Using GPG for user authentication in ssh

Alexandre Dulaunoy adulau at foo.be
Tue Oct 15 10:59:01 CEST 2002


On Mon, 14 Oct 2002, Joel N. Weber II wrote:

> I've looked a bit at the question of how one would go about supporting
> the use of GPG for user authentication in ssh.
[..]
> 
> But maybe there are other ways of handling this and or looking at what
> should happen, I'm not quite sure.  I think if I do write code to
> support GPG user authentication, it likely won't be all that soon.

I have asked the same question on the OpenSSH dev list.

There is already a patch (I don't know the quality and the usability
of it):

 http://www.red-bean.com/~nemo/openssh-gpg/

The proprietary version of ssh (ssh.com) does it like this:

Quote from the documentation:

"""
 SSH  Secure Shell  only supports  the  OpenPGP standard  and the  PGP
 programs  conforming   to  it.  GnuPG   is  used  in   the  following
 instructions. If  you use PGP, the  only difference is  that the file
 extension is pgp instead of GnuPGP's gpg. 

   1. To make sure that user public-key authentication is enabled, the
      AllowedAuthentications field  both in the /etc/ssh2/sshd2_config
      file  on  Remote and  the  /etc/ssh2/ssh2_config  file on  Local
      should contain the word publickey:

AllowedAuthentications publickey

      Other authentication methods can  be listed in the configuration
      file as well. 
   2. Copy  your  private  key   ring  (secring.gpg)  to  the  ~/.ssh2
      directory on Local. 
   3. Create an identification file in your ~/.ssh2 directory on Local
      if you do  not already have one. Add the  following lines to the
      identification file:

PgpSecretKeyFile <filename of the user's private key ring>
IdPgpKeyName <name of the OpenPGP key in PgpSecretKeyFile>
IdPgpKeyFingerprint <fingerprint of OpenPGP key in PgpSecretKeyFile>
IdPgpKeyId <id of the OpenPGP key in PgpSecretKeyFile>

   4. Copy your public key ring (pubring.gpg) to the ~/.ssh2 directory
      on Remote

scp2 pubring.gpg user at remote_host:.ssh2

   5. Create  an  authorization  file  in your  ~/.ssh2  directory  on
      Remote. Add the following lines to the authorization file:

PgpPublicKeyFile <filename of the user's public key ring>
PgpKeyName <name of the OpenPGP key>
PgpKeyFingerprint <fingerprint the OpenPGP key>
PgpKeyId <id of the OpenPGP key>

   6. Now  you should  be able  to login  to Remote  from  Local using
      Secure Shell. Try to login:

Local>ssh Remote
Passphrase for pgp key "user (comment) <user at Local>":

      After you have entered the  passphrase of your PGP key, a Secure
      Shell connection will be established. 

"""

I think it will be really useful to integrate something like that in
OpenSSH.

adulau

-- 
			      Alexandre Dulaunoy -- http://www.foo.be/
  3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD  ---   AD993-6BONE
"People who fight may lose.People who do not fight have already lost."
							Bertolt Brecht
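
The procedure quoted above (steps 3 and 5) asks the user to copy a key
name, fingerprint and key ID by hand into the identification file on
Local and the authorization file on Remote. The script below is an
added example, not code from this mail, from the ssh.com documentation
it quotes, or from GnuPG: it parses the colon-separated listing that
`gpg --with-colons --fingerprint` prints, emits both stanzas with the
keywords quoted above, and refuses to write them when the key ID is not
the low 64 bits of the fingerprint (for OpenPGP v4 keys the key ID is
the last 16 hex digits of the fingerprint, so a mismatch means the two
lines do not describe one key). The sample listing is constructed, and
the assumption that ssh2 accepts the fingerprint as a bare 40-digit hex
string is mine; the quoted text does not say which format it expects.

```python
"""Build the ssh.com ~/.ssh2 identification and authorization stanzas
from a gpg key listing, and check that key ID and fingerprint agree.

Added example (not code from the mail, from the ssh.com documentation it
quotes, or from GnuPG). Assumptions: the colon-separated record format of
`gpg --with-colons --fingerprint` (pub/fpr/uid/sub records), the stanza
keywords quoted in the mail, and that ssh2 accepts the fingerprint as the
bare 40-hex-digit string (the quoted text does not specify a format).
"""
from dataclasses import dataclass

# Constructed sample listing (not a real key), in the shape gpg prints
# for `gpg --with-colons --fingerprint`: key ID is field 5 of the pub
# record, fingerprint field 10 of the fpr record, user ID field 10 of uid.
SAMPLE_LISTING = """\
tru::1:1034000000:0:3:1:5
pub:u:1024:17:6D7E8F9012345678:2002-10-15::::::scESC::::::
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9012345678:
uid:u::::2002-10-15::AABBCCDD::user (comment) <user@local.example>::::::::::0:
sub:u:2048:16:1122334455667788:2002-10-15::::::e::::::
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF1122334455667788:
"""


@dataclass(frozen=True)
class PgpKeyInfo:
    key_id: str       # long (64-bit) key ID, hex
    fingerprint: str  # 40 hex digits for a v4 key
    name: str         # user ID string


def parse_listing(listing: str) -> PgpKeyInfo:
    """Extract the primary key of the first pub record in a --with-colons listing."""
    key_id = fingerprint = name = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            if key_id is not None:
                break              # only the first primary key is used
            key_id = fields[4]
            if len(fields) > 9 and fields[9]:
                name = fields[9]   # GnuPG 1.x put the user ID on the pub line
        elif rtype == "fpr" and key_id is not None and fingerprint is None:
            fingerprint = fields[9]  # first fpr after pub is the primary key's
        elif rtype == "uid" and name is None:
            name = fields[9]
        elif rtype == "sub" and fingerprint is None:
            # subkeys carry their own fpr records; by now the primary's must exist
            raise ValueError("no fingerprint record for primary key")
    if not (key_id and fingerprint and name):
        raise ValueError("listing lacks pub/fpr/uid records")
    return PgpKeyInfo(key_id.upper(), fingerprint.upper(), name)


def key_id_matches_fingerprint(key_id: str, fingerprint: str) -> bool:
    """True when the (short or long) key ID is the tail of the v4 fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    kid = key_id.replace(" ", "").upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return len(fp) == 40 and len(kid) in (8, 16) and fp.endswith(kid)


def identification_stanza(info: PgpKeyInfo, secring: str = "secring.gpg") -> str:
    """Lines for ~/.ssh2/identification on Local (step 3 of the quoted procedure)."""
    if not key_id_matches_fingerprint(info.key_id, info.fingerprint):
        raise ValueError("key ID does not match fingerprint")
    return "\n".join([
        f"PgpSecretKeyFile {secring}",
        f"IdPgpKeyName {info.name}",
        f"IdPgpKeyFingerprint {info.fingerprint}",
        f"IdPgpKeyId {info.key_id}",
    ]) + "\n"


def authorization_stanza(info: PgpKeyInfo, pubring: str = "pubring.gpg") -> str:
    """Lines for ~/.ssh2/authorization on Remote (step 5 of the quoted procedure)."""
    if not key_id_matches_fingerprint(info.key_id, info.fingerprint):
        raise ValueError("key ID does not match fingerprint")
    return "\n".join([
        f"PgpPublicKeyFile {pubring}",
        f"PgpKeyName {info.name}",
        f"PgpKeyFingerprint {info.fingerprint}",
        f"PgpKeyId {info.key_id}",
    ]) + "\n"


if __name__ == "__main__":
    info = parse_listing(SAMPLE_LISTING)
    print(identification_stanza(info))
    print(authorization_stanza(info))
```

Feeding it a real listing is `gpg --with-colons --fingerprint "<key name>"`
piped into parse_listing; the fingerprint/key ID check is the part worth
keeping even when the stanzas are written by hand, since the authorization
file on Remote is what decides which key may log in.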

More information about the Gnupg-devel mailing list