GnuPG & OpenSSH

Srihari Vijayaraghavan sriharivijayaraghavan at yahoo.com.au
Tue Aug 21 13:40:47 CEST 2007


--- Moritz Schulte <mo at g10code.com> wrote:
> 
> > 1. Is it possible to have only one key pair (public & secret pref. DSA) that
> > can be used for both GPG & OpenSSH? (as a sys admin of some interest in
> > cryptography, this is an important question)
> 
> Uhm, possible... sure, why not. I just don't know right now how one
> would achieve that.

It's not a crazy idea then :-). It'd be nice to discover how to achieve this
though (if at all possible).

> > 2. Is gpg-agent, SSH agent service provided by GPG etc. somehow useful only
> > when one has a card reader? Or put it other way, is it useful even when one
> > has no card reader?
> 
> gpg-agent supports the ssh-agent protocol and can be used as a drop-in
> replacement. It's definitely useful without smartcard reader.
> Supporting the smartcard out-of-the-box is an addon.

Thanks for that. On that note, I spent a few hours on gpg-agent & getting it
to look after my SSH private keys (with individual pass-phrases etc.). All
looking good. Wonderful.
 
> > 3. Am I missing a simple 'GPG/OpenSSH unification for dummies' (dummies like
> > me :-)) with a few solid examples on unifying GPG (keys - including exporting
> > GPG public key to add into .ssh/authorized_keys, gpg-agent) with OpenSSH
> > client side?
> 
> I don't know about such a document. But, the gpg-agent thing is rather
> simple: add "enable-ssh-support" to your gpg-agent.conf (or use
> --enable-ssh-support). Then, gpg-agent will not only set GPG_AGENT_INFO
> in the environment, but also e.g. SSH_AUTH_SOCK. "ssh-add <key file>"
> can be used to introduce ssh keys to the gpg-agent. Note: this does only
> need to be done ONCE! gpg-agent will not simply forget added ssh keys
> when you restart it (like ssh-agent). The key is ready to use now.
> Whenever the passphrase for the key is required, gpg-agent fires up
> pinentry to retrieve the passphrase.
>
> Hope that helps,

Indeed, it greatly helped me in understanding the mental picture of what was
going on in gpg-agent :-). Thank you for that.

> moritz

Srihari 
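
The gpg-agent setup described in the quoted reply, as an added example that is not part of the original thread: it enables `enable-ssh-support` in a gpg-agent.conf without duplicating or mangling existing lines, and checks that `SSH_AUTH_SOCK` points at gpg-agent before `ssh-add` is run, so keys are not handed to a plain ssh-agent that forgets them on restart. The function names and the default path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Idempotently turn on the ssh-agent emulation in a gpg-agent.conf file.
# Prints "added" if the option was appended, "present" if already active.
ensure_ssh_support() {
    conf=$1
    if [ ! -e "$conf" ]; then
        # Create the file readable and writable by the owner only.
        ( umask 077 && : > "$conf" )
    fi
    # Only an active line counts; "# enable-ssh-support" is a comment.
    if grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        echo present
        return 0
    fi
    # Avoid gluing the option onto an unterminated last line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf 'enable-ssh-support\n' >> "$conf"
    echo added
}

# Classify the agent behind an SSH_AUTH_SOCK value by its socket name.
# gpg-agent names its ssh socket S.gpg-agent.ssh.
agent_kind() {
    case "$1" in
        "")                 echo none ;;
        */S.gpg-agent.ssh)  echo gpg-agent ;;
        *)                  echo other ;;
    esac
}

# Typical use (assumed default path; restart gpg-agent after a change):
#   ensure_ssh_support "$HOME/.gnupg/gpg-agent.conf"
#   agent_kind "$SSH_AUTH_SOCK"   # expect "gpg-agent" before running ssh-add
```
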


