20

I'm using openssh 7.5p1 and gnupg 2.1.21 on Arch Linux (these are the default versions that come with Arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-qt
enable-ssh-support

Arch automatically starts a gpg-agent from systemd, so I set

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"

When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.

Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:

$ ssh-keygen -f testkey -t dsa -N ''
Generating public/private dsa key pair.
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
$ ssh-add testkey
Could not add identity "testkey": agent refused operation

All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.

The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.

My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?

user3188445
  • The accepted answer helped me, thanks for raising this question. This happens every now and then to me, is there any permanent solution? – gxx Jun 06 '19 at 16:53

2 Answers

48

The answer was apparently to run:

echo UPDATESTARTUPTTY | gpg-connect-agent

I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.

While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need it for smart-card use.

user3188445
  • Where did you find this answer? It works great! – CMCDragonkai Feb 05 '19 at 04:17
  • Thanks for this, worked for me. Do you run this regularly? At each boot / login? Any idea regarding a "proper" fix? – gxx Jun 04 '19 at 10:21
  • See [gpg agent-options manual](https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html) – Ray Oei Jan 27 '20 at 22:58
  • It is possible to find the keys added via ssh-add and change their password, only it's a bit of a hassle: https://blogs.gentoo.org/marecki/2017/03/17/changing-the-passphrase-for-ssh-keys-in-gpg-agent/ – polettix Feb 24 '22 at 23:04
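A check script for the setup in the question and the fix in the accepted answer, added here as an example and not part of either post. It verifies that SSH_AUTH_SOCK points at gpg-agent's SSH socket (the path is the one the question exports), lists the keygrips gpg-agent will serve from an sshcontrol file, and only then re-binds the agent to the current TTY before ssh-add. The sshcontrol sample and the keygrip values in the usage are constructed.

```shell
#!/bin/sh
# Added example: sanity checks for using gpg-agent as an ssh agent.

# The socket Arch's systemd unit creates, as exported in the question.
# Arg 1 is the runtime dir (defaults to XDG_RUNTIME_DIR, assumed set).
expected_ssh_socket() {
    printf '%s/gnupg/S.gpg-agent.ssh\n' "${1:-$XDG_RUNTIME_DIR}"
}

# Returns 0 when SSH_AUTH_SOCK (arg 1) is gpg-agent's socket for the
# runtime dir (arg 2). If not, ssh-add is talking to some other agent
# and none of the gpg-agent settings apply.
socket_matches() {
    [ "$1" = "$(expected_ssh_socket "$2")" ]
}

# Print the keygrips gpg-agent will serve from an sshcontrol file (arg 1).
# Lines starting with '#' are comments, lines starting with '!' are
# disabled entries, and each active line is: keygrip [ttl] [flags].
active_keygrips() {
    awk '!/^[[:space:]]*(#|!|$)/ { print $1 }' "$1"
}

# The fix from the accepted answer, guarded so it only runs where the
# GnuPG tools exist: point pinentry at this TTY, then add the key (arg 1).
add_key_via_gpg_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 || {
        echo "gpg-connect-agent not found; is gnupg installed?" >&2
        return 2
    }
    if ! socket_matches "$SSH_AUTH_SOCK" "$XDG_RUNTIME_DIR"; then
        echo "SSH_AUTH_SOCK is not gpg-agent's socket: $SSH_AUTH_SOCK" >&2
        return 1
    fi
    echo UPDATESTARTUPTTY | gpg-connect-agent >/dev/null
    ssh-add "$1"
}

# Usage (constructed sshcontrol with two active and one disabled keygrip):
#   printf 'AAAA1111 0\n!BBBB2222 0\nCCCC3333 600 confirm\n' > /tmp/sshcontrol
#   active_keygrips /tmp/sshcontrol   # AAAA1111 and CCCC3333
#   add_key_via_gpg_agent ~/.ssh/testkey
```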
3

In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.

Removing pinentry-emacs and installing the GTK pinentry solved the problem here.

Rui F Ribeiro
user30747