SSH is quite an important part of my daily life; most of the time I spend in a console on remote servers. The standard ssh-agent is good and it has served me the best it could. But since everyone (and I am not an exception) always wants something better, I have decided to have a look at an alternative -
When you install the gpg-agent package, it installs a script /etc/X11/Xsession.d/90gpg-agent, so most probably you have gpg-agent running without even knowing it, but it does not have SSH support enabled. We have to enable it explicitly, either by editing the config or by passing --enable-ssh-support on the command line (when one uses a customized version of /etc/X11/Xsession.d/90gpg-agent, or maybe something even more advanced in your .bash_profile). We will go the much tidier way and use the configuration file. After reading some man pages, namely gpg-agent(1) and ssh-add(1), I have come up with the following settings for SSH:
    $ cat << EOF > ~/.gnupg/gpg-agent.conf
    enable-ssh-support
    default-cache-ttl-ssh 28800
    max-cache-ttl-ssh 43200
    EOF
enable-ssh-support - enables the OpenSSH Agent protocol
default-cache-ttl-ssh - sets the time a cache entry used for SSH keys is valid, default is 1800 seconds
max-cache-ttl-ssh - sets the maximum time a cache entry used for SSH keys is valid, default 7200 seconds
All these cache timeouts are perfectly suitable for my own personal configuration; I suggest you define your own set of preferred settings.
Now we have gpg-agent prepared to handle our SSH keys. One thing left is to disable other SSH agents. For me, the easiest way is to edit /etc/X11/Xsession.options and comment out the use-ssh-agent option. This will do for us. After logging back into your desktop session you should be able to use the new functionality.
We can check where $SSH_AUTH_SOCK points:
    $ echo $SSH_AUTH_SOCK
    /tmp/gpg-Dr11cY/S.gpg-agent.ssh
and the process behind it:
    $ ps uww -p $SSH_AGENT_PID
    USER       PID %CPU %MEM   VSZ  RSS TTY STAT START  TIME COMMAND
    user      1522  0.0  0.0 17500 3020 ?   Ss   18:04  0:01 /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/user/.gnupg/gpg-agent-info-home /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch /usr/bin/startkde
exactly what we expected.
Now we will add our key with ssh-add to our newly initialized agent:
    $ ssh-add
    Identity added: /home/user/.ssh/id_rsa (rsa w/o comment)
    $ ssh-add -l
    4096 52:c7:5e:c4:96:01:32:dd:54:f1:ba:40:95:8e:15:9f rsa w/o comment (RSA)
ssh-add will ask for the passphrase of the provided key file (if one has been set) and send the unprotected key material to the agent; this causes gpg-agent to ask for a passphrase of its own, which is used to encrypt the newly received key and store it in a gpg-agent specific directory.
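To verify the setup above without re-reading the files by hand, here is an added example (my own script, not part of the original post or of GnuPG) that checks a gpg-agent.conf for the three SSH settings and confirms that SSH_AUTH_SOCK points at gpg-agent's socket rather than a leftover ssh-agent. It assumes POSIX sh with grep, head and awk; the file name check-gpg-ssh.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the gpg-agent SSH setup.
# Assumes POSIX sh with grep, head and awk; the config path and socket path are
# passed in as arguments so the checks can run offline against any file.

# Print the value of an option from a gpg-agent.conf file (first uncommented match).
conf_value() {
    # $1 = config file, $2 = option name
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | awk '{print $2}'
}

# Return 0 when SSH support is enabled and the TTLs make sense, 1 otherwise.
# Defaults when an option is absent follow gpg-agent(1): 1800 / 7200 seconds.
check_gpg_agent_conf() {
    conf="$1"
    status=0
    if ! grep -qE '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"; then
        echo "$conf: enable-ssh-support missing, gpg-agent will not serve SSH keys" >&2
        status=1
    fi
    def=$(conf_value "$conf" default-cache-ttl-ssh); def=${def:-1800}
    max=$(conf_value "$conf" max-cache-ttl-ssh);     max=${max:-7200}
    case "$def$max" in
        *[!0-9]*) echo "$conf: TTL values must be integers (seconds)" >&2; return 1 ;;
    esac
    # max-cache-ttl-ssh is a hard cap: a value below the idle TTL silently shortens it.
    if [ "$max" -lt "$def" ]; then
        echo "$conf: max-cache-ttl-ssh ($max) < default-cache-ttl-ssh ($def)" >&2
        status=1
    fi
    return $status
}

# Return 0 when the given SSH_AUTH_SOCK path is gpg-agent's SSH socket, 1 otherwise
# (the stock ssh-agent socket lives elsewhere, so this catches a leftover agent).
agent_is_gpg() {
    case "$1" in
        */S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live session: sh check-gpg-ssh.sh --live
if [ "${1:-}" = "--live" ]; then
    check_gpg_agent_conf "$HOME/.gnupg/gpg-agent.conf"
    agent_is_gpg "${SSH_AUTH_SOCK:-}" || echo "SSH_AUTH_SOCK does not point at gpg-agent" >&2
fi
```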
This was a short How-To which some of you might find helpful. Of course, you should decide for yourself what you trust more: ssh-agent or gpg-agent. I personally prefer the second one, not for its safety or reliability, but because I find it more configurable and extendable. And since I use GnuPG quite a lot, I like to keep my configuration (key handling, authentication, etc.) together.