I use a 4096 byte RSA PGP key; since SSH also uses the RSA standard, is it at all possible to use the PGP key as an SSH key without installing additional software on the server (and as little as possible on the client)?
5 Answers
There are several ways, which may or may not work:
- MonkeySphere
- openssh-gpg, a patch for OpenSSH
- SSH.com has built-in support
gpg2 on Debian comes with a gpgkey2ssh tool, and gpg-agent can act as an ssh agent too, but I couldn't figure out how to actually make ssh use the key for authentication.
With the information from the answers on this question and the help of the gnupg-users mailing list I was able to figure out how to use my GPG key for SSH authentication. There are a few possible methods to do this.
I have written a blog post about some possible solutions: http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
To summarize: Either you use GnuPG 2.1, which is currently in beta. When using this version, you can simply start gpg-agent with the --enable-ssh-support option and add the keygrip for your GPG key (or subkey) into ~/.gnupg/sshcontrol.
When you are using the current stable GnuPG version (2.0.x) you can use monkeysphere to add your key to gpg-agent (again, after starting gpg-agent with the --enable-ssh-support option).
It is also possible to use GNOME keyring (or even the regular ssh-agent) with the help of monkeysphere. The only problem in this case is that you will have to re-add your key when logging on again (into Gnome or XFCE). To solve this you can manually export your key and convert it.
This document shows how to do it on the SSH.com client; I am not sure that it works on OpenSSH but it might be worth a shot.
Export private SSH key from GPG without additional software installation
Find a keygrip of desired private key
gpg --list-secret-keys --with-keygrip
Import it into a new temporary gpgsm keyring
gpgsm --gen-key -o /tmp/keyring
2 #select existing key
keygrip_id
3 #key purpose encryption, this is probably irrelevant
C=dummy, ST=dummy, L=dummy, O=dummy, OU=dummy, CN=dummy #Enter dummy X.509 subject name
nonexistent@dummy.com #email as well
The rest of the options are optional, so just press Enter through them, confirm the information, and enter the decryption password of the selected key.
Convert the key to pkcs12 format
gpgsm -o /tmp/key.p12 --export-secret-key-p12 '&keygrip_id'
Enter the same encryption password again to decrypt it. Then enter a new password which will be used to protect the .p12 file. If your /tmp folder resides in RAM like mine, you can leave it blank as it will be safely wiped after reboot.
Convert it to an ssh-friendly format
In addition, this requires stripping the first 4 lines of the output, so that it starts with -----BEGIN PRIVATE KEY-----
openssl pkcs12 -in /tmp/key.p12 -nodes -nocerts | tail -n +5 > /tmp/sshkey
chmod 600 /tmp/sshkey
There you have your SSH key, ready for use by the ssh client. Hope this helps; for me it was necessary as I was not able to install monkeysphere.
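The gpgsm to PKCS#12 to PEM conversion from the answer above, as an added example that is not part of the answer. The difference is in the last step: the PEM block is located by its BEGIN/END markers instead of `tail -n +5`, because the number of "Bag Attributes" header lines that `openssl pkcs12` prints varies (for example with or without a friendlyName), so a fixed line count can cut off the BEGIN line or leave junk in the key file. It assumes the interactive `gpgsm --gen-key` import from step 2 has already been done and that gpgsm, openssl and ssh-keygen are on PATH; the sample header text in the test is constructed, not captured from a real key.

```shell
#!/bin/sh
# Added example, not from the answer above: the gpgsm -> PKCS#12 -> PEM
# conversion, with the PEM block found by its markers rather than by
# stripping a fixed number of lines. Assumes the "gpgsm --gen-key" import
# step has already been done and gpgsm, openssl and ssh-keygen are on PATH.
set -eu

# Read `openssl pkcs12 -nodes -nocerts` output on stdin and print only the
# lines from "-----BEGIN ... PRIVATE KEY-----" through the matching END marker,
# dropping the "Bag Attributes" / "Key Attributes" header lines in front of it.
pem_private_key_only() {
    awk '/^-----BEGIN .*PRIVATE KEY-----$/ { keep = 1 }
         keep { print }
         /^-----END .*PRIVATE KEY-----$/   { exit }'
}

# Export the secret key with keygrip $1 from gpgsm as an unencrypted PEM file
# at $2 (mode 0600), then print the authorized_keys line derived from it.
export_gpg_key_for_ssh() {
    keygrip=$1
    out=$2
    p12=$(mktemp)                      # transient PKCS#12 container, removed below
    gpgsm -o "$p12" --export-secret-key-p12 "&$keygrip"
    rm -f "$out"
    # Create the key file under umask 077 so it is never world-readable, not even briefly.
    ( umask 077; openssl pkcs12 -in "$p12" -nodes -nocerts | pem_private_key_only > "$out" )
    rm -f "$p12"
    [ -s "$out" ] || { echo "no PEM private key found in the PKCS#12 output" >&2; rm -f "$out"; return 1; }
    chmod 600 "$out"
    # ssh-keygen only accepts the file if the PEM was extracted cleanly; the line
    # it prints is what goes into ~/.ssh/authorized_keys on the server.
    ssh-keygen -y -f "$out"
}

# Usage: sh export-gpg-ssh-key.sh KEYGRIP /path/to/sshkey
if [ $# -eq 2 ]; then
    export_gpg_key_for_ssh "$1" "$2"
fi
```

Run it as `sh export-gpg-ssh-key.sh KEYGRIP /tmp/sshkey`, then connect with `ssh -i /tmp/sshkey user@host` (or `ssh-add /tmp/sshkey`); the passphrase prompt on the way is the .p12 password from the previous step.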