gpg-agent, authentication key, and ssh
Werner Koch
wk at gnupg.org
Thu Jul 25 16:55:16 CEST 2013
On Tue, 23 Jul 2013 06:34, matt at 0x01b.net said:
> As I understand it, I can create an authentication subkey and use some utility
> to convert that to an ssh key. If this conversion is possible, then why can't
> the gpg-agent consider private auth (sub)keys along with ssh keys loaded via
> the SSH_AUTH_SOCK protocol?
It does this if the authkey is on a smart-card.
We can't further automate this because the gpg-agent protocol requires
that gpg-agent tells ssh all available keys so that ssh can ask the
server whether it is willing to accept a certain key. With the dozens of
auth-keys in a keyring this is a privacy problem and a performance
problem.
So what we require is that non-smartcard keys to be used with ssh are
listed in ~/.gnupg/sshcontrol. With GnuPG 2.1 the whole thing will
become easier because the gpg-agent has direct access to all private
keys and thus there is no more need to consult gpg to convert the
non-smartcard keys. This will actually allow writing a small GUI to
maintain the sshcontrol file.
> Also, out of curiosity... Would it be possible to multiplex the GPG_AGENT_INFO
> protocol with SSH_AUTH_SOCK? Damien Miller of OpenSSH has talked about unix
> socket forwarding [0], but nothing has come of it. I think it'd be a big win
In theory yes. If you want to try: gpg-agent 2.1 can use TCP instead of
a local socket to accept connection from gpg. It is a debugging aid
because there is no security - tunneling this via ssh would give you
this security.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
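The sshcontrol file mentioned above is the allow-list that decides which non-smartcard keygrips gpg-agent exposes over SSH_AUTH_SOCK, which is the privacy/performance control Werner describes. The following is an added example, not code from the thread or from GnuPG: a small POSIX sh helper that parses an sshcontrol file (one entry per line, `<keygrip> [<ttl-seconds> [confirm]]`, `#` comments, `!` disables an entry), lists the keygrips actually exposed to ssh, and appends a validated entry. The sample keygrips and the temporary file path are constructed for the demo; keygrip values are assumed to be 40 hex characters, as printed by `gpg --with-keygrip -K` on GnuPG 2.1 and later.

```shell
#!/bin/sh
# Added example (not from the original post): audit and extend a
# ~/.gnupg/sshcontrol allow-list. Line format assumed:
#   <keygrip> [<ttl-seconds> [confirm]]
# '#' starts a comment, a leading '!' disables the entry.

# is_keygrip KEYGRIP: succeed if KEYGRIP is 40 hexadecimal characters.
is_keygrip() {
  case "$1" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# active_keygrips FILE: print the keygrips FILE exposes to ssh, i.e.
# every entry that is not blank, not a comment and not '!'-disabled.
active_keygrips() {
  f=$1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|'!'*) continue ;;
    esac
    set -- $line            # split fields: keygrip, ttl, flags
    is_keygrip "$1" && printf '%s\n' "$1"
  done < "$f"
  return 0
}

# add_entry FILE KEYGRIP [TTL] [confirm]: append a validated entry.
# TTL 0 means "use the agent default"; 'confirm' makes the agent ask
# before each use of the key.
add_entry() {
  is_keygrip "$2" || { echo "refusing malformed keygrip: $2" >&2; return 1; }
  if [ -n "$4" ]; then
    printf '%s %s %s\n' "$2" "${3:-0}" "$4" >> "$1"
  else
    printf '%s %s\n' "$2" "${3:-0}" >> "$1"
  fi
}

# Stand-alone demo on a constructed file (never touches ~/.gnupg).
demo=$(mktemp)
printf '# constructed sample sshcontrol\n%s 0\n!%s 0 confirm\n' \
  0123456789ABCDEF0123456789ABCDEF01234567 \
  FEDCBA9876543210FEDCBA9876543210FEDCBA98 > "$demo"
add_entry "$demo" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 3600 confirm
echo "keygrips exposed to ssh:"
active_keygrips "$demo"
rm -f "$demo"
```

To use this against a real setup, put `enable-ssh-support` in gpg-agent.conf, point `SSH_AUTH_SOCK` at the agent's ssh socket (on 2.1 and later `gpgconf --list-dirs agent-ssh-socket` prints it), and compare `active_keygrips ~/.gnupg/sshcontrol` with `ssh-add -L`: every key the agent offers to servers should be one you deliberately listed.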