GnuPG & OpenSSH
sriharivijayaraghavan at yahoo.com.au
Tue Aug 21 13:40:47 CEST 2007
--- Moritz Schulte <mo at g10code.com> wrote:
> > 1. Is it possible to have only one key pair (public & secret pref. DSA)
> > can be used for both GPG & OpenSSH? (as a sys admin of some interest in
> > cryptography, this is an important question)
> Uhm, possible... sure, why not. I just don't know right now how one
> would achive that.
It's not a crazy idea then :-). It'd be nice to discover how to achieve this
though (if at all possible).
> > 2. Is gpg-agent, SSH agent service provided by GPG etc. somehow useful
> > when one has a card reader? Or put it other way, is it useful even when
> > has no card reader?
> gpg-agent supports the ssh-agent protocol and can be used as a drop-in
> replacement. It's definitely useful without smartcard reader.
> Supporting the smartcard out-of-the-box is an addon.
Thanks for that. On that note, I spent a few hours on gpg-agent & getting it
to look after my SSH private keys (with individual pass-phrases etc.). All
looking good. Wonderful.
> > 3. Am I missing a simple 'GPG/OpenSSH unification for dummies' (dummies
> > me :-)) with a few solid examples on unifying GPG (keys - including
> > GPG public key to add into .ssh/authorized_keys, gpg-agent) with OpenSSH
> > client side?
> I don't know about such a document. But, the gpg-agent thing is rather
> simple: add "enable-ssh-support" to your gpg-agent.conf (or use
> --enable-ssh-support). Then, gpg-agent will not only set GPG_AGENT_INFO
> in the environment, but also e.g. SSH_AUTH_SOCK. "ssh-add <key file>"
> can be used to introduce ssh keys to the gpg-gent. Note: this does only
> need to be done ONCE! gpg-agent will not simply forget added ssh keys
> when you restart it (like ssh-agent). The key is ready to use now.
> Whenever the passphrase for the key is required, gpg-agent fires up
> pinentry to retrieve the passphrase.
> Hope that helps,
Indeed, it greatly helped me in understanding the mental picture of what was
going on in gpg-agent :-). Thank you for that.
Get the World's number 1 free email service.
More information about the Gnupg-users