
step-cli doesn't support gpg-agent

Open weaversam8 opened this issue 3 years ago • 1 comment

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When using step CLI's SSH certificate functionality (namely proxycommand) with a non-vanilla SSH agent, like gpg-agent, step CLI fails to read the certificate from the agent, forcing the CLI to request a new certificate every authentication attempt.

Why is this needed?

Some users use gpg-agent instead of the default ssh-agent (usually for smartcard support).

Potential workaround

I worked around this issue by taking the following approach:

  • Configure my shell to start a vanilla ssh-agent process on launch (or find the existing one) and,
  • Store the socket for that agent in an environment variable different from SSH_AUTH_SOCK (like SSH_AUTH_SOCK_VANILLA)
  • Configure my SSH config to use that environment variable during proxycommand invocation:
        ProxyCommand bash -c "SSH_AUTH_SOCK=$SSH_AUTH_SOCK_VANILLA step ssh proxycommand [...]"
  • Configure my SSH config to use that environment variable for the IdentityAgent parameter:
        IdentityAgent $SSH_AUTH_SOCK_VANILLA

weaversam8 avatar Jan 10 '23 16:01 weaversam8
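The workaround above leaves the "start or find a vanilla ssh-agent" step as prose. The following is an added example (not part of the issue, and not code from the step CLI or OpenSSH projects) showing one way to do it from a POSIX shell profile: it pins the vanilla agent to a fixed socket path, checks whether an agent is still answering there before starting a new one, and leaves SSH_AUTH_SOCK untouched so gpg-agent keeps serving everything else. The directory `~/.ssh`, the file names `vanilla-agent.sock` and `vanilla-agent.pid`, and the variable `VANILLA_AGENT_DIR` are this example's own choices; the `SSH_AUTH_SOCK_VANILLA` name and the ssh_config lines are the ones from the issue.

```shell
#!/bin/sh
# Added example: keep a vanilla ssh-agent alongside gpg-agent for step's
# SSH certificate flow. Paths and VANILLA_AGENT_DIR are assumptions of this
# example, not conventions of step-cli or OpenSSH.

# Return 0 only if the socket at $1 belongs to an ssh-agent that answers.
# ssh-add -l exits 0 (keys listed) or 1 (agent has no identities) when an
# agent replies, and 2 when no agent can be reached at all.
agent_socket_is_live() {
    [ -S "$1" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Print the socket path of the vanilla agent, reusing a live one or starting
# a fresh one bound to a fixed path so later shells find the same agent.
# Exit codes: 2 = ssh-agent not installed, 3 = ssh-agent failed to start.
ensure_vanilla_agent() {
    dir="${VANILLA_AGENT_DIR:-$HOME/.ssh}"
    sock="$dir/vanilla-agent.sock"
    if agent_socket_is_live "$sock"; then
        printf '%s\n' "$sock"
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 2
    mkdir -p "$dir" && chmod 700 "$dir"
    rm -f "$sock"   # stale socket left by an agent that is no longer running
    # -a pins the socket path; -s prints sh-style exports, from which we keep
    # only the PID so the agent can be stopped later.
    pid=$(ssh-agent -s -a "$sock" | sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p')
    [ -n "$pid" ] && [ -S "$sock" ] || return 3
    printf '%s\n' "$pid" > "$dir/vanilla-agent.pid"
    printf '%s\n' "$sock"
}

# Stop the vanilla agent started by ensure_vanilla_agent and clean up.
stop_vanilla_agent() {
    dir="${VANILLA_AGENT_DIR:-$HOME/.ssh}"
    [ -r "$dir/vanilla-agent.pid" ] || return 1
    kill "$(cat "$dir/vanilla-agent.pid")" 2>/dev/null
    rm -f "$dir/vanilla-agent.pid" "$dir/vanilla-agent.sock"
}

# Typical use from ~/.profile once these functions are sourced; SSH_AUTH_SOCK
# itself stays pointed at gpg-agent:
#   SSH_AUTH_SOCK_VANILLA=$(ensure_vanilla_agent) && export SSH_AUTH_SOCK_VANILLA
#
# Matching ~/.ssh/config lines (host pattern is a placeholder; the "[...]" is
# whatever proxycommand arguments you already use):
#   Host *.example-placeholder
#       IdentityAgent $SSH_AUTH_SOCK_VANILLA
#       ProxyCommand bash -c "SSH_AUTH_SOCK=$SSH_AUTH_SOCK_VANILLA step ssh proxycommand [...]"
```

Checking liveness with `ssh-add -l` rather than only `-S` matters on the second login: the socket file can outlive a crashed agent, and `IdentityAgent` pointing at a dead socket makes ssh fall back silently to no agent, which in this setup shows up as step requesting a new certificate on every connection.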

Hi @weaversam8, AFAIK gpg-agent does not support ssh certificates, there might be some workarounds, but I'm not sure if they work. See https://dev.gnupg.org/T1756

maraino avatar Jan 10 '23 17:01 maraino