How to use gpg and SSH together?
Solution 1
I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.
Monkeysphere
Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging what little free disk space I have with MacPorts.
Using gpgkey2ssh
The first way I suggest you try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with:
gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys
Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host's ~/.ssh/authorized_keys.
Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost
Using gpg-agent
gpg-agent has the option --enable-ssh-support that allows it to be used as a drop-in replacement for the well-known ssh-agent.
I've read of some people trying to add their GPG key via ssh-add after launching gpg-agent, this way:
gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
But I don't think this will ever work. The gpg-agent manpage says:
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with GPG encryption.
Converting a GPG key to OpenSSH
Jérôme Pouiller in his blog writes that the gpgsm utility can export keys and certificates in PKCS#12; they can then be used by OpenSSH:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
But I haven't found a way to make gpgsm accept my gpg keypairs.
Other things you can try
SSH has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key.
ssh-keygen can use RFC4716/SSH2 public or private keys, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i and -m options.
Still I can't find a way to put it all together.
Solution 2
Technically yes, PGP keys can be used for SSH authentication. What people call a "PGP key" is more of a certificate, containing ordinary RSA, ECDSA or other keypairs (the primary key and subkeys) along with the certificate's metadata. In fact, there's even an "authentication" usage flag defined.
It is not recommended to use the same key for multiple purposes, though; however, this is easily solved as you can easily add an authentication-only subkey to your PGP cert (via gpg --expert --edit-key). You'll have one signing/certification primary key, an encryption subkey, and an authentication subkey.
In practice though, I haven't been able to figure out how to authenticate using a PGP key directly, although I've just been too lazy to try out several ideas. The Monkeysphere suite has a tool to add your GPG authentication subkeys to ssh-agent; it should be simple. But there should be a few older Super User posts on this.
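What gpgkey2ssh in Solution 1 (and, since GnuPG 2.1.11, gpg --export-ssh-key) actually does follows directly from Solution 2's point that a PGP certificate merely wraps ordinary RSA key material: it takes the public exponent e and modulus n of the key (or authentication subkey) and re-encodes them in OpenSSH's ssh-rsa wire format (the string "ssh-rsa" followed by e and n as RFC 4251 mpints), base64-encoded onto one authorized_keys line. The Python below is an added example, not code from either answer or from GnuPG or OpenSSH, that performs that encoding, parses the line back, and computes the SHA256 fingerprint that ssh-keygen -lf prints, so the entry appended to authorized_keys can be checked against the key it is supposed to represent. The modulus and the comment are constructed placeholders, not a real key; with a real key you would substitute its actual e and n.

```python
"""Encode RSA public parameters as an OpenSSH ssh-rsa key, decode it again, and fingerprint it.

Added example for this Q&A page; the key parameters below are constructed placeholders.
"""
import base64
import hashlib
import struct

# Constructed placeholder parameters (NOT a real RSA key): n is simply an odd 2048-bit
# number with its top bit set, which is enough to exercise the mpint encoding rules.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 1024) | 0xDEADBEEF | 1
SAMPLE_COMMENT = "openpgp-auth-subkey"  # placeholder comment, like gpgkey2ssh's trailing word


def encode_mpint(value: int) -> bytes:
    """RFC 4251 mpint: length-prefixed big-endian two's complement.

    A leading 0x00 byte is inserted when the top bit of the magnitude is set, otherwise
    the value would be read back as negative. This is why a 2048-bit modulus occupies
    257 bytes on the wire.
    """
    if value < 0:
        raise ValueError("only non-negative values are used in ssh-rsa keys")
    if value == 0:
        raw = b""
    else:
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:
            raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def encode_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def rsa_to_ssh_blob(e: int, n: int) -> bytes:
    """RFC 4253 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return encode_string(b"ssh-rsa") + encode_mpint(e) + encode_mpint(n)


def rsa_to_authorized_key(e: int, n: int, comment: str = "") -> str:
    """One authorized_keys line, in the same shape gpgkey2ssh emits."""
    line = "ssh-rsa " + base64.b64encode(rsa_to_ssh_blob(e, n)).decode("ascii")
    return line + " " + comment if comment else line


def ssh_fingerprint(blob: bytes) -> str:
    """The value ssh-keygen -lf prints: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_key(line: str):
    """Decode a plain authorized_keys line back to (e, n).

    Deliberately strict: option prefixes, other key types, trailing garbage and
    truncated blobs all raise rather than being silently accepted.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not a plain ssh-rsa authorized_keys line")
    blob = base64.b64decode(fields[1], validate=True)
    pos = 0
    items = []
    for _ in range(3):
        if pos + 4 > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        items.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob) or items[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(items[1], "big"), int.from_bytes(items[2], "big")


if __name__ == "__main__":
    line = rsa_to_authorized_key(SAMPLE_E, SAMPLE_N, SAMPLE_COMMENT)
    print(line)
    print(ssh_fingerprint(rsa_to_ssh_blob(SAMPLE_E, SAMPLE_N)))
    assert parse_authorized_key(line) == (SAMPLE_E, SAMPLE_N)
```

Every ssh-rsa key with e = 65537 starts with the base64 text AAAAB3NzaC1yc2EAAAADAQAB, and a 2048-bit modulus continues with AAABAQC, which is why those prefixes look familiar from real authorized_keys files. The fingerprint computed here should equal what ssh-keygen -lf reports for the line on the target host; if it does not, the entry does not belong to the key you think it does.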
qazwsx
Updated on September 18, 2022
Comments
- qazwsx over 1 year
Possible Duplicate: Are GPG and SSH keys interchangeable?
How to use gpg and SSH together?
I know the basic procedures of 1) using gpg to encrypt and decrypt text files and 2) generating and using SSH keys to access remote servers without passwords.
I wonder if the two can be integrated. Are the two unrelated and should be separated in their day-to-day use?
- qazwsx over 12 years
Thanks for the information. They are useful but not sufficient for answering my question. I still don't know how to integrate my PGP certificates and SSH keys.
- user1686 over 12 years
From Monkeysphere docs: monkeysphere subkey-to-ssh-agent to load your key into the agent.
- nhinkle over 12 years
For future reference, if you find two questions which are essentially identical, you can flag them as duplicates (using the flag link under the question), rather than posting the same answer twice. Thanks for the detailed response though!
- Claudio Floreani over 12 years
Sorry, I don't know about this feature. Thank you.
- larsks almost 11 years
I'm not sure what you're trying to accomplish with gpg --armor --export-secret-key BFB2E5E3! | tee ~/.ssh/id_rsa. Are you using tee just so you can see the output? The output of this command is not suitable for use by ssh-add; the generated id_rsa file cannot be loaded into either ssh-agent or gpg-agent, nor can it be used directly by ssh.
- Vlastimil Ovčáčík almost 7 years