gnupg as ssh-agent

Daniel Kahn Gillmor dkg at
Mon Jul 20 23:22:52 CEST 2009

On 07/17/2009 08:40 PM, Alex Mauer wrote:
> Daniel Kahn Gillmor wrote:
>> If you have an authentication-capable subkey on your OpenPGP key, you
>> might be interested in monkeysphere (,
>> which has some tools for importing authentication-capable RSA subkeys
>> into a running ssh-agent.
> Why is it that GnuPG can expose an authentication-capable subkey from an
> OpenPGP smartcard via OpenSSH, but can't expose an
> authentication-capable subkey from its keyring?

I haven't been able to get the one OpenPGP smartcard i've fooled around
with to work (maybe i have a crappy reader), so i can't comment on
whether GnuPG can actually expose that through it's ssh-agent emulation.

The monkeysphere package i described above actually *can't* send a key
from the GPG smartcard through to a separate (non-gpg-agent) ssh-agent,
though -- it extracts the relevant subkey, transforms its RSA key
material to a form that ssh-agent can read, and hands it off directly.

> Or can it, but I'm doing something completely wrong?

I've never been able to convince gpg-agent to treat a gpg key as key for
ssh-agent myself, but perhaps Werner or David can comment on whether
that's actually possible or intended.  I agree it would be a useful
feature, but i prefer OpenSSH's ssh-agent implementation over the
gpg-agent implementation of the same protocol.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090720/e8f5ab86/attachment.pgp>

More information about the Gnupg-users mailing list