Identifying one of multiple authentication subkeys

Werner Koch wk at gnupg.org
Tue Mar 26 09:16:22 CET 2019


On Mon, 25 Mar 2019 16:02, peter at digitalbrains.com said:

> But something more user friendly to match SSH fingerprint and keygrip
> could be beneficial. I'm not sure what that would look like and neither

You can build a script based on this:

  $ gpg-connect-agent 'keyinfo --ssh-list --ssh-fpr' /bye
  S KEYINFO 1234[...] D - - - P SHA256:PtJi[...] - S
  [...]

This lists all keys allowed for ssh with its keygrip (1234...) and the
corresponding ssh fingerprint (SHA256:PTJI).  Details as usual by using
'help keyinfo'.

> For one thing, OpenSSH seems to prefer SHA256 SSH fingerprints over the
> old MD5 ones now.

That is right and you can tell gpg-agent this by using

ssh-fingerprint-digest sha256

(I don't like the base64 encoding because it is hard to visually compare,
but that is how it is).  Note that while writing this I noticed that the
KEYINFO command always printed MD5 fingerprints.  I fixed that for
2.2.15 so that the above option is considered.  Further, it is also
possible to use

 keyinfo --ssh-list --ssh-fpr-md5
 keyinfo --ssh-list --ssh-fpr=sha1
 keyinfo --ssh-list --ssh-fpr=sha256

to select a certain fingerprint format independent of the option.


Salam-Shalom,

   Werner


p.s.  Eventually someone(tm) should write a GUI tool to list and manage
all kinds of private keys in GnuPG.  For example to list all users of a
certain private key.

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
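
A starting point for the script suggested in the message above, as an added example that is not part of the original post and not GnuPG's own code. The function names and the sample lines are constructed; the field positions are taken from the sample KEYINFO line in the message.

```sh
#!/bin/sh
# Added example: map ssh fingerprints to keygrips from gpg-agent KEYINFO lines.
# Field layout assumed from the sample line quoted in the message:
#   S KEYINFO <keygrip> <type> - - - <protection> <fingerprint> - <flags>

# Read agent status lines on stdin, print "<fingerprint> <keygrip>" per key.
# Exit status: 1 if the agent sent an ERR line, 2 if no key was listed.
keyinfo_to_table() {
    awk '
        $1 == "ERR" { print "agent error: " $0 > "/dev/stderr"; err = 1; next }
        $1 == "S" && $2 == "KEYINFO" && NF >= 9 && $9 != "-" {
            print $9, $3
            n++
        }
        END { if (err) exit 1; if (n == 0) exit 2 }
    '
}

# Print the keygrip for one fingerprint given as $1; non-zero if not found.
# The match is exact and case-sensitive: SHA256 fingerprints are base64,
# so two strings that differ only in letter case are different fingerprints.
keygrip_for_fpr() {
    keyinfo_to_table 2>/dev/null |
        awk -v want="$1" '$1 == want { print $2; found = 1 }
                          END { exit !found }'
}

# Constructed sample output (keygrips and fingerprints are made up).
sample_keyinfo() {
    cat <<'EOF'
S KEYINFO 1111111111111111111111111111111111111111 D - - - P SHA256:AbCdConstructedOne - S
S KEYINFO 2222222222222222222222222222222222222222 D - - - P SHA256:EfGhConstructedTwo - S
OK
EOF
}

# Against a running agent, replace sample_keyinfo with:
#   gpg-connect-agent 'keyinfo --ssh-list --ssh-fpr=sha256' /bye
sample_keyinfo | keyinfo_to_table
```

The fingerprint column can then be compared with the fingerprints printed by `ssh-add -l` to find which keygrip backs a given ssh identity.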