Is --export-ssh-key functionality possible with GnuPG 2.0?
Stephan Beck
stebe at mailbox.org
Thu Nov 24 17:51:00 CET 2016
Hi Teemu,
Teemu Likonen:
> Keys with authentication capability can be used with ssh, and GnuPG
> 2.1's command --export-ssh-key will export the ssh public key. Right?
Yes, --export-ssh-key has been introduced in gpg with release of version
2.1.11.
To set the whole thing up, a few more steps are necessary
(--enable-ssh-support in gpg.conf still is necessary AFAIK), but this is
the "new" export command.
>
> Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be
> told to export ssh public keys?
Yes, but it's a bit more laborious in comparison to gpg >= 2.1.11.
A) You do not use a smart card --> B) you use a smart card
A1) Install the monkeysphere package (1) that includes openpgp2ssh tool
A2) Export the secret subkey you'd like to use for ssh authentication
purposes and pipe it through openpgp2ssh
gpg2 --export-secret-subkeys \
--export-options export-reset-subkey-passwd [keyID!] | \
openpgp2ssh [keyID] > gpg-auth-keyfile
A3) Set correct permissions
chmod 0600 gpg-auth-keyfile
A4) Add the key to the agent
ssh-add gpg-auth-keyfile
A4) Check that the key effectively is loaded
ssh-add -l
A5) Extract the *public* key for use in the ~/.ssh/authorized_keys file
ssh-add -L
OR
gpgkey2ssh [keyID]
B) You use a smart card and have it inserted
Transfer your secret authentication subkey to the smart card by typing first
B1) gpg2 --edit-key [keyID]
Toggle and select the correct subkey
B2) gpg> toggle
B3) key [N]
N depends on the number of subkeys and describes the position of the key
in the listing
B4) Transfer the authentication subkey to the card
gpg> keytocard
Select the correct slot of the card for the auth subkey to be stored
Usually, it's "3"
B5) Enter passphrase
B6) Enter your card ADMIN PIN
B7) gpg> save
Cheers
Stephan
List member Damien Goutte-Gattat has an excellent write-up to be found at:
https://incenp.org/notes/2014/index.html
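
Added example, not part of the original message: a check to run on the file from step A2 before step A4, since export-reset-subkey-passwd removes the passphrase from the exported subkey. The function names audit_keyfile and file_mode are hypothetical, and the check assumes openpgp2ssh wrote a PEM-encoded private key.

```shell
#!/bin/sh
# Added example: audit the exported key file (step A2) before ssh-add (A4).

# Print the octal permission bits of $1 (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_keyfile FILE
# Prints one finding per line; returns 0 only if no FAIL finding was printed.
audit_keyfile() {
    f=$1
    rc=0
    # A symlink or special file could redirect the secret somewhere else.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"
        return 1
    fi
    mode=$(file_mode "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600 (step A3)"
        rc=1
    fi
    # Assumption: the file is PEM, so the armor lines show whether it is encrypted.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "FAIL: no PEM private key header found"
        rc=1
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                 -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "INFO: PEM key is passphrase-protected"
    else
        echo "WARN: key is unprotected on disk; delete it once ssh-add -l lists it"
    fi
    return $rc
}

# Demo on a constructed placeholder file (not real key material).
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo"
chmod 0600 "$demo"
audit_keyfile "$demo"
rm -f "$demo"
```
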