@bradfa
Created March 26, 2013 12:37
Copied from http://www.programmierecke.net/howto/gpg-ssh.html
Saved here for posterity.
Tested with Yubikey NEO in 0x82 mode.
with smartcard (openpgp)
Some Links
Using Smartcard with Windows (Putty): Pageant for Putty with smartcard support
step by step
Don't install or use monkeysphere; it does not work with authentication keys on smartcards.
# install needed packages
# the gpgsm package is needed because it provides "scdaemon", the smartcard daemon
apt-get install gpgsm
# gpg-agent is needed because it is the only way to use an authentication subkey directly from the smartcard
apt-get install gnupg-agent
# deactivate the gnome-keyring-daemon ssh-agent drop-in replacement; we want only gpg-agent
gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
# you may have to deactivate ssh-agent too (not required on Ubuntu 10.04)
# if you are using an older Ubuntu version or ssh-agent keeps interfering;
# this is done in /etc/X11/Xsession.options
# configure gpg to use agent (only for smartcard)
echo "use-agent" >> ~/.gnupg/gpg.conf
# enable ssh-agent drop in replacement support for gpg-agent
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
# logout, login
# gpg-agent should now start automatically
# check with:
ps aux | grep gpg-agent
# check gpg-agent ssh-features
set | grep SSH
# import the public key from the smartcard ("fetch" downloads it from the URL stored on the card)
# only do this if you haven't imported the key from your smartcard yet, or if you are on another computer
gpg --card-edit
fetch
quit
# calling gpg a second time is needed so that gpg fully recognizes the key on the card
# remember the last 8 characters of the line starting with "Authentication key:"
# this is your authentication subkey id; it is needed later
gpg --card-status
# secure gnupg homedir
chmod -R go-rwx ~/.gnupg
# update the authorized keys file
# replace "12345678" with your authentication subkey id from the previous step
gpgkey2ssh 12345678 >> ~/authorized_keys
# this file has to be copied to the computer running the openssh server
scp ~/authorized_keys user@testhost:/home/user/.ssh/
# test ssh; it should now ask for the PIN, if you have one
ssh -v user@testhost
# it should work now
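Two small helpers for the steps above, as an added example that is not part of the original howto: one derives the authentication subkey id from `gpg --card-status` output instead of reading the last 8 characters off by eye (and refuses an empty "[none]" slot), the other checks that the agent socket in SSH_AUTH_SOCK is gpg-agent's rather than a plain ssh-agent or gnome-keyring socket, which is what the "set | grep SSH" step is meant to confirm. The card-status text and the socket paths are constructed sample values; the fingerprints are made up.

```sh
#!/bin/sh
# Added example, not from the original howto. Helpers for two checks in the
# procedure above:
#  - auth_keyid: derive the 8-hex-digit authentication subkey id from
#    `gpg --card-status` output (last 8 digits of the fingerprint on the
#    "Authentication key:" line);
#  - ssh_sock_is_gpg_agent: check that a socket path (default: SSH_AUTH_SOCK)
#    is gpg-agent's ssh socket, which is named S.gpg-agent.ssh.

# Constructed sample of `gpg --card-status` output (fingerprints are made up).
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000000000000000000
Version ..........: 2.0
Manufacturer .....: unknown
Signature key ....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
      created ....: 2013-03-26 12:00:00
Encryption key....: FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
      created ....: 2013-03-26 12:00:00
Authentication key: 89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF
      created ....: 2013-03-26 12:00:00
General key info..: [none]'

# auth_keyid: read card-status text on stdin and print the short key id of the
# authentication subkey. Returns 1 if the line is missing or carries no
# fingerprint (an empty slot shows "[none]" instead of hex digits).
auth_keyid() {
    line=$(grep '^Authentication key:' | head -n 1)
    [ -n "$line" ] || return 1
    # Drop the label and all whitespace, leaving the bare 40-digit fingerprint.
    fpr=$(printf '%s\n' "${line#"Authentication key:"}" | tr -d ' \t')
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    # The short key id is the last 8 hex digits of the fingerprint.
    prefix=${fpr%????????}
    printf '%s\n' "${fpr#"$prefix"}"
}

# ssh_sock_is_gpg_agent: succeed only when the socket path is gpg-agent's
# ssh socket (S.gpg-agent.ssh); anything else means another agent won.
ssh_sock_is_gpg_agent() {
    sock=${1:-$SSH_AUTH_SOCK}
    [ -n "$sock" ] || return 1
    case "$sock" in
        */S.gpg-agent.ssh|S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed sample and two sample socket paths.
if keyid=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | auth_keyid); then
    echo "authentication subkey id: $keyid"
    echo "next step would be: gpgkey2ssh $keyid >> ~/authorized_keys"
else
    echo "no authentication key on card" >&2
fi
for s in /tmp/gpg-ab12cd/S.gpg-agent.ssh /tmp/ssh-XYZ/agent.1234; do
    if ssh_sock_is_gpg_agent "$s"; then
        echo "$s: gpg-agent socket"
    else
        echo "$s: not gpg-agent"
    fi
done
```

Pipe real output in with `gpg --card-status | auth_keyid` and call `ssh_sock_is_gpg_agent` with no argument to test the live environment. If the socket check fails after logging back in, gnome-keyring or ssh-agent is still setting SSH_AUTH_SOCK and the card key will never be offered to the server, which is the most common reason the final `ssh -v` step falls through to password authentication.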
Bugs I encountered
* DON'T try to use the smartcard if it is not connected. It will destroy scdaemon and you will either have to log out and log in again or do: "killall -9 scdaemon". This happens after reconnecting the smartcard:
# gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error