Identifying one of multiple authentication subkeys

Peter Lebbing peter at digitalbrains.com
Sat Mar 16 11:11:57 CET 2019


Hi Brian,

On 15/03/2019 23:28, Brian Exelbierd wrote:
> Hi,
> Either way, I am unsure how to identify which subkey is which SSH key.

Provided the auth keys are in your .gnupg/sshcontrol file, the following
will help:

--8<---------------cut here---------------start------------->8---
$ ssh-add -L | head -1 >firstkey

$ ssh-keygen -l -E md5 -f firstkey 
2048 MD5:69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 /home/peter/.ssh/id_rsa (RSA)

$ gpg-connect-agent 
> help keyinfo
# KEYINFO [--[ssh-]list] [--data] [--ssh-fpr] [--with-ssh] <keygrip>
# 
# Return information about the key specified by the KEYGRIP.  If the
# key is not available GPG_ERR_NOT_FOUND is returned.  If the option
# --list is given the keygrip is ignored and information about all
# available keys are returned.  If --ssh-list is given information
# about all keys listed in the sshcontrol are returned.  With --with-ssh
# information from sshcontrol is always added to the info. Unless --data
# is given, the information is returned as a status line using the format:
# 
#   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
# 
# KEYGRIP is the keygrip.
# 
# TYPE is describes the type of the key:
#     'D' - Regular key stored on disk,
#     'T' - Key is stored on a smartcard (token),
#     'X' - Unknown type,
#     '-' - Key is missing.
# 
# SERIALNO is an ASCII string with the serial number of the
#          smartcard.  If the serial number is not known a single
#          dash '-' is used instead.
# 
# IDSTR is the IDSTR used to distinguish keys on a smartcard.  If it
#       is not known a dash is used instead.
# 
# CACHED is 1 if the passphrase for the key was found in the key cache.
#        If not, a '-' is used instead.
# 
# PROTECTION describes the key protection type:
#     'P' - The key is protected with a passphrase,
#     'C' - The key is not protected,
#     '-' - Unknown protection.
# 
# FPR returns the formatted ssh-style fingerprint of the key.  It is only
#     printed if the option --ssh-fpr has been used.  It defaults to '-'.
# 
# TTL is the TTL in seconds for that key or '-' if n/a.
# 
# FLAGS is a word consisting of one-letter flags:
#       'D' - The key has been disabled,
#       'S' - The key is listed in sshcontrol (requires --with-ssh),
#       'c' - Use of the key needs to be confirmed,
#       '-' - No flags given.
# 
# More information may be added in the future.
OK
> keyinfo --ssh-list --ssh-fpr
S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - - P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - S
S KEYINFO 64711FCE432F5387CCDD5E466513387B63096989 D - - - P c1:34:c6:23:f7:d5:64:fb:49:7a:d3:53:db:d1:87:64 - S
OK
> 
--8<---------------cut here---------------end--------------->8---

ssh-add was used to export the first key in the agent to a file.
ssh-keygen can produce an MD5 fingerprint for that file for you.

You can match the MD5 fingerprint to the 7th field of KEYINFO. Then the
1st field will give you the keygrip of that SSH key.

If your auth keys are for some reason not in sshcontrol, you could use

--8<---------------cut here---------------start------------->8---
$ gpg-connect-agent 'KEYINFO --list --ssh-fpr' /bye | fgrep 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96
S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - - P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - -
--8<---------------cut here---------------end--------------->8---

because it wouldn't be much fun wading through all your keys if you have
a lot of key material, and that command without the grep will list it all.

(By the way, as you can see in the ssh-keygen output, my key actually
has a comment field in the gpg-agent. It was imported from an on-disk
OpenSSH file, that's where it came from. I don't know a way to have a
comment field for a key generated with gpg, although I could probably
hack it in in the private key store. Let's not do that.)

HTH,

Peter.

PS: I see no reason why you shouldn't have multiple auth subkeys, unlike
John Doe.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
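As an added example (not code from Peter's post), the matching step above done in Python: it computes the same MD5 fingerprint that `ssh-keygen -l -E md5` prints from an `ssh-add -L` line and looks it up in the 7th field of the KEYINFO status lines. The `ssh-add -L` line and the first KEYINFO line are constructed (the key blob is just base64 of "abc" and the keygrip is a placeholder, not a real key); the second KEYINFO line is the one from the post.

```python
import base64
import hashlib

# Constructed sample of `ssh-add -L` output: the blob is base64("abc"), not a real key.
SSH_ADD_L = "ssh-rsa YWJj example-comment\n"

# Status lines as printed by `gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye`.
# First line: constructed so its fingerprint matches the sample key (placeholder keygrip).
# Second line: taken from the post.
KEYINFO_OUTPUT = """\
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - P 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72 - S
S KEYINFO 64711FCE432F5387CCDD5E466513387B63096989 D - - - P c1:34:c6:23:f7:d5:64:fb:49:7a:d3:53:db:d1:87:64 - S
OK
"""

# Field order from the `help keyinfo` text quoted in the post.
KEYINFO_FIELDS = ("keygrip", "type", "serialno", "idstr", "cached",
                  "protection", "fpr", "ttl", "flags")

def md5_fingerprint(pubkey_line):
    """MD5 fingerprint of one `ssh-add -L` line, in the colon-hex form KEYINFO prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_keyinfo(output):
    """Turn KEYINFO status lines into dicts keyed by the field names above."""
    keys = []
    for line in output.splitlines():
        parts = line.split()
        # Skip OK/ERR and anything too short to carry the fingerprint field.
        if len(parts) < 9 or parts[:2] != ["S", "KEYINFO"]:
            continue
        keys.append(dict(zip(KEYINFO_FIELDS, parts[2:])))
    return keys

def match_ssh_keys(ssh_add_output, keyinfo_output):
    """Map each agent-exported key's fingerprint to (comment, keygrip or None)."""
    by_fpr = {k["fpr"].lower(): k for k in parse_keyinfo(keyinfo_output)}
    result = {}
    for line in ssh_add_output.splitlines():
        if not line.strip():
            continue
        fields = line.split(maxsplit=2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        fpr = md5_fingerprint(line)
        entry = by_fpr.get(fpr)
        result[fpr] = (comment, entry["keygrip"] if entry else None)
    return result

if __name__ == "__main__":
    for fpr, (comment, grip) in match_ssh_keys(SSH_ADD_L, KEYINFO_OUTPUT).items():
        print(f"MD5:{fpr}  {comment}  -> keygrip {grip or 'not found in gpg-agent'}")
```

To run it against a live agent, feed the real output of `ssh-add -L` and of the gpg-connect-agent command into `match_ssh_keys` instead of the constructed strings.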
