SSH is quite an important part of my daily life: most of my time is spent in a console on remote servers. The standard ssh-agent is good and has served me as well as it could. But since everyone (and I am no exception) always wants something better, I decided to have a look at an alternative: gpg-agent.

When you install the gpg-agent package, it installs a script, /etc/X11/Xsession.d/90gpg-agent, so most probably you already have gpg-agent running without knowing it, but without SSH support enabled. We have to enable it explicitly, either by editing the config or by passing --enable-ssh-support on the command line (when one uses a customized version of /etc/X11/Xsession.d/90gpg-agent, or maybe something even more advanced in .bashrc/.bash_profile). We will go the much tidier way and use the configuration file. After reading some man pages, namely gpg-agent(1) and ssh-add(1), I have come up with the following settings for SSH:

$ cat << EOF > ~/.gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl-ssh 28800
max-cache-ttl-ssh 43200
EOF

enable-ssh-support - enables the OpenSSH agent protocol on gpg-agent's SSH socket

default-cache-ttl-ssh - sets the time a cache entry used for SSH keys is valid; the default is 1800 seconds

max-cache-ttl-ssh - sets the maximum time a cache entry used for SSH keys is valid, after which it expires even if accessed recently; the default is 7200 seconds

All these cache timeouts suit my own personal configuration; I suggest you define your own set of preferred settings.

Now gpg-agent is prepared to handle our SSH keys. One thing left is to disable other SSH agents. For me, the easiest way is to edit /etc/X11/Xsession.options and comment out the use-ssh-agent option. After logging out and back into your desktop session you should be able to use the new functionality.

We can check where SSH_AUTH_SOCK points:

$ echo $SSH_AUTH_SOCK
/tmp/gpg-Dr11cY/S.gpg-agent.ssh

and the process behind SSH_AGENT_PID:

$ ps uww -p $SSH_AGENT_PID
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
user    1522  0.0  0.0  17500  3020 ?        Ss   18:04   0:01 /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/user/.gnupg/gpg-agent-info-home /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch /usr/bin/startkde

exactly what we expected.

Now we will add our key with ssh-add to the newly initialized agent:

$ ssh-add
Identity added: /home/user/.ssh/id_rsa (rsa w/o comment)

$ ssh-add -l
4096 52:c7:5e:c4:96:01:32:dd:54:f1:ba:40:95:8e:15:9f rsa w/o comment (RSA)

ssh-add will ask for the password of the provided key file (if one has been set) and send the unprotected key material to the agent over the socket; this causes gpg-agent to ask for a passphrase, which is used to encrypt the newly received key before storing it in a gpg-agent-specific directory under ~/.gnupg.
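The checks done by hand above (the config settings, the SSH_AUTH_SOCK path), as an added shell example that is not part of the original post. The function names and the constructed sample config are this example's own; the TTL defaults are those quoted from gpg-agent(1) above.

```shell
#!/bin/sh
# Added example (not from the original post): parse a gpg-agent.conf laid
# out like the one above and report whether it will serve SSH clients.

# check_gpg_agent_conf FILE
#   returns 0: usable for SSH; 1: ssh support missing; 2: TTLs inconsistent
check_gpg_agent_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # enable-ssh-support is a bare option: match it as a whole word.
    if grep -qE '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"; then
        ssh_on=1
    else
        ssh_on=0
    fi
    # Numeric values: first occurrence wins, comment lines never match.
    def_ttl=$(sed -n 's/^[[:space:]]*default-cache-ttl-ssh[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | head -n 1)
    max_ttl=$(sed -n 's/^[[:space:]]*max-cache-ttl-ssh[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | head -n 1)
    # Absent options fall back to the gpg-agent(1) defaults.
    : "${def_ttl:=1800}" "${max_ttl:=7200}"
    if [ "$ssh_on" -eq 0 ]; then
        echo "enable-ssh-support missing: ssh clients will not be served"
        return 1
    fi
    # max-cache-ttl-ssh expires an entry regardless of recent use, so a
    # default larger than the max is silently capped; flag it.
    if [ "$def_ttl" -gt "$max_ttl" ]; then
        echo "default-cache-ttl-ssh $def_ttl exceeds max-cache-ttl-ssh $max_ttl; entries expire at $max_ttl"
        return 2
    fi
    echo "ssh support on, key cache ttl ${def_ttl}s (hard cap ${max_ttl}s)"
}

# socket_is_gpg_agent PATH: 0 when PATH is gpg-agent's ssh socket.
# (OpenSSH's own agent names its socket agent.<pid> under /tmp/ssh-XXXXXX.)
socket_is_gpg_agent() {
    case "$(basename "$1")" in
        S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed config mirroring the settings shown above.
sample=$(mktemp)
printf '%s\n' 'enable-ssh-support' 'default-cache-ttl-ssh 28800' 'max-cache-ttl-ssh 43200' > "$sample"
check_gpg_agent_conf "$sample"
rm -f "$sample"
if socket_is_gpg_agent "${SSH_AUTH_SOCK:-}"; then echo "SSH_AUTH_SOCK: gpg-agent"
else echo "SSH_AUTH_SOCK: not gpg-agent"; fi
```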

This was a short How-To which some of you might find helpful. Of course, you should decide for yourself which you trust more, ssh-agent or gpg-agent. I personally prefer the second one, not for its safety or reliability, but because I find it more configurable and extensible. And since I use GnuPG quite a lot, I like to keep my configuration (key handling, authentication, etc.) in one place.