72
31
I want to generate an RSA
key in GPG
and use it in SSH
login. Is this even possible? If so, how?
edit: see @wwerner's answer, I didn't try it but it seems to be the current solution (as of 2018)
72
31
I want to generate an RSA
key in GPG
and use it in SSH
login. Is this even possible? If so, how?
edit: see @wwerner's answer, I didn't try it but it seems to be the current solution (as of 2018)
27
I know this is an old post, but for people like me stumbling over this:
It is now (since gpg 2.1) possible to simply extract ssh keys directly using gpg:
gpg --export-ssh-key <key id>!
.
The !
mark is optional, it makes the primary key exportable and omits checking whether the key is authentication-capable ([CA]).
Details:
30
I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.
Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.
The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with
gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys
Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys
.
Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:
gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost
gpg-agent
has the option --enable-ssh-support
that allows it to use it as a drop-in replacement for the well known ssh-agent
.
I've read of some people trying to add via ssh-add
their GPG key after launching gpg-agent
this way:
gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
But I don't think this will ever work. The gpg-agent manpage says:
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
So it seems that gpg-agent
should be used as an additional measure to protect your SSH keys with a GPG encryption.
Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
But I haven't found a way to make gpgsm
accept my gpg keypairs.
SSH has a -I
option to specify the PKCS#11 shared library ssh
should use to communicate with a PKCS#11 token providing the user's private RSA key.
ssh-keygen
can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i
and -m
options.
Still I can't find a way to put it all together.
5Note that gpgkey2ssh
has been replaced by --export-ssh-key
as of version 2.1.11 (2016-01-26). It took me a while to realize this. Usage is gpg --export-ssh-key BFB2E5E3
. – MayeulC – 2017-05-17T19:29:15.057
1gpgkey2ssh has gone, --export-ssh-key is here. – Vlastimil Ovčáčík – 2017-06-28T16:14:08.607
There is a good post on Linode but they used gpg-agent to authenticate with SSH. They don't convert the gpg secret key to a SSH private key.
– Xorax – 2017-08-29T23:25:54.39714
No, they are not interchangeable. Yes, it is possible to use GPG keys for authentication – the Monkeysphere package has tools to extract the raw RSA keypair from your GPG certificate.
Your GPG certificate will need a subkey with the "authentication" capability flag. To create such a subkey, run once:
monkeysphere g
Now add your authentication subkeys to ssh-agent:
monkeysphere s
Somewhat relevant: this gnupg-users thread.
9
With the information from the answers on this question and the help of the gnupg-users mailinglist I was able to figure out how to use my GPG key for SSH authentication. As already mentioned by Claudio Floreani in his answer, there are a few possible methods to do this.
I have written a blogpost about some possible solutions: http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
To summarize: Either you use GnuPG 2.1, which is currently in beta. When using this version, you can simply start gpg-agent with the --enable-ssh-support option and add the keygrip for you GPG key (or subkey) into ~/.gnupg/sshcontrol.
When you are using the current stable GnuPG version (2.0.x) you can use monkeysphere to add your key to gpg-agent (again, after starting gpg-agent with the --enable-ssh-support option).
It is also possible to use GNOME keyring (or even the regular ssh-agent) with the help of monkeysphere. The only problem in this case is that you will have to re-add your key when logging on again (into Gnome or XFCE). To solve this you can manually export your key and convert it.
This answer should be the accepted one. :) – Inkeliz – 2018-08-31T11:27:54.707