Using GPG Keys for SSH Authentication

Posted on Jun 15, 2024

Using GPG Keys for SSH Authentication: A Step-by-Step Guide

In this blog post, we will explore how to use GPG keys for SSH authentication. GPG (GNU Privacy Guard) keys offer an added layer of security compared to traditional SSH keys. We will cover the process of generating GPG keys, configuring them for SSH, and connecting to remote servers. Let’s dive in!

Introduction

SSH (Secure Shell) is a protocol used to securely connect to remote servers. Typically, SSH authentication uses key pairs: a private key stored on the client machine and a public key stored on the server. GPG keys can also be used for SSH authentication, leveraging GPG’s robust encryption capabilities and key management features.

Generating GPG Keys

First, let’s generate a GPG key pair if you don’t already have one. Open a terminal and run the following command:

gpg --full-generate-key

Follow the prompts to select key type, key size, and expiration date. For SSH authentication, an RSA key of at least 2048 bits is recommended.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1

Choose the key size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Set the expiration date:

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y

Provide your user information and a passphrase to protect your private key.

Configuring GPG Agent for SSH

To use GPG keys for SSH, you need to configure the GPG agent to act as an SSH agent. Add the following lines to your ~/.bashrc or ~/.zshrc file:

export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Reload your shell configuration:

source ~/.bashrc
# or
source ~/.zshrc

Exporting the Public SSH Key

Next, export your GPG public key in a format suitable for SSH. Identify your GPG key ID:

gpg --list-secret-keys --keyid-format LONG

Look for the line starting with sec, and note the long key ID (a hexadecimal string). Then export the SSH public key:

gpg --export-ssh-key YOUR_KEY_ID

Replace YOUR_KEY_ID with your actual key ID. This command outputs your SSH public key, which you will need to add to the ~/.ssh/authorized_keys file on your remote server.

Configuring SSH to Use GPG Keys

Ensure your SSH client configuration is set to use the GPG agent. Edit (or create) the file ~/.ssh/config:

Host *
IdentityAgent ~/.gnupg/S.gpg-agent.ssh

This configuration tells SSH to use the GPG agent for all hosts.

Connecting to a Remote Server

To connect to a remote server, you need to add your GPG-generated SSH public key to the ~/.ssh/authorized_keys file on the server. First, copy your public key:

gpg --export-ssh-key YOUR_KEY_ID

Then, log in to your remote server and append the public key to the ~/.ssh/authorized_keys file:

echo "YOUR_PUBLIC_KEY" >> ~/.ssh/authorized_keys

Replace YOUR_PUBLIC_KEY with the output of the gpg –export-ssh-key command.

Now, you should be able to connect to your remote server using SSH with your GPG key:

ssh user@remote-server

Best Practices

Use a Strong Passphrase: Protect your GPG key with a strong, unique passphrase. Regularly Rotate Keys: Periodically generate new GPG keys and update your SSH configurations. Backup Your Keys: Securely backup your GPG keys and revocation certificates. Limit Key Usage: Use separate keys for different purposes (e.g., signing, encryption, SSH authentication). Monitor Key Usage: Regularly review your authorized keys and remove any that are no longer needed.

Conclusion

Using GPG keys for SSH authentication enhances your security by leveraging GPG’s advanced encryption and key management features. By following the steps outlined in this guide, you can configure your system to use GPG keys for SSH and adhere to best practices for secure key management. Happy secure connecting!