpg-connect-agent reloadagent /bye

Still
Code:
% ssh-add -l
The agent has no identities.
 
Old 12-30-2021, 01:40 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Rep: Reputation: 3726
This is a challenging task because of the possible interference by systemd (if present), and the difficulties that GnuPG 2 has with using a pinentry program, combined with hidden or misleading error messages. However, there must be other error messages somewhere; it is a matter of finding where to look for them.

Which distro is this on, including version? The reason for asking is that the distros have different logging and while the error messages might be completely vague or downright misleading, knowing the distro will determine where to look for the error messages.
 
Old 01-03-2022, 10:16 PM   #6
blueray
Member
 
Registered: Feb 2020
Location: Bangladesh
Distribution: Debian, Ubuntu, Linux Mint
Posts: 136

Original Poster
Rep: Reputation: 2
I am using Linux Mint 20.2 and gpg (GnuPG) 2.2.19. However, the problem is solved. I just had to run `ssh-keygen` before running `gpg --full-generate-key --expert` (even though I am using gpg-agent and not ssh-agent). The primary key only allows `Certify`. Subkey allows `Sign Encrypt Authenticate`. Manually writing to ~/.gnupg/sshcontrol and ~/.gnupg/gpg-agent.conf did not work. I had to `enable-ssh-support >> ~/.gnupg/gpg-agent.conf` and `echo 1D9DB03A60DDD3274E34DDDE511CEFF294E5AF8E >> ~/.gnupg/sshcontrol`. Not sure why this weird behavior. But this is what I needed to do to get it working.
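
An offline check of the three settings this thread revolves around (SSH_AUTH_SOCK, enable-ssh-support, and the [A] subkey's keygrip in sshcontrol), added here as an example and not code from any poster or from the tutorials they cite. The function names are this example's own; the "#" comment and "!" disable handling follows the sshcontrol format documented for gpg-agent.

```shell
# Constructed input: listing abridged from post #4. All function names are this example's own.
sample_listing() {
cat <<'EOF'
sec   rsa2048 2021-12-27 [C] [expires: 2022-12-27]
      Keygrip = 5E6B9EFCD40DAAC1E2BB2A94BB3F31EF6DF5C691
ssb   rsa2048 2021-12-27 [S] [expires: 2022-12-27]
      Keygrip = AA935D52E01F537C11F2674BEC13FD81CBF1164F
ssb   rsa2048 2021-12-27 [A] [expires: 2022-12-27]
      Keygrip = 8AF395B5EA69442B0D8424F60FE58D03293AEF1E
EOF
}

# stdin: `gpg -K --with-keygrip` output. Prints keygrips of keys whose usage flags include A.
auth_keygrips() {
  awk '/^(sec|ssb)/     { want = ($4 ~ /A/) }
       $1 == "Keygrip"  { if (want) print $3; want = 0 }'
}

# Classify keygrip $2 in sshcontrol file $1: enabled, disabled ("!" prefix),
# malformed (present but not the first field of its line), or missing.
sshcontrol_status() {
  [ -r "$1" ] || { echo missing; return; }
  awk -v g="$2" '
    /^#/ { next }
    $1 == g { s = "enabled" }
    $1 == ("!" g) { if (s == "") s = "disabled" }
    index($0, g) && $1 != g && $1 != ("!" g) { if (s == "") s = "malformed" }
    END { print (s == "" ? "missing" : s) }' "$1"
}

# True when gpg-agent.conf ($1) carries the enable-ssh-support option on its own line.
ssh_support_enabled() {
  grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1" 2>/dev/null
}

# $1 listing file, $2 sshcontrol, $3 gpg-agent.conf, $4 expected agent-ssh-socket path.
# Prints every failed check; returns 0 only when all of them pass.
diagnose() {
  rc=0
  [ "${SSH_AUTH_SOCK:-}" = "$4" ] || { echo "SSH_AUTH_SOCK is not $4"; rc=1; }
  ssh_support_enabled "$3" || { echo "enable-ssh-support not set in $3"; rc=1; }
  grips=$(auth_keygrips < "$1")
  [ -n "$grips" ] || { echo "no secret key with the A usage flag"; rc=1; }
  for g in $grips; do
    st=$(sshcontrol_status "$2" "$g")
    [ "$st" = enabled ] || { echo "keygrip $g is $st in $2"; rc=1; }
  done
  return $rc
}
```

On a live system, save the output of `gpg -K --with-keygrip` to a file and pass the result of `gpgconf --list-dirs agent-ssh-socket` as the fourth argument to `diagnose`.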
 
  


Tags
gnupg, gpg, ssh


