GnuPG & OpenSSH

Srihari Vijayaraghavan sriharivijayaraghavan at
Wed Aug 22 15:41:54 CEST 2007

--- Werner Koch <wk at> wrote:
> On Mon, 20 Aug 2007 14:10, sriharivijayaraghavan at said:
> > 1. Is it possible to have only one key pair (public & secret pref. DSA)
> > that can be used for both GPG & OpenSSH? (as a sys admin of some interest
> > in cryptography, this is an important question)
> Yes.  However you want separate keys for separate tasks.  Fortunately
> OpenPGP provides just that: There is a primary key for certifying other
> keys (and subkeys) and subkeys for encryption, signing and
> authentication.  The authentication key may be used for SSH.

Thanks for the direction there.

I now have an 'authentication' subkey created. I've even extracted the SSH
compatible public key from the subkey using gpgkey2ssh (which I can propagate
to .ssh/authorized_keys of the remote machines).

I'm stuck, unable to understand how to integrate the secret key of the above
authentication subkey with gpg-agent (or ssh-agent for that matter, though
gpg-agent is my preferred choice now :-)).

Just by observing things, I'd say I've two choices:
1. Extract the SSH compatible secret key from the authentication subkey
somehow; then use ssh-add to populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files. Naturally, I don't know how to
extract an SSH compatible key from the subkey to feed it to ssh-add, so I can
make no progress here.
2. Or by "other means" populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files. I've made no progress here
either for the lack of skill & knowledge.

I'd appreciate it if a GnuPG expert could guide me with either one of the choices
above (or perhaps a smartcard is the only suitable path etc., as the gpg-agent man
page implies the smartcard approach is capable of handling .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files 'automatically').

I also couldn't work out how to extract the keygrip id of a subkey (using gpg2
--fingerprint <subkeyid> OR gpg2 --edit-key <subkeyid> etc.). I suspect the
keygrip of a subkey might be the same as the primary key it's associated with.

(If yes, then the next question is how to populate
.gnupg/private-keys-v1.d/<keygrip>.key with the right content :-).)

Thank you.


PS: Indeed, with gpg-agent I've struck a gold-mine ;-). It would be nice if I could
get the SSH integration using a GPG subkey going somehow. I have some very useful
uses for these ideas.
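The procedure the poster is trying to work out above (find the keygrip of the authentication subkey, register it in sshcontrol, and hand the public half to OpenSSH) is shown below as an added example; it is not code from this thread or from the GnuPG project. It assumes GnuPG 2.1 or later, which added `--with-keygrip` and `gpg --export-ssh-key` (the latter replaces the gpgkey2ssh helper used in the thread); in GnuPG each subkey has its own keygrip, distinct from the primary key's, because the keygrip is a hash over that key's public parameters. The colon-format listing embedded in the script is constructed sample data, not a real key, so the parsing and sshcontrol logic run without a keyring; the live-keyring steps are guarded behind the hypothetical `RUN_WITH_GPG=1` switch.

```shell
#!/bin/sh
# Added example (not GnuPG's own code): register an OpenPGP authentication
# subkey with gpg-agent's SSH support. Assumes GnuPG >= 2.1.

# Print the keygrip of every (sub)key whose own capabilities include 'a'
# (authentication). Reads `gpg --with-colons --with-keygrip` records on stdin.
auth_keygrips() {
    awk -F: '
        # pub/sec/sub/ssb records: field 12 lists capabilities; lowercase
        # letters are the capabilities of this key itself (uppercase = any
        # key in the set), so /a/ matches only a key that can authenticate.
        $1 ~ /^(pub|sec|sub|ssb)$/ { want = ($12 ~ /a/) }
        # The grp record that follows fpr carries the keygrip in field 10.
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Append a keygrip to an sshcontrol file unless it is already listed.
# Line format: "<keygrip> <ttl-seconds> [confirm]"; TTL 0 selects the
# agent's default-cache-ttl-ssh.
register_keygrip() {
    grip=$1; file=$2; ttl=${3:-0}
    if grep -q "^$grip" "$file" 2>/dev/null; then
        echo "already registered: $grip"
        return 0
    fi
    printf '%s %s\n' "$grip" "$ttl" >> "$file"
}

# Constructed sample listing (not a real key): a certify/sign primary key,
# an encryption subkey ('e') and an authentication subkey ('a').
SAMPLE_LISTING='sec:u:2048:1:0123456789ABCDEF:1187791314:::u:::scESC:::+:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
grp:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1187791314::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1187791314::::::e:::+:::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
grp:::::::::1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE:
ssb:u:2048:1:1122334455667788:1187791314::::::a:::+:::23:
fpr:::::::::8877665544332211887766554433221188776655:
grp:::::::::9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB:'

# Runs the selector over the constructed listing; expected to yield only
# the authentication subkey's keygrip.
sample_auth_keygrips() {
    printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
}

# Live-keyring use (hypothetical switch; not run by default). Usage:
#   RUN_WITH_GPG=1 sh this.sh <key-id-or-user-id>
if [ "${RUN_WITH_GPG:-0}" = 1 ]; then
    homedir=${GNUPGHOME:-$HOME/.gnupg}
    grip=$(gpg --with-colons --list-secret-keys --with-keygrip "${1:?key id}" \
           | auth_keygrips | head -n 1)
    [ -n "$grip" ] || { echo "no authentication subkey found" >&2; exit 1; }
    register_keygrip "$grip" "$homedir/sshcontrol"
    # gpg-agent only serves the ssh-agent protocol when this option is set.
    grep -q '^enable-ssh-support' "$homedir/gpg-agent.conf" 2>/dev/null ||
        echo enable-ssh-support >> "$homedir/gpg-agent.conf"
    gpgconf --kill gpg-agent
    # OpenSSH must talk to gpg-agent's socket instead of ssh-agent's.
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    # Public half in authorized_keys format, for the remote hosts.
    gpg --export-ssh-key "$1"
    ssh-add -L   # should now list the same key, served by gpg-agent
fi
```

When the switch is on, the script touches only `sshcontrol` and `gpg-agent.conf` under the GnuPG home directory; the secret key never leaves `private-keys-v1.d`, which is the point of letting gpg-agent answer SSH challenges rather than extracting an OpenSSH-format private key.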


More information about the Gnupg-users mailing list