
gpg-agent at startup in order that my Yubikey can be used for ssh
Closed, Invalid (Public)

Description

I'm wondering what would be the best way to start gpg-agent at startup in order for my Yubikey to work with ssh. I tried adding gpg-agent -q /bye to my .bashrc with a check whether the process was already running; if not, it ran that command. It starts gpg-agent, and ssh-add -l does list the GPG keys from my Yubikey, but my public key is not being read by gpg-agent when I ssh to a host. I then have to kill and restart it, and sometimes re-export the $SSH_AUTH_SOCK variable.

Now I'm trying it with a user-defined systemd unit file, which seems to work as long as I have this export in my .bash_profile: export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh. Below is the systemd unit file; I enabled it with systemctl --user enable gpg-agent.service

[Unit]
Description=GnuPG Agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support --daemon
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
ExecStop=/usr/bin/gpg-agent /bye

[Install]
WantedBy=default.target

This is in my gpg-agent.conf:

enable-ssh-support
default-cache-ttl 120
max-cache-ttl 300

I can't really find a documented way to do this; it all seems to be done with people's own inventions. So this is not really a bug, unless of course this is indeed defined nowhere. Then some official documentation would be nice. The best stuff I found to set gpg-agent up with a Yubikey are these:

Details

Version
gnupg2-2.1.21-2.fc26.x86_64

Event Timeline

justus triaged this task as Wishlist priority.
justus added projects: gnupg, Documentation.
justus added a subscriber: justus.

Hi. You can start gpg-agent using gpgconf --launch gpg-agent. I'll delegate the systemd questions to Daniel.

Please use the systemd unit files as shipped upstream. This allows the agent to be launched automatically whenever someone tries to use one of its sockets, but doesn't pre-emptively launch the agent until needed.

You shouldn't need either IgnoreOnIsolate or to explicitly set SSH_AUTH_SOCK for the systemd user unit.

I think you have two questions:

  • how do I make sure the gpg-agent is running?
  • how do I ensure that my non-gpg-aware tools outside the agent get the appropriate SSH_AUTH_SOCK environment variable set?

I think I've answered only the first of those questions above.

The second question hasn't been answered here, because I don't know what sort of OS you're using or how you need this to be integrated (maybe you're using Fedora 26, judging by the "version" details?). If so, I'd check with Fedora to see how they expect user environment variables to be set.

Perfect! This works exactly as I wanted. I do indeed use Fedora 26; adding the line below to my .bash_profile works perfectly with the Yubikey to find the GPG keys on it and use them for ssh.
export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh
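The two answers above (start the agent with gpgconf --launch gpg-agent, and point SSH_AUTH_SOCK at the agent's ssh socket) combined into one login-shell snippet. This is an added example, not code from the thread or from GnuPG itself; it assumes gpgconf is on PATH and, when gpgconf is unavailable, falls back to the $XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh path the reporter used. Asking gpgconf for the socket path is preferable to hard-coding it, since it follows a non-default --homedir or socket directory.

```shell
#!/bin/sh
# Resolve the path of gpg-agent's ssh socket. Prefer asking gpgconf, which
# knows the agent's homedir and socket directory; fall back to the
# XDG_RUNTIME_DIR layout used in the bug report above.
# $1 (optional): gpgconf binary to query; lets a test force the fallback.
gpg_ssh_sock_path() {
    gpgconf_bin="${1:-gpgconf}"
    if command -v "$gpgconf_bin" >/dev/null 2>&1; then
        path=$("$gpgconf_bin" --list-dirs agent-ssh-socket 2>/dev/null) \
            && [ -n "$path" ] && { printf '%s\n' "$path"; return 0; }
    fi
    printf '%s\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/gnupg/S.gpg-agent.ssh"
}

# Return 0 only if SSH_AUTH_SOCK ($2) names the agent socket ($1) and that
# path really is a socket (an agent that was never launched leaves none).
ssh_sock_is_gpg_agent() {
    sock="$1"; current="$2"
    [ "$current" = "$sock" ] && [ -S "$sock" ]
}

# Point ssh at gpg-agent: export SSH_AUTH_SOCK and, if no socket exists yet,
# launch the agent through gpgconf (with the upstream systemd units the socket
# is normally already present, so the launch is a no-op). Returns 1 if the
# socket could not be made available.
setup_gpg_ssh_auth_sock() {
    sock=$(gpg_ssh_sock_path "$1")
    if ! [ -S "$sock" ]; then
        "${1:-gpgconf}" --launch gpg-agent >/dev/null 2>&1 || return 1
    fi
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
    ssh_sock_is_gpg_agent "$sock" "$SSH_AUTH_SOCK"
}
```

Source this from .bash_profile and call setup_gpg_ssh_auth_sock; afterwards ssh-add -l should list the keys on the Yubikey.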