#openpgp #ssh #card #agent #pgp #gpg #ssh-agent

app openpgp-card-ssh-agent

A simple ssh-agent backed by OpenPGP card authentication keys

7 releases

0.1.6 Mar 12, 2023
0.1.5 Mar 11, 2023
0.1.4 Aug 27, 2022



318 lines

Simple (experimental) standalone SSH Agent for OpenPGP cards


This is a simple SSH agent that uses keys on OpenPGP cards. The cards are accessed via PC/SC (e.g. via pcscd).

The agent supports RSA 2048/4096, NIST P-256/384/521 and Curve 25519 keys. The agent doesn't currently persist card identities or PINs.


$ cargo install openpgp-card-ssh-agent


$ openpgp-card-ssh-agent -H unix://$XDG_RUNTIME_DIR/ocsa.sock


List the available cards, e.g. with the opgpcard tool:

$ opgpcard list
Available OpenPGP cards:

If you don't see your card, it's possible that GnuPG is blocking it. The easiest way to work around this is to unplug and replug the card.

(With recent versions of GnuPG, you might consider configuring scdaemon to access PC/SC in shared mode.)

Set the SSH_AUTH_SOCK environment variable:

$ export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ocsa.sock

After freshly starting the agent, you need to add your card(s) to the agent once:

$ ssh-add -s FFFE:01234567

Enter the User PIN for the card (e.g. 123456). The agent will verify the User PIN. If the PIN is OK, it will remember both the card ident and the User PIN (neither is persisted across agent restarts).

After adding a card, regular ssh usage backed by the authentication key slot on that card will work:

$ ssh <hostname>
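Once a card has been added, the agent holds its verified User PIN, so any local process that can connect to the socket can request signatures from the card's authentication key. The following pre-flight check is an added example, not part of the project: it assumes the agent relies on filesystem permissions for access control (as ssh-agent sockets generally do) and GNU `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the agent socket is reachable only by the current
# user before handing a card PIN to the agent with `ssh-add -s`.
# Assumptions: GNU coreutils `stat -c`; function names are hypothetical.

# Succeed when an octal mode string (as printed by `stat -c %a`) grants
# no permission bits to group or other, e.g. 700 or 600.
mode_is_private() {
    case "$1" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeed when $1 is a Unix socket owned by the caller and either the socket
# itself or its parent directory is closed to group and other. On Linux,
# connecting needs write permission on the socket and search permission on
# every directory leading to it, so one private level is sufficient.
check_agent_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    [ -O "$sock" ] || { echo "socket not owned by you: $sock" >&2; return 1; }
    dir=$(dirname -- "$sock")
    if mode_is_private "$(stat -c %a -- "$sock")"; then
        return 0
    fi
    # $XDG_RUNTIME_DIR is required to be mode 0700, which satisfies this branch.
    if [ -O "$dir" ] && mode_is_private "$(stat -c %a -- "$dir")"; then
        return 0
    fi
    echo "socket reachable by other users: $sock" >&2
    return 1
}

# Usage with the values from this page:
#   check_agent_socket "$XDG_RUNTIME_DIR/ocsa.sock" && ssh-add -s FFFE:01234567
# Run the check directly when a socket path is passed as the first argument.
if [ "$#" -gt 0 ]; then
    check_agent_socket "$1"
fi
```

A socket placed somewhere like /tmp instead of $XDG_RUNTIME_DIR passes only if the socket file itself has no group or other permission bits.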

Notifications for touch confirmation

This SSH agent uses the notify-rust crate to alert the user if touch confirmation is required by the card.


This project is based very heavily on work by Wiktor Kwapisiewicz <wiktor@metacode.biz>, at https://gitlab.com/sequoia-pgp/ssh-agent-pks


~585K SLoC