gpgkey2ssh and Ed25519 key
NIIBE Yutaka
gniibe at fsij.org
Tue Dec 22 01:06:18 CET 2015
On 12/21/2015 09:28 AM, perillamint wrote:
> I'm having trouble setting up ssh auth using Ed25519 key.
When you configure your gpg-agent properly (for your key), you can use
the SSH tool of ssh-add with option -L to show your public key in SSH
format.
Thank you for using new feature. I know that gpgkey2ssh is still
useful in some cases, but I think that you don't need it because we
can use 'ssh-add -L'.
Here is an example session to configure GnuPG for Ed25519 key. In
this example, I'm adding an authentication subkey for me. Here we go.
I invoke gpg 2.1.x with --edit-key option specifying my name.
An option of --expert is required for Ed25519 key, since it's
not yet in the OpenPGP standard.
$ gpg2 --expert --edit-key gniibe
gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 00000001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 00000001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 00000001
[ultimate] (1). NIIBE Yutaka <gniibe at fsij.org>
[ultimate] (2) NIIBE Yutaka <gniibe at debian.org>
These are my keys (on smartcard, in this case). I'm adding a subkey
of Ed25519 by the subcommand of "addkey".
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
I select "(11) ECC (set your own capabilities)" for authentication
key. Then, put the capability of "Authenticate"...
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Removed "Sign" capability, by typing "s" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Added "Authenticate" capability, by typing "a" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Done (by typing "q" and RETURN). Then, selection of the Curve...
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
I selected "(1) Curve 25519" by typing "1" and RETURN. The name would
be confusing, but this is the curve for Ed25519.
gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
Use this curve anyway? (y/N) y
Yup, we know. Confirmed by typing "y" and RETURN.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
Answered "y", more times. Then, I was asked for passphrase (two
times, not shown). I inputted it by pinentry.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 00000001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 00000001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 00000001
ssb ed25519/9E350F4D
created: 2015-12-21 expires: never usage: A
[ultimate] (1). NIIBE Yutaka <gniibe at fsij.org>
[ultimate] (2) NIIBE Yutaka <gniibe at debian.org>
OK, I have the subkey of ed25519/9E350F4D. Good.
gpg> save
Saved. We need the keygrip of this subkey to configure gpg-agent for
the SSH key. I invoke the gpg to see the keygrip:
$ gpg2 --with-keygrip --list-keys gniibe
pub rsa2048/4CA7BABE 2010-10-15
Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565
uid [ultimate] NIIBE Yutaka <gniibe at fsij.org>
uid [ultimate] NIIBE Yutaka <gniibe at debian.org>
sub rsa2048/084239CF 2010-10-15
Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C
sub rsa2048/5BB065DC 2010-10-22
Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED
sub ed25519/9E350F4D 2015-12-21
Keygrip = 308EB1096486CF3694380875EDC4C2C9973CB000
OK, the keygrip for ed25519/9E350F4D (my Ed25519 key) is:
308EB1096486CF3694380875EDC4C2C9973CB000
I put it in ~/.gnupg/sshcontrol. If done by command-line, it would be:
$ echo 308EB1096486CF3694380875EDC4C2C9973CB000 >> ~/.gnupg/sshcontrol
Well, I did edit the file by Emacs, though. Then, invoke
gpg-connect-agent to reload the file (of sshcontrol).
$ gpg-connect-agent RELOADAGENT /bye
OK
Let's see if gpg-agent knows the new key. I invoke ssh-add -L:
$ ssh-add -L
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQC/XqCK831odBl7Po174AExdRlOcyNSCKfJR18Mrxi8LnKwyjDgGH7Z29Qm4XyZvnLkJvSLcYiSx46iDMWbIYH7w1Or57kp/sUzdlj6clmlV8zklVthppYWpFd+x6Qif9CndRKcPr9S1+tbAIlU5k42RG90XnhEQF1/V3MR01mG0Ey9xBAIoHizZKX5XAjPheVGdDyZERB7Zry3e8kDrU+OjsVTjzq7oXtCE7EwI5c+pBQdF8qfXZC35nAizu0oqQEBne5MsF9ZIBaY/D+hhXVV51oyyCEwNGTr8Ol6KXKK7MWhf16gd0zjulwvO9xH88Q0n1eYur3plH+BZVjXOQPr
cardno:F51700000001
ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIL3u/YlGa9VfB/QdWCv8hOTonLpEoKoci2pCm/uI/XT7 (none)
OK, it is registered now (along with my old RSA key). We can see that
it's shorter than the one of RSA.
I'm putting this new key to my remote host where I already have my RSA
public key.
$ ssh-copy-id MY-REMOTE-HOST
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new
key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if
you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '******.****.***'"
and check to make sure that only the key(s) you wanted were added.
OK, done. My public key of ed25519/9E350F4D is registered onto the
~/.ssh/authorized_key of the remote machine. I'm login-ing into the
machine to confirm my new key really works (removing my token which
has RSA keys)...
gniibe at OrangePI:~$
Yes, I'm using Orange Pi PC these days.
--
More information about the Gnupg-users
mailing list