Expired GPG key for ssh authentication

Andrew Gallagher andrewg at andrewg.com
Sun Jan 29 15:18:08 CET 2017


> On 29 Jan 2017, at 10:39, Marko Bauhardt <marko.bauhardt at mailbox.org> wrote:
> 
> Now, one year later, my ssh subkey is expired. But I’m still able to log in to my ssh-server. 
> My assumption was that I can use this subkey only if this key is valid. Is the expired key working because I’m using the ssh-agent instead of the gpg-agent?

It is still working because the remote ssh server has no concept of key expiry. When you converted your auth subkey to ssh format you stripped all the expiry info from it. (There is the related problem of your client offering the expired key to the server, but this is relatively harmless). 

If you want your ssh key to stop working when the auth subkey expires, you need to make sure to run monkeysphere on a regular basis (cron) on the remote server, to refresh the authorized_keys and thereby overwrite any ssh keys associated with expired pgp keys. Ssh keys themselves do not expire. 

See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Andrew. 
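
The expiry date discussed above exists only in the OpenPGP key listing, so a periodic check has to read it from there. As an added example (not part of the original message and not monkeysphere's code), this parses `gpg --with-colons --list-keys` output and reports which authentication-capable subkeys have expired. It assumes the GnuPG 2.x colon format with epoch-second timestamps; the function name and the sample listing are constructed for illustration.

```python
# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1451606400:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1451606400::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1451606400:1483228800:::::a::::::23:
fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBBB:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1483228800:1514764800:::::a::::::23:
fpr:::::::::000000000000000000000000CCCCCCCCCCCCCCCC:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1451606400::::::e::::::23:
fpr:::::::::000000000000000000000000DDDDDDDDDDDDDDDD:
"""

NOW = 1485648000  # 2017-01-29 00:00:00 UTC, fixed so the result is reproducible


def auth_subkeys(colon_listing, now):
    """Return one dict per authentication-capable subkey with its expiry status.

    Only the subkey's own expiry (field 7) is evaluated; expiry or revocation
    of the primary key is not considered here.
    """
    found, current = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = None  # a new key record starts; forget the previous one
        if f[0] == "sub" and len(f) > 11 and "a" in f[11]:  # field 12: capabilities
            expires = int(f[6]) if f[6] else None  # field 7: empty means no expiry
            current = {
                "keyid": f[4],
                "fingerprint": None,
                "expires": expires,
                "expired": expires is not None and expires <= now,
            }
            found.append(current)
        elif f[0] == "fpr" and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = f[9]  # field 10 of the fpr record after the sub
    return found


if __name__ == "__main__":
    for key in auth_subkeys(SAMPLE, NOW):
        state = "EXPIRED" if key["expired"] else "valid"
        print(f'{key["keyid"]} {key["fingerprint"]} {state}')
```

An ssh public key exported from a subkey flagged here carries none of this metadata, which is why the matching `authorized_keys` entry has to be removed or regenerated on the server.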