Since gpg-agent isn't used for ssh authentication on Ubuntu, and there are indeed 2 different daemons vying for the job, it can get complicated to figure out how to untangle the distro and step the agent into his rightful position.
This is simple once you know exactly which knobs to frob; in this case there are 3:
- Tell Xsession initialization to not start ssh-agent
- Tell Gnome init not to start the gnome keyring
- Enable ssh agent emulation support on gpg-agent
Using gpg for encryption on Linux is an important way to store PKI keys in hardware-backed security modules like a Yubikey, or a more traditional smartcard. Using an agent is also an important way to securely make the authentication process more convenient.
After installing gnupg, the gpg-agent daemon (among others), tooling, and libraries will be on your system. These changes will bring that agent online for use. If you have your keys created, you've probably already installed the package. If not, there are plenty of great guides describing the process.
/etc/X11/Xsession.options
Allowing the ssh-agent daemon to run will interfere with running gpg-agent and its ssh agent capability.
Edit this file to change the line use-ssh-agent
to no-use-ssh-agent
.
This system is inherited from Debian (on which Ubuntu is based), where while looking for a good place to start the venerable ssh-agent daemon, the maintainers decided "during the X session initialization itself" would fit nicely. Changing that config option signals the initialization process to skip that step.
/etc/xdg/autostart/gnome-keyring-ssh.desktop
This file starts the gnome keyring, which will also interfere with gpg-agent.
Make a copy of this file to ~/.config/autostart/gnome-keyring-ssh.desktop
and add a line Hidden=true
to disable this autostart for your user account only.
~/.gnupg/gpg-agent.config
Create this if it doesn't exist, and add the line enable-ssh-support
.
Besides the agent and tools, the gnupg installation process also installs systemctl user units to manage these daemons via systemctl (see /usr/lib/systemd/user/gpg-agent.service
). Running $ systemctl --user status gpg-agent
will show the status of gpg-agent, while $ systemctl --user reload gpg-agent
can be used to have the daemon reload config changes.
There is also a unit gpg-agent-ssh.socket
which creates and mediates connections to the gpg-agent socket which speaks like ssh-agent. This means that the socket is always created, but the above setting causes the agent to listen on the socket and the SSH_AUTH_SOCK
environment variable–which ssh tools use to find the socket–to be appropriately set.
Finally
Since these daemons all get setup during the start of your login, simply log out of your X session and log back in to have everything working right without a restart (often ctrl-alt-backspace in gnome or mod+shift+e by default in i3wm).
Execute ssh-add -l
to see if your gpg keys are now available for ssh authentication.
A lot of other instructions out there have old or unnecessary steps, I found this was sufficient to get the setup working correctly.