Using GnuPG 2.1 and SSH on OS X

This is the situation.

I’m an OS X user and I’ve been using GPG for a long time for email, and I wanted to start using it to log in over SSH to the machines I need access to, avoiding typing a password (BTW, you can do this by editing your remote ~/.ssh/authorized_keys file and adding your public SSH key) and adding one more layer of security.

After following some recommendations, I got an FST-01. This little dude is a GnuPG USB token that can store my private keys securely. I carry it with me wherever I go. But you need to instruct your computer to use the token and not your local keys. I followed this very well documented guide from Glenn Rempe, but I made some tweaks to it:

* Because I just moved to macOS Sierra.
* Because my beloved Homebrew now has GnuPG 2.1 in its repository. You need it to make this magic happen.
* Because I use the fish shell.

So, I’m assuming here you have already set up your USB token. What I did was somewhat similar to what is explained here, but I haven’t checked it carefully. Maybe I’ll post about it later on.

Anyway, first of all you need to install this:

```
brew tap homebrew/versions
brew install gnupg21
brew install pinentry-mac
```

> Pinentry-mac is a tool that will ask you for your secret PIN to unlock the private keys on your token.

Then you need to edit your ~/.gnupg/gpg-agent.conf file to include both the location of pinentry-mac and the directive that enables SSH support, as follows:

```
default-cache-ttl 600
max-cache-ttl 7200
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
```

I use the great fish shell, so you need to instruct fish to use ~/.gnupg/S.gpg-agent.ssh as the SSH agent socket in every fish session by adding one line to your fish config file (usually ~/.config/fish/config.fish). This is how my local config.fish looks:

```
set -g -x PATH /usr/local/bin $PATH
# Point ssh at gpg-agent's SSH socket (fish syntax; `export` is not a fish builtin).
# On newer GnuPG releases the socket may live elsewhere; `gpgconf --list-dirs agent-ssh-socket` prints its path.
set -g -x SSH_AUTH_SOCK $HOME/.gnupg/S.gpg-agent.ssh

. ~/.config/fish/aliases.fish
. ~/.config/fish/prompt.fish
```

Remove your token and restart the agent:

```
/usr/local/bin/gpgconf --kill gpg-agent && /usr/local/bin/gpgconf --launch gpg-agent
```

Then insert your token again. If everything is OK, running gpg2 --card-status should show the information on your token.

Now with ssh-add -L you should see the public key coming from your token; that is the key you add to your remote ~/.ssh/authorized_keys. Now you can log in with ssh user@remote-ip using your token, and voilà.
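If the agent restart above does not give you a key from ssh-add -L, the usual culprit is the gpg-agent.conf. The following POSIX sh script is an added example (not from the post or from GnuPG) that checks a gpg-agent.conf for the two directives this setup depends on; the conf contents it feeds itself are constructed, and the pinentry path is only checked for being absolute and executable.

```sh
#!/bin/sh
# Added example (not from the post or GnuPG): sanity-check a gpg-agent.conf
# for the directives the SSH-over-token setup depends on, before restarting
# gpg-agent. Paths and file contents below are constructed for the demo.

# Value of a directive in a gpg-agent.conf, ignoring '#' comment lines.
conf_value() {            # $1 = conf file, $2 = directive name
    grep -v '^[[:space:]]*#' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Returns 0 when the conf enables SSH support and names an absolute
# pinentry path; otherwise prints what is wrong and returns 1.
check_agent_conf() {
    conf="$1"
    rc=0
    if ! grep -v '^[[:space:]]*#' "$conf" \
         | grep -q '^[[:space:]]*enable-ssh-support[[:space:]]*$'; then
        echo "missing: enable-ssh-support (no S.gpg-agent.ssh socket will be offered)"
        rc=1
    fi
    pin=$(conf_value "$conf" pinentry-program)
    case "$pin" in
        /*) [ -x "$pin" ] || echo "note: $pin is not executable on this machine" ;;
        "") echo "missing: pinentry-program (the agent cannot prompt for the token PIN)"
            rc=1 ;;
        *)  echo "pinentry-program must be an absolute path, got: $pin"
            rc=1 ;;
    esac
    return $rc
}

# Demo with constructed files: the post's conf beside one that lacks SSH support.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'default-cache-ttl 600' 'max-cache-ttl 7200' \
        'pinentry-program /usr/local/bin/pinentry-mac' 'enable-ssh-support' \
        > "$dir/good.conf"
    printf '%s\n' 'pinentry-program pinentry-mac' '# enable-ssh-support' \
        > "$dir/weak.conf"
    check_agent_conf "$dir/good.conf" && echo "good.conf: OK"
    check_agent_conf "$dir/weak.conf" || echo "weak.conf: needs fixing"
    rm -rf "$dir"
}

demo
```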