SSH – How to Force the Use of a GPG-Key as an SSH-Key for a Given Server

gpgpgpsshssh-agent

I configured ssh to use GPG as my ssh-agent and if I remove the ~/.ssh folder, I can ssh into my server fine using my gpg key. However, my ~/.ssh folder has over a dozen different ssh keys in it, and if I try to ssh when it is there, I get a permission denied error because my ssh client is offering every single private key in the directory before trying the keys in the gpg ssh-agent.

With regular ssh-keys, I just use the IdentityFile config in my ~/.ssh/config file, but I can't do that because my identity is a gpg cardno. I am confused by why ssh is preferring the key files over the agent. Is there any way to force ssh to use the agent instead of the files? Or even better, is there any way to specify in the ~/.ssh/config file that the gpg key must be used for a given server?

I have confirmed that ssh-agent is not running and that gpg-agent is running and ssh-add -L shows my gpg key to be present, along with a single other ssh-style private key.

Best Answer

I can't do that because my identity is a gpg cardno.

You can use IdentityFile and IdentitiesOnly, even with gnupg-provided identities.

If you have the card present, export the public key from your agent:

$ ssh-add -L | grep "cardno:.*789$" | tee ~/.ssh/smartcard.pub
ssh-rsa AAAA[..]== cardno:023456000789

If you do not, but remember which key it is associated with, export from gnupg:

$ gpg2 --export-ssh-key ronnie.smart@card.example | tee ~/.ssh/smartcard.pub
ssh-rsa AAAA[..]== openpgp:0xDEADBEEF

Then tell ssh to use that export to identify the correct key:

Host *.host.example
    IdentityFile ~/.ssh/smartcard.pub
    IdentitiesOnly yes
    PasswordAuthentication no
    PubkeyAuthentication yes

Which gives you exactly one login attempt as expected when the correct smart card is detected by gnupg:

$ ssh -v smart.host.example
[..]
debug1: Next authentication method: publickey
debug1: Offering public key: /home/home/.ssh/smartcard.pub RSA SHA256:a1337[..] explicit

Unfortunately, you get rather unhelpful output whenever you forget to insert the card, as the gnupg ssh agent will not ask to insert the correct card like the gpg agent does. This is annoying, but will not impact your actual use.

Related Solutions

Ssh – How to stop ssh offering a wrong key

This is expected behaviour according to the manpage of ssh_config:

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

Basically, specifying IdentityFiles just adds keys to a current list the SSH agent already presented to the client.

Try overriding this behaviour with this at the bottom of your .ssh/config file:

Host *
IdentitiesOnly yes

Ssh – Fingerprint of PEM ssh key

If you want to retrieve the fingerprint of your lost public key file, you can recover it from the private key file:

$ ssh-keygen -yf path/to/private_key_file > path/to/store/public_key_file

Then you are able to ascertain the public fingerprint:

$ ssh-keygen -lf path/to/store/public_key_file
2048 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX user@host (RSA)

On some newer systems, this prints the SHA256 fingerprint of the key. You can print the MD5 fingerprint of the key (the colon form) using option -E:

$ ssh-keygen -E md5 -lf path/to/store/public_key_file
2048 MD5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host (RSA)

Or as one command line:

$ ssh-keygen -yf /etc/ssh/ssh_host_ecdsa_key | ssh-keygen -E md5 -lf -
2048 MD5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host (RSA)

Best Answer

Related Solutions

Ssh – How to stop ssh offering a wrong key

Ssh – Fingerprint of PEM ssh key

Related Topic