Are GPG and SSH keys interchangable?

72

31

I want to generate an RSA key in GPG and use it in SSH login. Is this even possible? If so, how?

edit: see @wwerner's answer, I didn't try it but it seems to be the current solution (as of 2018)

destan

Posted 2011-11-23T00:03:34.583

Reputation: 867

Answers

27

I know this is an old post, but for people like me stumbling over this:

It is now (since gpg 2.1) possible to simply extract ssh keys directly using gpg: gpg --export-ssh-key <key id>!.

The ! mark is optional, it makes the primary key exportable and omits checking whether the key is authentication-capable ([CA]).

Details:

wwerner

Posted 2011-11-23T00:03:34.583

Reputation: 385

This answer should be the accepted one. :) – Inkeliz – 2018-08-31T11:27:54.707

30

I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.

Monkeysphere

Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.

Using gpgkey2ssh

The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with

gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys

Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys. Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:

gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost

Using gpg-agent

gpg-agent has the option --enable-ssh-support that allows it to use it as a drop-in replacement for the well known ssh-agent. I've read of some people trying to add via ssh-add their GPG key after launching gpg-agent this way:

gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc

But I don't think this will ever work. The gpg-agent manpage says:

SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility.  When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.

So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with a GPG encryption.

Converting a GPG key to OpenSSH

Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:

gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

But I haven't found a way to make gpgsm accept my gpg keypairs.

Other things you can try

SSH has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key. ssh-keygen can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i and -m options.

Still I can't find a way to put it all together.

Claudio Floreani

Posted 2011-11-23T00:03:34.583

Reputation: 682

5Note that gpgkey2ssh has been replaced by --export-ssh-key as of version 2.1.11 (2016-01-26). It took me a while to realize this. Usage is gpg --export-ssh-key BFB2E5E3. – MayeulC – 2017-05-17T19:29:15.057

1gpgkey2ssh has gone, --export-ssh-key is here. – Vlastimil Ovčáčík – 2017-06-28T16:14:08.607

There is a good post on Linode but they used gpg-agent to authenticate with SSH. They don't convert the gpg secret key to a SSH private key.

– Xorax – 2017-08-29T23:25:54.397

14

No, they are not interchangeable. Yes, it is possible to use GPG keys for authentication – the Monkeysphere package has tools to extract the raw RSA keypair from your GPG certificate.

  1. Your GPG certificate will need a subkey with the "authentication" capability flag. To create such a subkey, run once:

    monkeysphere g
    
  2. Now add your authentication subkeys to ssh-agent:

    monkeysphere s
    

Somewhat relevant: this gnupg-users thread.

user1686

Posted 2011-11-23T00:03:34.583

Reputation: 283 655

9

With the information from the answers on this question and the help of the gnupg-users mailinglist I was able to figure out how to use my GPG key for SSH authentication. As already mentioned by Claudio Floreani in his answer, there are a few possible methods to do this.

I have written a blogpost about some possible solutions: http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

To summarize: Either you use GnuPG 2.1, which is currently in beta. When using this version, you can simply start gpg-agent with the --enable-ssh-support option and add the keygrip for you GPG key (or subkey) into ~/.gnupg/sshcontrol.

When you are using the current stable GnuPG version (2.0.x) you can use monkeysphere to add your key to gpg-agent (again, after starting gpg-agent with the --enable-ssh-support option).

It is also possible to use GNOME keyring (or even the regular ssh-agent) with the help of monkeysphere. The only problem in this case is that you will have to re-add your key when logging on again (into Gnome or XFCE). To solve this you can manually export your key and convert it.

jeroen

Posted 2011-11-23T00:03:34.583

Reputation: 435