Gpg-agent under Windows as SSH Agent for git bash


gpg-agent has options "–enable-ssh-support" and "–enable-putty-support" that allows it to use it as a drop-in replacement for the well-known ssh-agent.

I've been pulling my hair out trying to figure out how exactly make this work in windows and git-bash. (Please don't suggest me to use putty because I have lots of scripts and other programs that require being worked with git bash and openssh in my windows pc machine, including PHPStorm etc)

My first attempt was having enable-ssh-support line in C:\Users\[user]\AppData\Roaming\gnupg\gpg-agent.conf file,

And export SSH_AUTH_SOCK=/c/users/[user]/AppData/Roaming/gnupg/S.gpg-agent.ssh line in /c/users/[user]/.bash_profile file. (also I have created a windows environment variable SSH_AUTH_SOCK with the value C:\Users\[username]\AppData\Roaming\gnupg\S.gpg-agent.ssh)

I have my GPG Secret key in the key ring, with authentication and encryption enabled subkeys.

and I added keygrip of authentication enabled subkey into the C:\Users\[user]\AppData\Roaming\gnupg\sshcontrol file.

Since GnuPG 2.2.4 comes with –export-ssh-key option so I don't need monkeysphere to convert the GPG key to OpenSSH format. so I exported my public key and I placed it in authorized_keys file in a remote Linux box with correct permissions (tested with another computer using putty).

Then I executed:
gpg-connect-agent killagent /bye and gpg-connect-agent /bye in PowerShell (and it started the gpg-agent running in background and created the S.gpg-agent.ssh SOCK file).

Then attempted to ssh into the server as the regular way.

And it gave me an error.

Then I tried enabling the putty support (enable-putty-support line in gpg-agent.conf allows you to enable putty support.

Also you need to create an enviornment variable in windows

Then I tried using OpenSSH that comes with chocolatey package manager too.

None of them worked as expected.

finally, I gave up on everything and attempted to connect just using putty and gpg-agent. I uninstalled git-bash too. Then I just attempted using GnuPG and Putty.

I allowed agent forwarding in putty ssh -> auth. then I tried to connect to the server, but It still asking for the password. gpg-agent doesn't forward the key, but it detects the gpg-agent as PAGEANT

Event log in putty:

2018-02-10 16:48:51 Connecting to port 22
2018-02-10 16:48:51 We claim version: SSH-2.0-PuTTY_Release_0.70
2018-02-10 16:48:52 Server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
2018-02-10 16:48:52 We believe remote version has SSH-2 channel request bug
2018-02-10 16:48:52 Using SSH protocol version 2
2018-02-10 16:48:52 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
2018-02-10 16:48:53 Server also has ecdsa-sha2-nistp256/ssh-dss/ssh-rsa host keys, but we don't know any of them
2018-02-10 16:48:53 Host key fingerprint is:
2018-02-10 16:48:53 ssh-ed25519 256 1f:7b:5d:c4:b4:ae:5d:81:72:da:1d:c8:b2:cc:67:7b
2018-02-10 16:48:53 Initialised AES-256 SDCTR client->server encryption
2018-02-10 16:48:53 Initialised HMAC-SHA-256 client->server MAC algorithm
2018-02-10 16:48:53 Initialised AES-256 SDCTR server->client encryption
2018-02-10 16:48:53 Initialised HMAC-SHA-256 server->client MAC algorithm
2018-02-10 16:49:07 Pageant is running. Requesting keys.
2018-02-10 16:49:07 Pageant has 0 SSH-2 keys

Can you spot my problem?
In putty log

Best Answer

  • Let's take it step by step.

    1. Pageant has 0 SSH-2 keys

    This is blocking you right now. I assume that you the log reports pageant but you are actually running gpg-agent in the background. You may want to double check this before proceeding.

    Let's make sure the gpg-agent has loaded the key you need for ssh authentication.

    > gpg --version
    gpg (GnuPG) 2.1.21
    > gpg -k --with-keygrip
    sub   rsa4096/0x0123456789ABCDEF 2018-01-01 [A] [expires: 2019-01-01]
          Keygrip = 0123456789ABCDEF0123456789ABCDEF01234567
    > gpg-connect-agent "keyinfo --list" /bye
    S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 T xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx OPENPGP.3 - - - - -

    This way you can confirm that your gpg-agent has the key you are expecting loaded. Next step would be to make sure server is requesting proper key.

    2. TBA