cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Feature: Add support for SSH Keys #15

Closed mrchainman closed 4 years ago

mrchainman commented 4 years ago

It would be cool to integrate ssh keys, similarly to how keychain handles it. I am willing to help implementing it.

cruegge commented 4 years ago

gpg-agent actually supports importing ssh keys and can act as an ssh agent. The ssh keys can be unlocked the same way as proper gpg keys, it's just a bit less obvious how to find the keygrips. It would make sense to expand the README.

On the other hand, I'm not convinced that supporting ssh-agent itself would be a good idea. It requires calling a different program (ssh-add) in a different way (one call per key instead of a single gpg-connect-agent process to unlock all gpg keys) and needs extensions to the config file (ssh keys are specified as file paths, not keygrips).

Also, ssh-add reads the passphrase from a tty or via SSH_ASKPASS, which might need some fiddling to provide the key non-interactively.

Finally, autostarting gpg-agent is essentially done automatically by gpg-connect-agent, but for ssh-agent it is more involved. In particular, the need to export SSH_AUTH_SOCK makes it essentially impossible to start the agent anywhere except during session init since you can't change the env var for running processes. If I understand correctly, this is the main part of what keychain does (not sure, I never used it).

So the only part of the existing code that could be reused as-is is probably storing and clearing the auth token, and at that point might be better to just implement a new module altogether.

mrchainman commented 4 years ago

Interesting, thanks for the extensive comment. I might look at how to use gpg-agent as an ssh agent and report any progress.

cruegge commented 4 years ago

Here's the quick version: the ssh support is documented in gpg-agent(1). Depending on how you start the agent, you may need to export SSH_AUTH_SOCK manually. The path is listed in the output of gpgconf --list-dirs (called agent-ssh-socket). When importing ssh keys, the keygrips will be written to ~/.gnupg/sshcontrol. Another option is to run gpg-connect-agent 'keyinfo --ssh-list' /bye. I'll update the README with a longer version of this when I get around to it.

mrchainman commented 4 years ago

Great, thanks!

x70b1 commented 4 years ago

I was at the same point. I was looking for a simple pam unlock solution for the ssh-agent. I know the gpg-agent solution for ssh-keys.

But I wanted to still use the ssh typical environment like agent, config, keyfiles in ~/.ssh ... So I created pam_exec-ssh.

guidocella commented 4 years ago

I was able to unlock my SSH key on login with gpg-agent by: adding export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) to ~/.zprofile or ~/.bash_profile (just export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ss also works if you haven't changed GNUPGHOME), adding my key with ssh-add, and adding its keygrip to the list of keys to be unlocked: tail -n 1 ${GNUPGHOME:-~/.gnupg}/sshcontrol | cut -d ' ' -f 1 >> ~/.pam-gnupg
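The procedure described in the two comments above (read the keygrips that gpg-agent wrote to sshcontrol and add them to the pam-gnupg key list), as an added shell example that is not code from this thread or from pam-gnupg itself. It generalizes the one-liner: it collects every enabled keygrip rather than only the last line, skips comment lines and entries disabled with a leading "!", and does not append a keygrip that is already listed. The function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not pam-gnupg's own code. Assumes the sshcontrol format from
# gpg-agent(1): one "KEYGRIP [TTL [FLAGS]]" per line, '#' starts a comment,
# a leading '!' disables the key.

# Print the enabled 40-hex-character keygrips from an sshcontrol file ($1),
# upper-cased, one per line. Comments, blank lines and '!'-disabled keys are skipped.
sshcontrol_keygrips() {
    sed 's/#.*//' "$1" |
        awk 'length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print toupper($1) }'
}

# Append each keygrip from sshcontrol ($1) to the pam-gnupg config ($2) unless
# a line starting with that keygrip is already there. Prints the number added.
add_missing_keygrips() {
    sshcontrol="$1"
    conf="$2"
    touch "$conf"
    added=0
    for kg in $(sshcontrol_keygrips "$sshcontrol"); do
        if ! grep -qiE "^[[:space:]]*$kg([[:space:]]|\$)" "$conf"; then
            printf '%s\n' "$kg" >> "$conf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample files (the keygrips are made up) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshcontrol" <<'EOF'
# Constructed sshcontrol: comment lines are ignored
0123456789ABCDEF0123456789ABCDEF01234567 0
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 0
AABBCCDDEEFF00112233445566778899AABBCCDD 0 confirm
EOF
# The first keygrip is already listed (lower-case) in the pam-gnupg config.
printf '0123456789abcdef0123456789abcdef01234567\n' > "$demo_dir/pam-gnupg"
echo "added $(add_missing_keygrips "$demo_dir/sshcontrol" "$demo_dir/pam-gnupg") keygrip(s):"
cat "$demo_dir/pam-gnupg"
rm -rf "$demo_dir"
```

For a real setup the call would be `add_missing_keygrips "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol" "$HOME/.pam-gnupg"`.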