How to use gpg and SSH together?

ssh gnupg pgp

15,024

Solution 1

I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.

Monkeysphere

Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.

Using gpgkey2ssh

The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with:

gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys

Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys. Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:

gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost

Using gpg-agent

gpg-agent has the option --enable-ssh-support that allows it to use it as a drop-in replacement for the well known ssh-agent. I've read of some people trying to add via ssh-add their GPG key after launching gpg-agent this way:

gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc

But I don't think this will ever work. The gpg-agent manpage says:

SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.

So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with a GPG encryption.

Converting a GPG key to OpenSSH

Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:

gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

But I haven't found a way to make gpgsm accept my gpg keypairs.

Other things you can try

SSH has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key. ssh-keygen can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i and -m options.

Still I can't find a way to put it all together.

Solution 2

Technically yes, PGP keys can be used for SSH authentication. What people call a "PGP key" is more of a certificate, containing ordinary RSA, ECDSA or other keypairs (the primary key and subkeys) along with the certificate's metadata. In fact, there's even an "authentication" usage flag defined.

It is not recommended to use the same key for multiple purposes, though; however, this is easily solved as you can easily add an authentication-only subkey to your PGP cert (via gpg --expert --edit-key). You'll have one signing/certification primary key, an encryption subkey, and an authentication subkey.

In practice though, I haven't been able to figure out how to authenticate using a PGP key directly, although I've just been too lazy to try out several ideas. The Monkeysphere suite has a tool to add your GPG authentication subkeys to ssh-agent, should be simple. But there should be a few older Super User posts on this.

15,024

qazwsx

Updated on September 18, 2022

Comments

qazwsx over 1 year

Possible Duplicate:
Are GPG and SSH keys interchangable?

How to use gpg and SSH together?

I know the basic procedures of 1) using gpg to encrypt and decrypt text files and 2) generating and using SSH keys to access remote servers without passwords.

I wonder if the two can be integrated. Are the two unrelated and should be separated in their day-to-day use?
qazwsx over 12 years

Thanks for the information. They are useful but not sufficient for answering my question. I still don't know how to integrate my PGP certificates and SSH keys.
user1686 over 12 years

From Monkeysphere docs; monkeysphere subkey-to-ssh-agent to load your key into the agent.
nhinkle over 12 years

For future reference, if you find two questions which are essentially identical, you can flag them as duplicates (using the flag link under the question), rather than posting the same answer twice. Thanks for the detailed response though!
Claudio Floreani over 12 years

Sorry I don't know about this feature. Thank you
larsks almost 11 years

I'm not sure what you're trying to accomplish with gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa. Are you using tee just so you can see the output? The output of this command is not suitable for use by ssh-add; the generated id_rsa file cannot be loaded into either ssh-agent or gpg-agent, nor can it be used directly by ssh.
Vlastimil Ovčáčík almost 7 years

gpgkey2ssh has gone, --export-ssh-key is here.