using an expired GPG key with ssh
stebe at mailbox.org
Tue Feb 16 03:54:46 CET 2016
Hi Marko,
Marko Bauhardt:
> Hi,
> I plan to use my GPG authentication key to do a login via ssh onto my server.
> I tried monkeysphere to convert my GPG key to a ssh key, and adding the key to the ssh-agent. Everything works as expected.
>
> But the question I have is, will `ssh-add` or `monkeysphere subkey-to-ssh-agent` fail when my GPG subkey is expired?
> Has anyone experience with GPG and ssh authentication?
> Should I use the gpg-agent instead of the ssh-agent?
according to monkeysphere(7) to be found in /usr/share/man/man7,
monkeysphere subkey-to-ssh-agent will fail.
Quote (using nroff):
The monkeysphere commands work from a set of user IDs to determine acceptable keys for ssh and TLS authentication. OpenPGP keys are considered acceptable if the following criteria are met:
The key must have the ‘authentication’ (‘a’) usage flag set. The key itself must be valid, i.e. it must be well-formed, not expired, and not revoked. The relevant user ID must be signed by a trusted identity certifier.
As ssh-add arguments are being invoked from monkeysphere
subkey-to-ssh-agent (as additional parameters), this ssh-add would fail, too.
According to the gnupg.info manual it is possible to use the gpg-agent
"as a drop-in replacement" for the ssh-agent (and I'd prefer doing
that), if you run
gpg-agent --daemon --enable-ssh-support \
--write-env-file "${HOME}/.gpg-agent-info"
when starting a session and no gpg-agent is already running.
(see chapter 2 Invoking GPG Agent, 2.2 Option Summary
(--enable-ssh-support), in the gnupg.info manual, for a detailed
explanation)
HTH
Stebe
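A pre-check along the lines of the man page criteria, as an added example that is not part of this thread or of monkeysphere: it parses the colon-format output of `gpg --list-keys --with-colons` and reports which authentication-capable ('a') subkeys are expired or revoked, so you find out before ssh-add refuses the key. It assumes the gnupg colon record layout (field 2 is the validity letter, field 12 the capability letters) and runs on a constructed listing embedded below.

```shell
#!/bin/sh
# Added example (not from the thread or from monkeysphere): pre-check the
# authentication subkeys in `gpg --list-keys --with-colons` output before
# handing one to ssh-add via monkeysphere subkey-to-ssh-agent.
# Assumed record layout (gnupg doc/DETAILS): field 1 is the record type,
# field 2 the validity letter (e = expired, r = revoked, i = invalid,
# d = disabled), field 5 the key ID, field 12 the capability letters,
# where a lowercase 'a' marks an authentication-capable subkey.

# Reads colon records on stdin; prints "KEYID<TAB>STATUS" per 'a' subkey.
auth_subkey_status() {
  awk -F: '
    $1 == "sub" && index($12, "a") > 0 {
      status = "ok"
      if ($2 == "e")      status = "expired"
      else if ($2 == "r") status = "revoked"
      else if ($2 == "i" || $2 == "d") status = "unusable"
      printf "%s\t%s\n", $5, status
    }'
}

# Exit 0 only if at least one authentication subkey is still usable.
has_usable_auth_subkey() {
  auth_subkey_status | awk -F'\t' '$2 == "ok" { found = 1 }
                                   END { if (found) exit 0; exit 1 }'
}

# Constructed sample listing: one expired and one valid 'a' subkey.
# Real use: gpg --list-keys --with-colons "$KEYID" | auth_subkey_status
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1450000000:::u:::scESCA:
sub:e:4096:1:FEDCBA9876543210:1450000000:1455000000:::::a:
sub:u:4096:1:1122334455667788:1450000000:1480000000:::::a:'

printf '%s\n' "$SAMPLE_LISTING" | auth_subkey_status
if printf '%s\n' "$SAMPLE_LISTING" | has_usable_auth_subkey; then
  echo "a usable authentication subkey exists; safe to call subkey-to-ssh-agent"
fi
```

This only covers the "not expired, not revoked" criterion; whether the user ID is signed by a trusted certifier is still left to monkeysphere itself.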