I have a hard time figuring out how to configure SSH authentication using my GPG Smartcard. I have the following (NixOS & Home-Manager) configuration:
{ self, ... }: {
  home-manager.users.mentos = {
    programs.gpg = {
      enable = true;
      mutableKeys = false;
      mutableTrust = false;
      publicKeys = [
        {
          source = "${self}/static/gpg_pub.asc";
          trust = "ultimate";
        }
      ];
    };
    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
    };
    # Set environment variables
    programs.fish.interactiveShellInit = ''
      set -e SSH_AGENT_PID
      set -x GPG_TTY (tty)
      set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
    '';
  };
  # Enable Smartcard/Nitrokey
  hardware.gpgSmartcards.enable = true;
  hardware.nitrokey.enable = true;
  users.users.mentos.extraGroups = [ "nitrokey" ];
}
After a reboot, SSH_AUTH_SOCK outputs /run/user/1000/keyring/ssh.
After manually running set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket), the variable outputs /run/user/1000/gnupg/S.gpg-agent.ssh.
Also, ssh-add -L doesn't have anything before I run the above command manually.
What the heck? Does my interactiveShellInit even run?!
Okay, but even after running it manually and my key showing up in ssh-add -L, I can't connect to servers: sign_and_send_pubkey: signing failed ... agent refused operation.
The ssh command takes a while though, so I assume it's interacting with the card already. (gpg --card-status works btw.)
My assumption is that there is an issue with the pinentry not showing up. While tinkering with this config I sometimes got a (gtk2?) pinentry dialog where my cursor was a little black point and I couldn't interact with the dialog. I'm on Gnome, so the gnome3 pinentry flavor should be used automatically. But I also tried setting it explicitly, which didn't make any difference.
I have no idea anymore at this point… SOS please help.
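The two socket paths quoted above come from different agents: /run/user/&lt;uid&gt;/keyring/ssh is gnome-keyring's SSH socket, while /run/user/&lt;uid&gt;/gnupg/S.gpg-agent.ssh is the one gpg-agent publishes via gpgconf --list-dirs agent-ssh-socket. The POSIX sh helper below is an added diagnostic, not code from the post or from NixOS/Home-Manager: it classifies a socket path by that naming convention, compares the live SSH_AUTH_SOCK with gpg-agent's socket when gpgconf is installed, and offers gpg-connect-agent updatestartuptty to point pinentry at the current terminal (function names are the editor's own).

```shell
#!/usr/bin/env sh
# Added diagnostic helper for the SSH_AUTH_SOCK / gpg-agent mismatch described above.

# Infer which agent owns a socket path from its naming convention alone,
# so this can be exercised without any agent running.
#   /run/user/<uid>/keyring/ssh          -> gnome-keyring's SSH component
#   /run/user/<uid>/gnupg/S.gpg-agent.ssh -> gpg-agent with enable-ssh-support
sock_owner() {
  case "$1" in
    "")                 echo unset ;;
    */keyring/ssh)      echo gnome-keyring ;;
    */S.gpg-agent.ssh)  echo gpg-agent ;;
    *)                  echo unknown ;;
  esac
}

# 0 when the shell's SSH_AUTH_SOCK ($1) equals the socket gpg-agent reports ($2).
sock_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check; only meaningful on a host with GnuPG and OpenSSH installed.
# Return codes: 0 keys listed via gpg-agent, 1 misconfiguration found, 2 tools missing.
check_gpg_ssh_agent() {
  command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found"; return 2; }
  expected=$(gpgconf --list-dirs agent-ssh-socket)
  echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} (owner: $(sock_owner "${SSH_AUTH_SOCK:-}"))"
  echo "gpg-agent ssh socket=$expected"
  if ! sock_matches "${SSH_AUTH_SOCK:-}" "$expected"; then
    echo "MISMATCH: ssh is talking to $(sock_owner "${SSH_AUTH_SOCK:-}"), not gpg-agent"
    return 1
  fi
  [ -S "$expected" ] || { echo "socket missing: is gpg-agent running with ssh support?"; return 1; }
  # With the card inserted, its authentication key should be listed here.
  SSH_AUTH_SOCK=$expected ssh-add -L || { echo "no identities; compare with gpg --card-status"; return 1; }
}

# Tell the running gpg-agent to use this terminal (and its DISPLAY) for pinentry.
# Useful when the PIN prompt never appears or appears on the wrong session.
pinentry_to_this_tty() {
  command -v gpg-connect-agent >/dev/null 2>&1 || return 2
  GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye
}
```

Run check_gpg_ssh_agent from a fresh login shell to see whether the variable was overridden after interactiveShellInit ran, and pinentry_to_this_tty from the same terminal before retrying ssh.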