OpenPGP smartcard - authentication key

Werner Koch wk at
Tue May 3 15:44:32 CEST 2005

On Tue, 03 May 2005 14:56:45 +0200, Wolfgang Rosenauer said:

> I've tried gpg -a --export KEYID but I'm not sure if this is the
> correct format for SSH usage.

No, it is not.  What you export with this is the entire OpenPGP Key
with primary key, UserIDs and subkeys.  And well, it is still an
OpenPGP key.  We do have all the code required spread around in
different modules and thus it will be easy to write a converter; it
just needs to get done.

Moritz, would you mind writing such a tool?  I suggest basing it on
the code to read card version 1.0 keys in scdaemon and the ssh code
from the agent.  Put this under gnupg/tools/.

 $ foo <keyid_of_key>
shall print the key in SSH format.  Print an error if this key is not
suitable for authentication.

> The other thing is (more an OpenSSH question) how to tell openssh to
> use the key from the card?

This is easier: Just install gnupg 1.9.16, read the manual of the
scdaemon and gpg-agent and enable ssh-support.  Works very well,
unless you want to use the reader also with gnupg 1.4 - this won't work
because scdaemon/gpg-agent have exclusive access to the reader. I am
working on this; it will need changes in scdaemon and gpg 1.4.
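
The conversion discussed in this message, sketched as an added example that is not part of the original post and is not GnuPG code: it takes the body of a version 4 OpenPGP RSA public-key packet (RFC 4880 layout) and re-encodes the two RSA parameters as an `ssh-rsa` public key (RFC 4253). All function names and the toy sample packet are constructed for illustration, and the check for the authentication key flag, which lives in the key's binding signature, is outside what this block covers.

```python
import base64
import struct

SIGN_CAPABLE_RSA = {1, 3}  # OpenPGP algorithm IDs: RSA, RSA sign-only (2 = encrypt-only)

def read_mpi(buf, off):
    """OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    nbytes = (struct.unpack(">H", buf[off:off + 2])[0] + 7) // 8
    end = off + 2 + nbytes
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return int.from_bytes(buf[off + 2:end], "big"), end

def ssh_string(data):
    """SSH string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """SSH mpint is two's complement: a leading 0x00 is needed when the top bit is set."""
    if value <= 0:
        raise ValueError("RSA parameters must be positive")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def pgp_rsa_to_ssh_blob(body):
    """body = contents of a v4 public-key/subkey packet, packet header removed."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only version 4 key packets are handled")
    if body[5] not in SIGN_CAPABLE_RSA:
        raise ValueError("algorithm %d cannot produce an ssh-rsa key" % body[5])
    n, off = read_mpi(body, 6)
    e, off = read_mpi(body, off)
    if off != len(body):
        raise ValueError("unexpected trailing data")
    # SSH wire order is (e, n); OpenPGP stores (n, e).
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def ssh_public_key_line(body, comment="openpgp-subkey"):
    """Format the blob as a one-line OpenSSH public key."""
    return "ssh-rsa %s %s" % (base64.b64encode(pgp_rsa_to_ssh_blob(body)).decode(), comment)

# Constructed toy packet body: v4, creation time, algo 1, n = 3233, e = 17.
SAMPLE = bytes.fromhex("04" "42777a30" "01" "000c0ca1" "000511")

if __name__ == "__main__":
    print(ssh_public_key_line(SAMPLE))
```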
