Is --export-ssh-key functionality possible with GnuPG 2.0?

Peter Lebbing peter at digitalbrains.com
Thu Nov 24 20:56:20 CET 2016


Stephan, thanks for helping out! I think I can improve a bit on one part
of it, though.

On 24/11/16 17:51, Stephan Beck wrote:
> A2) Export the secret subkey you'd like to use for ssh authentication
> purposes and pipe it through openpgp2ssh
> gpg2 --export-secret-subkeys \
>   --export-options export-reset-subkey-passwd [keyID!] | \
>   openpgp2ssh [keyID] > gpg-auth-keyfile
> 
> A3) Set correct permissions
> 
> chmod 0600 gpg-auth-keyfile

This leaves open a window where the file with your private key might be
world-readable.

The thing I usually do is this:

$ mkdir safe
$ chmod 700 safe
$ cd safe
$ [... do your stuff ...]
$ cd ..
$ rm -rf safe

The directory permissions prevent anyone from getting a handle for your
file. Even if the file is world-readable, nobody can get towards the
file. This is not true if you are on an NFS share, though!

The thing I would expect to actually be in the textbooks is a variation of:

$ OLD_UMASK=$(umask)
$ umask 0077
$ [... do your stuff ...]
$ umask $OLD_UMASK

The umask 0077 will create any new files with all access rights cleared
for group and world. This is your A2 and A3 folded into one, safely,
without a gap.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
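The following script is an added illustration of the two approaches in this message; it is not code from Peter, Stephan, or the GnuPG project. It uses a constructed placeholder string in place of the `gpg2 --export-secret-subkeys ... | openpgp2ssh` pipeline, so it runs without any key material, and it assumes GNU `stat -c` with a BSD `stat -f` fallback for reading permission bits. It records the mode a key file has in the window between A2 and A3, the mode it gets when `umask 0077` is set first, and the mode of a `mktemp -d` working directory.

```shell
#!/bin/sh
# Added example, not from the original thread. The "constructed secret
# material" below stands in for the output of the gpg2 | openpgp2ssh pipeline.

# Print the octal permission bits of a path (GNU stat, with BSD/macOS fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Steps A2 then A3 as quoted in the thread: the file is created under the
# current umask and only afterwards restricted with chmod. Returns the mode
# the file had during that window (with a typical 022 umask this is 644).
export_then_chmod() {
    dir=$1
    old_umask=$(umask)
    umask 022                                   # typical default umask
    printf 'constructed secret material\n' > "$dir/key-race"
    mode_in_window=$(file_mode "$dir/key-race")
    chmod 0600 "$dir/key-race"                  # A3: restrict after the fact
    umask "$old_umask"
    echo "$mode_in_window"
}

# Peter's suggestion: set umask 0077 before writing, so the file never has
# group or world bits at any point. Returns the mode at creation (600).
export_with_umask() {
    dir=$1
    old_umask=$(umask)
    umask 0077
    printf 'constructed secret material\n' > "$dir/key-umask"
    umask "$old_umask"
    file_mode "$dir/key-umask"
}

# The other approach from the thread: work inside a directory nobody else can
# traverse. mktemp -d creates it with mode 0700, like the mkdir/chmod 700 pair.
private_workdir() {
    d=$(mktemp -d)
    m=$(file_mode "$d")
    rmdir "$d"
    echo "$m"
}

main() {
    work=$(mktemp -d)
    echo "mode during the A2->A3 window: $(export_then_chmod "$work")"
    echo "mode with umask 0077 set first: $(export_with_umask "$work")"
    echo "mode of a mktemp -d directory:  $(private_workdir)"
    rm -rf "$work"
}

main
```

Because each function is called through `$(...)`, its umask change stays in the subshell; in an interactive session the save-and-restore around `umask 0077` is what keeps later commands from inheriting it. The directory approach still depends on the filesystem honouring the 0700 bits, which is the NFS caveat raised above.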