---
tags:
  - GnuPG
  - SSH
categories:
  - Linux
date:
  created: 2025-04-05
  updated: 2024-06-05
---
# SSH Authentication with GPG Keys on Linux

Here are the steps for setting up SSH authentication with GPG keys on Linux.
## Core Concept

- **GPG (GNU Privacy Guard)**: A cryptographic tool commonly used for signing and encrypting data. We can leverage GPG key pairs for authentication.
- **SSH (Secure Shell)**: An encrypted network protocol used to securely execute commands and transfer files over unsecured networks.
- `gpg-agent`: A daemon that manages your GPG private keys so you do not have to enter a password every time you use them.
- `ssh-agent`: A daemon that manages your SSH private keys and likewise avoids re-entering passwords.
- `libpam-gnome-keyring` (optional but recommended): A PAM module that automatically starts `gpg-agent` and `ssh-agent` when you log in.
- `gnupg-agent`: Provides the functionality required for SSH authentication using GPG keys.
## 1. Install the necessary packages

Depending on your Linux distribution, install the following packages:

**Debian/Ubuntu:**

```bash
sudo apt update
sudo apt install gnupg2 gpg-agent openssh-server openssh-client libpam-gnome-keyring
```

**Fedora/CentOS/RHEL:**

```bash
sudo dnf install gnupg2 gpg-agent openssh-server openssh-clients pam_gnome_keyring
```

**Arch Linux:**

```bash
sudo pacman -S gnupg openssh libgnome-keyring
```
## 2. Generate or import a GPG key pair

If you don't have a GPG key pair yet, generate a new one with the following command:

```bash
gpg --full-generate-key
```

Follow the prompts to select the key type, key length, and expiration date, and to set your real name, email address, and comment. Remember the password you choose. If you already have a GPG key pair, you can skip this step.
## 3. Confirm GPG key usage and obtain the fingerprint

Make sure you have a GPG key or subkey whose purpose includes Authenticate. Confirm this and obtain the fingerprint (40 hex digits) of the key or subkey with the following command:

```bash
gpg --with-keygrip -K
```
## 4. Add the GPG key fingerprint to the `sshcontrol` file

Put the fingerprint obtained in the previous step into the `~/.gnupg/sshcontrol` file, one fingerprint per line.

```
# Example (replace YOUR_FINGERPRINT with the actual value)
YOUR_FINGERPRINT
```
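As an added example (not part of the original post), here is a POSIX shell helper that reads the output of the `gpg --with-keygrip -K` command from step 3, picks out the keys whose usage flags include `A` (Authenticate), and lists which of their 40-hex keygrips are not yet in `~/.gnupg/sshcontrol`; the value gpg-agent matches against `sshcontrol` is the `Keygrip =` line that command prints. The function names and the sample gpg output are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pick the keygrips of
# Authenticate-capable ([A]) keys out of `gpg --with-keygrip -K` output and
# report which of them are not yet listed in ~/.gnupg/sshcontrol.
# Function names and the sample gpg output below are constructed.

# Constructed sample of `gpg --with-keygrip -K` output: a primary [SC] key,
# an encryption [E] subkey and one authentication [A] subkey.
SAMPLE_GPG_OUTPUT='sec   ed25519/0123456789ABCDEF 2025-04-05 [SC]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Example User <user@example.com>
ssb   cv25519/FEDCBA9876543210 2025-04-05 [E]
      Keygrip = 2222222222222222222222222222222222222222
ssb   ed25519/0F0F0F0F0F0F0F0F 2025-04-05 [A] [expires: 2026-04-05]
      Keygrip = 3333333333333333333333333333333333333333'

# stdin: gpg -K output; stdout: keygrip of every sec/ssb entry whose usage
# flags contain A (the 40-hex value gpg-agent expects in sshcontrol).
auth_keygrips() {
    awk '
        /^(sec|ssb)/ {
            want = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\[[SCEA]+\]$/ && index($i, "A")) want = 1
        }
        /Keygrip = / && want { print $3; want = 0 }
    '
}

# stdin: keygrips; stdout: those absent from the sshcontrol file $1.
# Only the first column of sshcontrol is compared, so optional TTL/flag
# columns and "#" comment lines are ignored, as gpg-agent itself does.
missing_from_sshcontrol() {
    awk -v ctl="$1" '
        BEGIN {
            while ((getline line < ctl) > 0) {
                split(line, f, " ")
                if (f[1] != "" && f[1] !~ /^#/) have[f[1]] = 1
            }
        }
        !($1 in have) { print $1 }
    '
}

# Real use: gpg --with-keygrip -K | auth_keygrips | missing_from_sshcontrol ~/.gnupg/sshcontrol
# Stand-alone demo against an empty control file: prints the [A] keygrip.
printf '%s\n' "$SAMPLE_GPG_OUTPUT" | auth_keygrips | missing_from_sshcontrol /dev/null
```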
## 5. Configure `gpg-agent`

Edit or create the `~/.gnupg/gpg-agent.conf` file and add the following lines:

```
enable-ssh-support
default-cache-ttl 3600
max-cache-ttl 7200
```

- `enable-ssh-support`: Enable SSH support.
- `default-cache-ttl`: The default password cache time, in seconds.
- `max-cache-ttl`: The maximum password cache time, in seconds.
## 6. Configure PAM (optional but recommended)

If you have `libpam-gnome-keyring` (or a similar package) installed, you can configure PAM to start `gpg-agent` and `ssh-agent` automatically at login. Edit the `/etc/pam.d/login` and `/etc/pam.d/sshd` files and add the following lines if they are not already present.

In the `auth` section add:

```
auth optional pam_gnome_keyring.so skel
```

In the `session` section add:

```
session optional pam_gnome_keyring.so auto_start
```

Note: The exact files and lines vary by Linux distribution and PAM configuration. You may need to make similar changes in other PAM configuration files, such as `sudo` or the one for your graphical login manager.
## 7. Export the SSH public key

Use the following command to export the SSH public key from your GPG private key. Replace `YOUR_GPG_KEY_ID` with your GPG key ID, which you can find with the `gpg --list-secret-keys --keyid-format long` command.

```bash
gpg --export-ssh-key YOUR_GPG_KEY_ID > ~/.ssh/id_ed25519.pub
```

Notice:

- The exported public key is saved as `~/.ssh/id_ed25519.pub` here; you can change the file name as needed.
- Make sure your GPG private key is password protected.
## 8. Copy the SSH public key to the remote server

Copy the contents of your exported SSH public key (`~/.ssh/id_ed25519.pub`) into the `~/.ssh/authorized_keys` file on the remote server you want to authenticate to. You can use the `ssh-copy-id` command to simplify this (if your local machine already has password- or key-based SSH access to the server):

```bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote_server
```

Alternatively, append the contents of `~/.ssh/id_ed25519.pub` to the `~/.ssh/authorized_keys` file on the remote server manually:

```bash
cat ~/.ssh/id_ed25519.pub | ssh user@remote_server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```
## 9. Configure the SSH client

Edit or create the `~/.ssh/config` file and add the following to make your SSH client use GPG for authentication (ssh_config only treats `#` as a comment at the start of a line, so the comment goes on its own line rather than after `Host`):

```
# You can set an alias for the remote server
Host remote_server_alias
    Hostname remote_server_ip_or_hostname
    User your_username
    IdentityFile ~/.ssh/id_ed25519
    PubkeyAcceptedKeyTypes +ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
```

- `Host`: The alias you set for the remote server.
- `Hostname`: The IP address or hostname of the remote server.
- `User`: Your username on the remote server.
- `IdentityFile`: The path to the SSH public key file you exported (without the `.pub` extension).
- `PubkeyAcceptedKeyTypes`: Specifies the accepted public key types. Add `+ssh-ed25519-cert-v01@openssh.com` to enable certificate-based authentication.
## 10. Start `gpg-agent` and `ssh-agent`

If you do not configure PAM, you need to start `gpg-agent` and `ssh-agent` manually after logging in. Add the following to your shell configuration file (e.g. `~/.bashrc`, `~/.zshrc`):

```bash
# Start ssh-agent if no agent socket is set yet
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval "$(ssh-agent -s)"
fi
# Start gpg-agent with SSH support if it is not already running
if ! gpg-connect-agent /bye > /dev/null 2>&1; then
    eval "$(gpg-agent --daemon --enable-ssh-support)"
fi
# Point SSH clients at gpg-agent's SSH socket so your GPG keys are offered
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
```

Then reload your shell profile:

```bash
source ~/.bashrc   # or: source ~/.zshrc
```
## 11. Add the GPG private key to `gpg-agent`

You may need to add your GPG private key to `gpg-agent`. This will prompt you for your password:

```bash
gpg --import-ownertrust
gpg --card-status   # if you use a smart card
```

Alternatively, you can simply enter your password the first time you attempt an SSH connection.
## 12. Test the SSH connection

You should now be able to SSH to the remote server using the configured alias without entering a password (unless your GPG private key is not yet unlocked):

```bash
ssh remote_server_alias
```

If this is the first time you use this GPG key for an SSH connection, you may be asked for the GPG key's password. Afterwards, the password is cached in `gpg-agent` until the cache expires.
## IMPORTANT NOTE

- **Security**: Make sure your GPG private key is protected by a strong password.
- **Backup**: Be sure to back up your GPG private key.
- **`gpg-agent` and `ssh-agent`**: Make sure both agents are running. You can check with the `ps aux | grep gpg-agent` and `ps aux | grep ssh-agent` commands.
- **Permissions**: Make sure the permissions of the `~/.ssh` directory and the `~/.ssh/authorized_keys` file are set correctly (usually `700` for `~/.ssh` and `600` for `~/.ssh/authorized_keys`).
- **Server configuration**: Ensure that public key authentication (`PubkeyAuthentication yes`) is enabled in the `sshd_config` file on the remote server.

With the above steps, your Linux system should be configured to use GPG keys for SSH authentication, improving security and streamlining your workflow.