Using OpenPGP keyserver (or WoT) to distribute SSH Key

NIIBE Yutaka gniibe at fsij.org
Thu Jun 5 06:58:50 CEST 2014


Hello,

I'm using the SSH-agent feature of GPG-agent to authenticate my
OpenSSH access daily.

For smartcard/token users or users of GnuPG development branch, it
might be standard practice already.

For non-smartcard/token users, it is possible to use the feature,
once using monkeysphere to (generate an authentication subkey and) put
it under control of the SSH-agent feature of GPG-agent.

I think that this is a useful feature for everyone.  Since some people
are not convinced, I wrote a tool to cover other users who already
have SSH RSA keys and want to stick with them.  Attached is a tool
which adds an OpenPGP authentication subkey (you need the other *.py
files from the Gnuk distribution to use this script).

Here's how to use this tool to convert your existing SSH RSA keys.


(1) Prepare your desktop environment for GPG-agent as ssh-agent

Enable ssh-support of GPG-agent and let it serve as SSH agent.
Please see [0] for how to do that in Debian Wheezy.


(2) Convert your SSH secret key into GnuPG.

Check that you're using the ssh-agent feature of GPG-agent.  You should
have an environment variable like:

   SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh

Then, invoke the ssh-add command:

   $ ssh-add $HOME/.ssh/id_rsa

You will be asked for two passphrases, one to decrypt the SSH private
key, another to encrypt this key under GnuPG.

Your private key is now under the $HOME/.gnupg/private-keys-v1.d
directory.


(3) Export your GPG key

  $ gpg --export-options export-minimal --export YOUR_ID >/tmp/mykey.gpg


(4) Attach the authentication key to your (exported) GPG key

  $ python add_openpgp_authkey_from_gpgssh.py /tmp/mykey.gpg 

You will be asked for a passphrase for signing your subkey.


(5) Import your key

  $ gpg --import /tmp/mykey.gpg

Now, your OpenPGP keyring has your key with the authentication subkey.
You can upload your public key with the authentication subkey attached
to a keyserver.  Then, when your friend wants to give SSH access to you
(given the situation he has validated your OpenPGP key already), he
can do:

  $ gpg --refresh-keys   # to get your updated key
  $ gpgkey2ssh YOUR_ID | sed -e s/COMMENT/YOUR_MAIL_ADDRESS/ >> ~your_username/.ssh/authorized_keys

Well, I know that the tool gpgkey2ssh is just for debugging purposes.
I just want to show that the OpenPGP keyserver is useful.

I maintain this tool in Gnuk, under tool/ directory.

[0] http://www.gniibe.org/memo/software/ssh/ssh-gpg.html#use-gpg-agent-for-ssh-agent-service
-- 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_openpgp_authkey_from_gpgssh.py
Type: text/x-python
Size: 6971 bytes
Desc: not available
URL: </pipermail/attachments/20140605/cd29ddba/attachment.py>
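
The last step above turns the RSA parameters of an OpenPGP authentication subkey into an authorized_keys line. The following Python code is an added example, not part of the original message, not the attached script and not gpgkey2ssh's code; it shows that re-encoding plus the fingerprint to compare out of band before granting access. The function names are hypothetical, the input is assumed to be the RSA key material (MPI n, then MPI e) already extracted from the subkey packet, and the sample bytes are a constructed toy value, not a usable key.

```python
import base64
import hashlib
import struct

def read_mpi(buf, off):
    """Read one OpenPGP MPI: 2-byte big-endian bit count, then the magnitude."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    nbytes = (bits + 7) // 8
    raw = buf[off + 2 : off + 2 + nbytes]
    value = int.from_bytes(raw, "big")
    if len(raw) != nbytes or value.bit_length() != bits:
        raise ValueError("truncated or non-canonical MPI")
    return value, off + 2 + nbytes

def ssh_string(data):
    """SSH wire string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """SSH mpint is signed, so a 0x00 byte is prepended when the top bit is set."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def openpgp_rsa_to_ssh(key_material, comment):
    """Return (authorized_keys line, SHA256 fingerprint) for RSA key material."""
    n, off = read_mpi(key_material, 0)      # OpenPGP stores n first, then e
    e, off = read_mpi(key_material, off)
    if off != len(key_material):
        raise ValueError("trailing bytes after RSA public key MPIs")
    # The ssh-rsa blob stores e first, then n.
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
    digest = hashlib.sha256(blob).digest()
    # Same form as the SHA256 fingerprint printed by current ssh-keygen -l.
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return line, fingerprint

# Constructed toy key material: n = 0xD5BB01 (24 bits), e = 65537 (17 bits).
SAMPLE = bytes.fromhex("0018d5bb01" "0011010001")

if __name__ == "__main__":
    line, fingerprint = openpgp_rsa_to_ssh(SAMPLE, "user@example.org")
    print(line)
    print(fingerprint)
```

Comparing the printed fingerprint with the one the key owner reports from `ssh-add -l` confirms that the line appended to authorized_keys belongs to the validated OpenPGP key.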