gpgkey2ssh
Werner Koch
wk at gnupg.org
Fri Oct 22 10:02:55 CEST 2010
On Fri, 22 Oct 2010 03:58, aaron.toponce at gmail.com said:
> First, there is _ZERO_ documentation for this binary. No manual, no info
> page, nothing under /usr/share/doc/, segfaults passing "-h" or "--help".
Ah well, it should be removed from the package. It used to be a kind of
debug tool but I never used it in all these years. The plan was to
replace it with a special export option:
gpg2 --export-options export-sexp-format --export-secret-key KEYID
but that has never been fully implemented. The forthcoming GnuPG 2.1
makes it obsolete.
> of me. Correct me if I'm wrong, but I should be able to add this
> identity to the running SSH agent through "ssh-add", no? Here's the
No. It's the other way around.
The whole point of the ssh support is to replace ssh-agent: gpg-agent if
started with the option --enable-ssh-support implements the
ssh-agent-protocol and thus works with ssh and ssh-add.
With a running gpg-agent you can do
ssh-add
and gpg-agent imports the key into its own private key database. After
you have done that you may remove the private keys from .ssh/. If you
later run
ssh-add -l
it will show you the ssh keys gpg-agent knows about. To better control
this you may use the ~/.gnupg/sshcontrol file:
`sshcontrol'
This file is used when support for the secure shell agent protocol
has been enabled (*note option --enable-ssh-support::). Only keys
present in this file are used in the SSH protocol. You should
backup this file.
The `ssh-add' tool may be used to add new entries to this file;
you may also add them manually. Comment lines, indicated by a
leading hash mark, as well as empty lines are ignored. An entry
starts with optional whitespace, followed by the keygrip of the
key given as 40 hex digits, optionally followed by the caching TTL
in seconds and another optional field for arbitrary flags. A
non-zero TTL overrides the global default as set by
`--default-cache-ttl-ssh'.
The keygrip may be prefixed with a `!' to disable an entry.
The following example lists exactly one key. Note that keys
available through an OpenPGP smartcard in the active smartcard
reader are implicitly added to this list; i.e. there is no need to
list them.
# Key added on 2005-02-25 15:08:29
5A6592BF45DC73BD876874A28FD4639282E29B52 0
If you want to use an existing gpg key with ssh you need a way to put it
into gpg-agent. If you use smartcards then there is no need for this
because gpg-agent does that on its own. *GnuPG 2.1* will make it really
easy to use an existing key for ssh:
$ gpg2 --with-keygrip -K CD8687F6
sec 1024D/CD8687F6 2006-01-17
Keygrip = 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C
uid Heinrich Heine <heinrichh at duesseldorf.de>
ssb 1024g/4ECFEF6F 2006-01-17
Keygrip = 654EFA6F19DF08ABFEB88092BC4867D4C5A95460
Now you only need to put a line
21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 0
into sshcontrol and gpg-agent offers the primary key CD8687F6 to ssh when
it asks for a list of private keys (check with ssh-add -l).
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
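The sshcontrol format quoted in the message above (40-hex-digit keygrip, optional TTL in seconds, optional flags field, `!' prefix to disable, `#' comment lines) is simple enough to check by hand, but a small parser makes the rules explicit and catches a mistyped keygrip before gpg-agent silently ignores it. The following is an added example written for this page; it is not GnuPG code and does not talk to gpg-agent. The sample file contents are constructed from the two keygrips shown in the message plus invented entries, the `confirm' flag value is an assumption used only as an arbitrary flags field, and the 1800-second fallback stands in for whatever --default-cache-ttl-ssh is set to on a real system. The last function renders the one-line entry the message says to add for an existing gpg key.

```python
"""Parse and emit entries of gpg-agent's ~/.gnupg/sshcontrol file.

Added example, not GnuPG code. Rules follow the sshcontrol manual text:
comments ('#') and empty lines are ignored; an entry is a 40-hex-digit
keygrip, optionally followed by a caching TTL in seconds and an arbitrary
flags field; a leading '!' disables the entry; TTL 0 means "use the global
--default-cache-ttl-ssh".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample: the two keygrips come from the message; the TTL/flags
# line and the disabled entry are invented for illustration.
SAMPLE_SSHCONTROL = """\
# Key added on 2005-02-25 15:08:29
5A6592BF45DC73BD876874A28FD4639282E29B52 0

# primary key CD8687F6 from the example in the message
21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 0
# subkey with a 10-minute cache TTL and a flags field (constructed)
654EFA6F19DF08ABFEB88092BC4867D4C5A95460 600 confirm
# disabled entry (constructed keygrip)
!0123456789ABCDEF0123456789ABCDEF01234567 0
"""


@dataclass
class SshControlEntry:
    keygrip: str      # 40 hex digits, normalised to upper case
    ttl: int          # 0 means "fall back to --default-cache-ttl-ssh"
    flags: str        # arbitrary flags field, empty string if absent
    disabled: bool    # True when the line was prefixed with '!'


def parse_sshcontrol(text: str) -> List[SshControlEntry]:
    """Return the entries of an sshcontrol file, rejecting malformed lines."""
    entries: List[SshControlEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or empty line
        # keygrip, TTL, flags; the flags field keeps any remaining text
        fields = line.split(None, 2)
        token = fields[0]
        disabled = token.startswith("!")
        keygrip = token[1:] if disabled else token
        if not KEYGRIP_RE.match(keygrip):
            raise ValueError(f"line {lineno}: keygrip must be 40 hex digits, got {token!r}")
        ttl = 0
        if len(fields) > 1:
            if not fields[1].isdigit():
                raise ValueError(f"line {lineno}: TTL must be a non-negative integer, got {fields[1]!r}")
            ttl = int(fields[1])
        flags = fields[2] if len(fields) > 2 else ""
        entries.append(SshControlEntry(keygrip.upper(), ttl, flags, disabled))
    return entries


def enabled_keygrips(entries: List[SshControlEntry]) -> List[str]:
    """Keygrips gpg-agent would offer to ssh (disabled entries excluded)."""
    return [e.keygrip for e in entries if not e.disabled]


def effective_ttl(entry: SshControlEntry, default_cache_ttl_ssh: int = 1800) -> int:
    """A non-zero per-entry TTL overrides the global default (assumed 1800 s here)."""
    return entry.ttl if entry.ttl else default_cache_ttl_ssh


def format_entry(keygrip: str, ttl: int = 0, flags: Optional[str] = None) -> str:
    """Render the line to append to sshcontrol for an existing gpg key."""
    if not KEYGRIP_RE.match(keygrip):
        raise ValueError(f"not a 40-hex-digit keygrip: {keygrip!r}")
    line = f"{keygrip.upper()} {ttl}"
    return f"{line} {flags}" if flags else line


if __name__ == "__main__":
    for e in parse_sshcontrol(SAMPLE_SSHCONTROL):
        state = "disabled" if e.disabled else f"ttl={effective_ttl(e)}s"
        print(f"{e.keygrip}  {state}  flags={e.flags!r}")
    print(format_entry("21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C"))
```

Run it as a script to see each entry with the cache TTL that would actually apply; feed it your own ~/.gnupg/sshcontrol to spot a keygrip that is not 40 hex digits, which is the usual reason a key listed in the file never shows up in ssh-add -l.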