GnuPG & OpenSSH

Srihari Vijayaraghavan sriharivijayaraghavan at yahoo.com.au
Wed Aug 22 15:41:54 CEST 2007


--- Werner Koch <wk at gnupg.org> wrote:
> On Mon, 20 Aug 2007 14:10, sriharivijayaraghavan at yahoo.com.au said:
> 
> > 1. Is it possible to have only one key pair (public & secret pref. DSA) that
> > can be used for both GPG & OpenSSH? (as a sys admin of some interest in
> > cryptography, this is an important question)
> 
> Yes.  However you want separate keys for separate tasks.  Fortunately
> OpenPGP provides just that: There is a primary key for certifying other
> keys (and subkeys) and subkeys for encryption, signing and
> authentication.  The authentication key may be used for SSH.

Thanks for the direction there.

I now have an 'authentication' subkey created. I've even extracted the SSH
compatible public key from the subkey using gpgkey2ssh (which I can propagate
to .ssh/authorized_keys of the remote machines).

I'm stuck, unable to understand how to integrate the secret key of the above
authentication subkey with gpg-agent (or ssh-agent for that matter, though
gpg-agent is my preferred choice now :-)).

Just by observing things, I'd say I've two choices:
1. Extract the SSH compatible secret key from the authentication subkey
somehow; then use ssh-add to populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files. Naturally, I don't know how to
extract an SSH compatible key from the subkey to feed it to ssh-add, so I can
make no progress here.
2. Or by "other means" populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files. I've made no progress here
either for the lack of skill & knowledge.

I'd appreciate it if a GnuPG expert can guide me with either one of the choices
above (or perhaps a Smartcard's the only suitable path etc., as the gpg-agent man
pages imply the smartcard approach is capable of handling .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/<keygrip>.key files 'automatically').

I also couldn't work out how to extract the keygrip id of a subkey (using gpg2
--fingerprint <subkeyid> OR gpg2 --edit-key <subkeyid> etc.). I suspect the
keygrip of a subkey might be the same as the primary key it's associated with.
Yes?

(If yes, then the next question is how to populate
.gnupg/private-keys-v1.d/<keygrip>.key with the right content :-).)

Thank you.

Srihari

PS: Indeed with gpg-agent I've struck a gold-mine ;-). It would be nice if I could
get the SSH integration using a GPG subkey going somehow. I have some very useful
uses for these ideas.
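As an added example (not part of this thread, and not GnuPG's own code), assuming GnuPG 2.1 or later, where OpenPGP secret keys are stored in private-keys-v1.d and `gpg --with-keygrip --with-colons -K` prints a `grp:` record after each key: a POSIX shell snippet that picks out the keygrip of the subkey carrying the authenticate capability and registers it in sshcontrol so gpg-agent (started with `enable-ssh-support` in gpg-agent.conf) offers it over the SSH agent protocol. Every key, primary or subkey, has its own keygrip, so the subkey's grip is not the primary's; all key ids, fingerprints and keygrips below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-keygrip --with-colons -K` output (GnuPG 2.1+).
# Record layout: field 12 of sec/ssb holds capability letters (a = authenticate);
# field 10 of the following grp record holds that key's keygrip.
SAMPLE_LISTING='sec:u:2048:1:1111111111111111:1500000000:::u:::cSC::::::23::0:
fpr:::::::::AAAA1111111111111111111111111111111111AA:
grp:::::::::BBBB2222222222222222222222222222222222BB:
uid:u::::1500000000::0123456789ABCDEF::Example User <user at example.invalid>::::::::::0:
ssb:u:2048:1:2222222222222222:1500000000::::::e::::::23:
fpr:::::::::CCCC3333333333333333333333333333333333CC:
grp:::::::::DDDD4444444444444444444444444444444444DD:
ssb:u:2048:1:3333333333333333:1500000000::::::a::::::23:
fpr:::::::::EEEE5555555555555555555555555555555555EE:
grp:::::::::FFFF6666666666666666666666666666666666FF:'

# auth_keygrips: read a colon listing on stdin and print the keygrip of every
# subkey whose capability field contains "a", one per line. The primary key
# (sec record) is deliberately skipped: the thread wants a dedicated subkey.
auth_keygrips() {
    awk -F: '
        $1 == "sec" { want = 0 }
        $1 == "ssb" { want = (index($12, "a") > 0) }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# register_keygrip FILE GRIP: append GRIP to an sshcontrol file unless it is
# already listed. gpg-agent reads one keygrip per line, optionally followed by
# a TTL in seconds (0 = no expiry); the file is normally ~/.gnupg/sshcontrol.
register_keygrip() {
    file=$1
    grip=$2
    [ -f "$file" ] || : > "$file"
    grep -q "^$grip" "$file" || echo "$grip 0" >> "$file"
}

# Demonstration on the constructed listing, using a temporary file in place of
# ~/.gnupg/sshcontrol so nothing in the real keyring is touched.
demo() {
    tmp=$(mktemp)
    grip=$(printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips)
    register_keygrip "$tmp" "$grip"
    register_keygrip "$tmp" "$grip"   # second call is a no-op
    echo "authentication subkey keygrip: $grip"
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

The matching public key for authorized_keys comes from `gpg --export-ssh-key <subkey-id>!` on GnuPG 2.1+ (the thread's gpgkey2ssh on 2.0), and the listed key only becomes usable once gpg-agent is the agent behind SSH_AUTH_SOCK.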


