GnuPG & OpenSSH

Srihari Vijayaraghavan sriharivijayaraghavan at
Tue Aug 21 13:51:32 CEST 2007

--- Werner Koch <wk at> wrote:
> On Mon, 20 Aug 2007 14:10, sriharivijayaraghavan at said:
> > 1. Is it possible to have only one key pair (public & secret pref. DSA)
> that
> > can be used for both GPG & OpenSSH? (as a sys admin of some interest in
> > cryptography, this is an important question)
> Yes.  However you want separate keys for separate tasks.  Fortunately
> OpenPGP provides just that: There is a primary key for certifying other
> keys (and subkeys) and subkeys for encryption, signing and
> authentication.  The authentication key may be used for SSH.

Good. Agreed it's a good idea to maintain a key per task (in fact in OpenSSH
automation side of things having a key pair per task does help a lot).

Question: when I did gpg2 --gen-keys (& ran through with the default
DSA/Elgamal keys), the 'authentication key' (that'd be suitable for SSH
authentication you're referring to) created by default? (or the DSA private
key be suitable for that purpose? I suspect so.)

Then the question is, now for the OpenSSH private key, how to extract/create
the said 'authentication key' that can be stored in ~/.ssh/id_dsa format for
SSH authentication?

(I've worked out the extraction of the SSH compatible public key from the GPG
using gpgkey2ssh tool, so ~/.ssh/ is taken care of. Alas, gpg2
--list-public-keys and --list-secret-keys gives the same ID for both public &
secret keys.)

Or is there a trick involved in gpg-agent directly handling private key needed
for SSH client somehow? (by only propagating the gpgkey2ssh extracted public
key to .ssh/authorized_hosts of the remote machines)


Get the World's number 1 free email service.

More information about the Gnupg-users mailing list