Arch Linux - Using GPG for SSH Authentication


If your GPG key has a subkey with the Authenticate (A) capability, you can use it to authenticate with SSH just like a regular SSH keypair. This is especially useful if you already have a smartcard set up with your GPG keys: the same smartcard then serves for SSH authentication, and the private key never leaves the card.


If you don't have SSH installed already:

pacman -S openssh

Setup GPG SSH Agent

Enable SSH support in your gpg-agent configuration (restart gpg-agent afterwards so the setting takes effect):

echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

You should also point the SSH authentication socket at the GPG agent, so that ssh talks to gpg-agent instead of ssh-agent. You can do this in your session startup profile (.xprofile, for example):

# These are copied directly from the gpg-agent manpage
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

Configuring your GPG authentication key for use with SSH

Get the keygrip for your authentication subkey (the one listed with the [A] usage flag):

gpg --with-keygrip -k <your-key-id>

Add the keygrip (one per line) to ~/.gnupg/sshcontrol. Your key should now show up when you run ssh-add -l.

Now you can get the public key in SSH format with ssh-add -L; redirect it into a file or paste it straight into authorized_keys on the remote host:

ssh-add -L

Use this public key exactly as you would one generated with ssh-keygen. When SSH needs to authenticate, gpg-agent performs the signature and prompts you for the passphrase or the smartcard PIN.
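The whole procedure above, wrapped into a small POSIX sh script as an added example (this is not code from the original post). The key listing embedded at the top is a constructed sample of `gpg --with-keygrip -k` output with made-up fingerprints and keygrips, used so that the keygrip extraction can be exercised without a real key; the `setup_gpg_ssh` function is the part that runs against your real keyring and is only called by hand.

```shell
#!/bin/sh
# Added example: find the keygrip of the authentication ([A]) subkey,
# register it in ~/.gnupg/sshcontrol exactly once, and export the SSH
# public key. Sample data below is constructed; the keygrips are not real.

SAMPLE_KEY_LISTING='pub   ed25519 2023-01-01 [SC] [expires: 2026-01-01]
      1111111111111111111111111111111111111111
      Keygrip = A1B2C3D4E5F60718293A4B5C6D7E8F9012345678
uid           [ultimate] Example User <user@example.org>
sub   ed25519 2023-01-01 [S]
      Keygrip = B1B2C3D4E5F60718293A4B5C6D7E8F9012345678
sub   cv25519 2023-01-01 [E]
      Keygrip = C1B2C3D4E5F60718293A4B5C6D7E8F9012345678
sub   ed25519 2023-01-01 [A]
      Keygrip = D1B2C3D4E5F60718293A4B5C6D7E8F9012345678
'

# auth_keygrip: read a `gpg --with-keygrip -k` listing on stdin and print
# the keygrip of every (sub)key whose usage flags include A (authenticate).
# Signing-only and encryption subkeys are skipped, so the wrong keygrip
# never ends up in sshcontrol.
auth_keygrip() {
  awk '
    /^(pub|sub) / { auth = ($0 ~ /\[[SCEA]*A[SCEA]*\]/) }
    /Keygrip = / && auth { print $3; auth = 0 }
  '
}

# register_keygrip KEYGRIP FILE: append KEYGRIP to an sshcontrol-style file
# unless it is already listed (the file may carry a TTL after the grip).
register_keygrip() {
  grip=$1
  file=$2
  touch "$file"
  if ! grep -q "^$grip" "$file"; then
    printf '%s\n' "$grip" >> "$file"
  fi
  return 0
}

# enable_ssh_support FILE: add enable-ssh-support to a gpg-agent.conf
# once, without duplicating the line on repeated runs.
enable_ssh_support() {
  file=$1
  touch "$file"
  if ! grep -qx 'enable-ssh-support' "$file"; then
    printf 'enable-ssh-support\n' >> "$file"
  fi
  return 0
}

# setup_gpg_ssh KEY-ID: the live version of the steps above. Not invoked
# automatically; run it by hand against your own key id.
setup_gpg_ssh() {
  key_id=$1
  gnupg_home=${GNUPGHOME:-$HOME/.gnupg}
  enable_ssh_support "$gnupg_home/gpg-agent.conf"
  grip=$(gpg --with-keygrip -k "$key_id" | auth_keygrip | head -n 1)
  if [ -z "$grip" ]; then
    echo "no subkey with the Authenticate capability found for $key_id" >&2
    return 1
  fi
  register_keygrip "$grip" "$gnupg_home/sshcontrol"
  # Restart the agent so enable-ssh-support and the new sshcontrol entry
  # are picked up, then point ssh at the agent's SSH socket.
  gpgconf --kill gpg-agent
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  export SSH_AUTH_SOCK
  ssh-add -L
}
```

Usage: `setup_gpg_ssh <your-key-id>` prints the OpenSSH-format public key that you copy into authorized_keys on the remote host. The SSH_AUTH_SOCK export only affects the shell running the function; keep the .xprofile snippet above so every login session gets the same socket.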