gpgkey2ssh

Werner Koch wk at gnupg.org
Fri Oct 22 10:02:55 CEST 2010


On Fri, 22 Oct 2010 03:58, aaron.toponce at gmail.com said:
> First, there is _ZERO_ documentation for this binary. No manual, no info
> page, nothing under /usr/share/doc/, segfaults passing "-h" or "--help".

Ah well, it should be removed from the package.  It used to be a kind of
debug tool but I never used it in all these years.  The plan was to
replace it with a special export option:

  gpg2 --export-options export-sexp-format --export-secret-key KEYID

but that has never been fully implemented.  The forthcoming GnuPG 2.1
makes it obsolete.

> of me. Correct me if I'm wrong, but I should be able to add this
> identity to the running SSH agent through "ssh-add", no? Here's the

No.  It's the other way around.

The whole point of the ssh support is to replace ssh-agent: gpg-agent if
started with the option --enable-ssh-support implements the
ssh-agent-protocol and thus works with ssh and ssh-add.

With a running gpg-agent you can do

  ssh-add

and gpg-agent imports the key into its own private key database.  After
you have done that you may remove the private keys from .ssh/.  If you
later run

  ssh-add -l

it will show you the ssh keys gpg-agent knows about.  To better control
this you may use the ~/.gnupg/sshcontrol file:

  `sshcontrol'
     This file is used when support for the secure shell agent protocol
     has been enabled (*note option --enable-ssh-support::). Only keys
     present in this file are used in the SSH protocol.  You should
     backup this file.

     The `ssh-add' tool may be used to add new entries to this file;
     you may also add them manually.  Comment lines, indicated by a
     leading hash mark, as well as empty lines are ignored.  An entry
     starts with optional whitespace, followed by the keygrip of the
     key given as 40 hex digits, optionally followed by the caching TTL
     in seconds and another optional field for arbitrary flags.  A
     non-zero TTL overrides the global default as set by
     `--default-cache-ttl-ssh'.

     The keygrip may be prefixed with a `!' to disable an entry.

     The following example lists exactly one key.  Note that keys
     available through an OpenPGP smartcard in the active smartcard
     reader are implicitly added to this list; i.e. there is no need to
     list them.

            # Key added on 2005-02-25 15:08:29
            5A6592BF45DC73BD876874A28FD4639282E29B52 0

If you want to use an existing gpg key with ssh you need a way to put it
into gpg-agent.  If you use smartcards then there is no need for this
because gpg-agent does that of its own.  *GnuPG 2.1* will make it really
easy to use an existing key for ssh:

  $ gpg2 --with-keygrip -K CD8687F6
  sec   1024D/CD8687F6 2006-01-17
        Keygrip = 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C
  uid                  Heinrich Heine <heinrichh at duesseldorf.de>
  ssb   1024g/4ECFEF6F 2006-01-17
        Keygrip = 654EFA6F19DF08ABFEB88092BC4867D4C5A95460
  
Now you only need to put a line

21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C  0

into sshcontrol and gpg-agent offers the primary key CD8687F6 to ssh if
it asks for a list of private keys (check with ssh-add -l).



Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
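
An added example, not part of Werner's message and not GnuPG's own code: a few
POSIX sh helpers that work on a file in the sshcontrol format quoted above
(comment and empty lines ignored; an entry is optional whitespace, a
40-hex-digit keygrip, an optional TTL in seconds and an optional flags field;
a leading `!' disables the entry).  The function names are hypothetical, the
file it operates on is a constructed temporary file rather than the real
~/.gnupg/sshcontrol, and the keygrips are the ones shown in the message.

```shell
#!/bin/sh
# Added example: helpers for gpg-agent's ~/.gnupg/sshcontrol file.
# Not code from GnuPG or from the post; the function names are hypothetical.
# Format (from the manual text quoted in the post): '#' comment lines and
# empty lines are ignored; an entry is optional whitespace, a 40-hex-digit
# keygrip, an optional TTL in seconds (0 = use --default-cache-ttl-ssh) and
# an optional flags field.  A leading '!' disables the entry.

# sshcontrol_active FILE
#   Print "KEYGRIP TTL" for every enabled, well-formed entry.
sshcontrol_active() (
    set -f                          # no pathname expansion when splitting a line
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                # default IFS: drops leading blanks, splits fields
        grip=${1:-} ttl=${2:-0}
        case $grip in
            ''|'#'*)        continue ;;   # empty or comment line
            '!'*)           continue ;;   # disabled entry
            *[!0-9A-Fa-f]*) continue ;;   # not hex: malformed, ignore
        esac
        [ ${#grip} -eq 40 ] || continue   # a keygrip is exactly 40 hex digits
        printf '%s %s\n' "$grip" "$ttl"
    done < "$file"
)

# sshcontrol_add FILE KEYGRIP [TTL]
#   Append an entry the way ssh-add does (dated comment plus keygrip line).
#   Returns 1 for a malformed keygrip and 2 if the keygrip is already listed,
#   enabled or disabled, so a deliberately disabled key is never re-enabled
#   by accident.
sshcontrol_add() {
    file=$1 grip=$2 ttl=${3:-0}
    case $grip in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ ${#grip} -eq 40 ] || return 1
    if grep -Eiq "^[[:space:]]*!?$grip([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 2
    fi
    {
        printf '# Key added on %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf '%s %s\n' "$grip" "$ttl"
    } >> "$file"
}

# sshcontrol_disable FILE KEYGRIP
#   Prefix the entry with '!'.  Idempotent: an already disabled line does not
#   match the pattern and is left alone.
sshcontrol_disable() {
    file=$1 grip=$2 tmp="$1.tmp.$$"
    sed -E "s/^([[:space:]]*)($grip)([[:space:]]|\$)/\1!\2\3/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Demo on a constructed file; the real one is ~/.gnupg/sshcontrol.
demo_dir=$(mktemp -d) && demo_file="$demo_dir/sshcontrol"
cat > "$demo_file" <<'EOF'
# Key added on 2005-02-25 15:08:29
5A6592BF45DC73BD876874A28FD4639282E29B52 0
!654EFA6F19DF08ABFEB88092BC4867D4C5A95460 0
EOF
sshcontrol_add "$demo_file" 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 600
sshcontrol_active "$demo_file"   # prints the 5A65... and 21EB... entries, not the disabled 654E... one
rm -rf "$demo_dir"
```

Pointed at the real ~/.gnupg/sshcontrol this is the manual equivalent of the
"put a line into sshcontrol" step; whether gpg-agent then offers the key is
still best confirmed the way Werner says, with ssh-add -l.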
