I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.
Monkeysphere
Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.
Using gpgkey2ssh
The first thing I suggest you try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with:
gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys
Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host's ~/.ssh/authorized_keys.
Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII-armored version of the keypair doesn't work:
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost
Using gpg-agent
gpg-agent has the option --enable-ssh-support that allows you to use it as a drop-in replacement for the well-known ssh-agent.
I've read of some people trying to add their GPG key via ssh-add after launching gpg-agent this way:
gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
But I don't think this will ever work. The gpg-agent manpage says:
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility.
When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with GPG encryption.
Converting a GPG key to OpenSSH
Jérôme Pouiller writes in his blog that the gpgsm utility can export keys and certificates in PKCS#12; they can then be used by OpenSSH:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
But I haven't found a way to make gpgsm accept my gpg keypairs.
Other things you can try
ssh has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key.
ssh-keygen can use RFC4716/SSH2 public or private keys, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH-compatible private (or public) key using the -i and -m options.
Still I can't find a way to put it all together.
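As an added example, not part of the answer above or of any GnuPG/OpenSSH code: this is what gpgkey2ssh (and its successor, gpg --export-ssh-key) does with the public half of the key. It reads a v4 RSA public-key packet in OpenPGP format (RFC 4880), pulls out the modulus n and exponent e, and re-encodes them as an RFC 4253 ssh-rsa blob for authorized_keys. The packet is built from a constructed, non-real modulus so the script runs offline; all function names are this example's own.

```python
"""Added example, not from the answer above: what gpgkey2ssh (today
`gpg --export-ssh-key`) does to turn a GPG RSA key into an authorized_keys
entry. It parses an OpenPGP v4 public-key packet (RFC 4880) and re-encodes
the same (n, e) as an RFC 4253 ssh-rsa blob. The modulus is constructed."""
import base64
import hashlib
import struct

def _mpi(value):
    """OpenPGP MPI: 2-byte bit count, then minimal big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_openpgp_rsa_pubkey_packet(n, e, created=0, old_format=False):
    """Tag-6 public-key packet used as constructed input (bodies < 8384 bytes).
    gpg --export emits the old-format header, hence the familiar 0x99 byte."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    ln = len(body)
    if old_format:
        ltype, fmt = (0, "B") if ln < 256 else (1, ">H")
        return bytes([0x80 | (6 << 2) | ltype]) + struct.pack(fmt, ln) + body
    if ln < 192:
        return bytes([0xC0 | 6, ln]) + body
    return bytes([0xC0 | 6, ((ln - 192) >> 8) + 192, (ln - 192) & 0xFF]) + body

def _packet_header(data):
    """Return (tag, body offset, body length) for old- or new-format headers."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new format (RFC 4880 4.2.2)
        tag, b1 = first & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        raise ValueError("5-octet and partial body lengths not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old format (4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")

def _read_mpi(body, off):
    bits = struct.unpack(">H", body[off:off + 2])[0]
    end = off + 2 + (bits + 7) // 8
    if end > len(body):
        raise ValueError("truncated MPI")
    return int.from_bytes(body[off + 2:end], "big"), end

def parse_openpgp_rsa_pubkey(packet):
    """Extract (n, e) from a v4 RSA public key (tag 6) or subkey (tag 14)."""
    tag, off, ln = _packet_header(packet)
    if tag not in (6, 14):
        raise ValueError(f"unexpected packet tag {tag}")
    body = packet[off:off + ln]
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    if body[5] not in (1, 2, 3):                       # RSA, RSA-encrypt, RSA-sign
        raise ValueError(f"not an RSA key (algorithm {body[5]})")
    n, off = _read_mpi(body, 6)
    e, _ = _read_mpi(body, off)
    return n, e

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:                          # mpint is signed: keep it positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def ssh_rsa_blob(n, e):
    """RFC 4253 ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def openpgp_to_authorized_keys(packet, comment):
    n, e = parse_openpgp_rsa_pubkey(packet)
    return f"ssh-rsa {base64.b64encode(ssh_rsa_blob(n, e)).decode()} {comment}"

def parse_authorized_keys_line(line):
    """Decode an ssh-rsa line back to (n, e) so the conversion can be checked."""
    blob, fields, off = base64.b64decode(line.split()[1]), [], 0
    while off < len(blob):
        ln = struct.unpack(">I", blob[off:off + 4])[0]
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def ssh_fingerprint(line):
    """Same SHA256 fingerprint `ssh-keygen -lf` prints, for cross-checking."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed demo modulus: 2048 bits, top bit set, odd. Not a real RSA key.
DEMO_N = (1 << 2047) | 0xC0FFEEF00DBAADCAFE1
DEMO_E = 65537
DEMO_PACKET = build_openpgp_rsa_pubkey_packet(DEMO_N, DEMO_E, created=1329000000)
```

openpgp_to_authorized_keys(DEMO_PACKET, "BFB2E5E3 demo") returns the one line you would append to ~/.ssh/authorized_keys, and ssh_fingerprint() gives the value to compare against ssh-keygen -lf on the target host. On a real binary export (gpg --export KEYID, not --armor) the parser reads only the first packet, i.e. the primary key; an authentication subkey sits in a later tag-14 packet, so the public half is the easy part, which is exactly why the private half still needs gpg-agent or a PKCS#11 path as discussed above.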
gpgkey2ssh has gone, --export-ssh-key is here. – Vlastimil Ovčáčík – 2017-06-28T16:12:47.103
For future reference, if you find two questions which are essentially identical, you can flag them as duplicates (using the flag link under the question), rather than posting the same answer twice. Thanks for the detailed response though! – nhinkle – 2012-02-15T17:23:37.630
Sorry, I didn't know about this feature. Thank you – Claudio Floreani – 2012-02-16T16:33:01.263
I'm not sure what you're trying to accomplish with gpg --armor --export-secret-key BFB2E5E3! | tee ~/.ssh/id_rsa. Are you using tee just so you can see the output? The output of this command is not suitable for use by ssh-add; the generated id_rsa file cannot be loaded into either ssh-agent or gpg-agent, nor can it be used directly by ssh. – larsks – 2013-06-26T16:48:42.473