Cannot export SSH public key
Felix E. Klee
felix.klee at inka.de
Thu Nov 23 03:17:04 CET 2023
On Wed, Nov 22, 2023 at 8:57 PM Werner Koch <wk at gnupg.org> wrote:
> Here is the snippet from by ~/.bashrc
I have a similar config. Thank you for the detailed explanation!
Only the following line does not work right after autologin (default
with Ubuntu / WSL2), seems like something is not ready yet.
gpg-connect-agent updatestartuptty /bye
> What is in your ~/.gnupg/sshcontrol file?
It’s empty, with only comments at the top. I left it that way, and
proceeded as follows:
> Instead of putting this into sshcontrol you may also put them into the
> private-keys-v1.d/<KEYGRIP>.key file with a line:
>
> Use-for-ssh: yes
I added that to 0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key, which is
my master key. But it still doesn’t work, see below.
Should I add a file with the authentication key instead?
> gpg --export-ssh-key
>
> Adds a comment with the keyid - is that one correct? Does it match what
> you see with
>
> ssh-add -L
Output:
$ gpg -k --with-keygrip yubikey at f76.eu
pub rsa4096 2023-06-29 [SC]
7A0FE73DDB744F0F97341DA71BE349D11B6ED589
Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid [ultimate] Felix E. Klee (YubiKey) <yubikey at f76.eu>
sub rsa4096 2023-06-29 [E]
Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub rsa4096 2023-11-22 [A]
Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
$ gpg --export-ssh-key yubikey at f76.eu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpsX4nQnLh3SJDdIDkdX0DFY4c2uFu
6QJRPrXyub32Ae5SX+3rQnhj/7U8PGFG5LbRT8NVHMyxmoXAHda3wZ1Za3mTC8oWUPSz
dIlSgB7HrVNvmP0fvk0b1V9BOkBJrV6RMMNLEssiD9PCiI95z1+uEbxr9tZAJO/lDYnU
jhEK6PykBhQiJISHpWnWmE0qj+84wQ+/cEPJYnt4tgqLuFH+COFGBVuN6DDi6ubbDlCy
693UqQjWSNi1A34JmUKFOw5Kt0It3Qj3nNVdm8/hRiVZ84qPVbF1Vvp0gZ9k1sFg+3O9
LZYo0vZ73gLMx6AjO1A+Cqcef/e6O+aT+CVgINQ6oaDMyKtHkD7caflg8nPrmiVASxTe
nn51W3Uiu1wksrtEH2HCUcLXpMWKNTjjwpUUTSmMy4m069K5SENsjzsMsHiN2cTxdNu5
CufP1Q3XtGI4VCdW5ql0vgZMCPHIuXHLyFpz9scc2I68B8YnoMzzH0CDyLpjudBRlup+
BZD1g2xlCWB9f+43Oy+Ibf5wAW8/gjk5ly6fhQwB712GTHXNKpPl2ymXgtP2v0K48TE7
OsIfR0sBk2LbwuXr2tLB1WYgrNYs8YY83u/HC6RWHskrcIRq75ahcdeTu8Ukdz1VhAdL
sk25F529lMjW0CgshB9xvFxCwFzcGMmHniuMjoFN6Q== cardno:18 698 015
$ ssh-add -l
4096 SHA256:Pun8mwtl04HFOK8Z1LbCRZ/oQLgZDpkgNHU5/E1MM8I cardno:18 69
8 015 (RSA)
As you see, the public keys are different. `ssh-add -L` does not add the
key ID. So I’ve no idea what is going on.
The key exported by `ssh-add -L` works. I get asked for the PIN, the
Yubikey blinks, and then I’m in:
$ ssh user at example.com
[user at example ~]$
The key exported by `gpg --export-ssh-key yubikey at f76.eu` does not work:
$ ssh user at example.com
user at example.com: Permission denied (publickey).
As it works with the key exported with `ssh-add -L`, maybe I should not
complain. However what confuses me is that the output of `ssh-add -L`
does not change after I replaced the authentication subkey.
Can you explain why the output of `ssh-add -L` did not change? Also why
is it not the same as the output from `gpg --export-ssh-key
yubikey at f76.eu`?
(Background: I replaced the authentication subkey because the first time
I added it, I forgot to make a backup of the updated secret key.)
More information about the Gnupg-users
mailing list