GPG key to authenticate to SSH?

Werner Koch wk at gnupg.org
Wed Jul 25 21:19:08 CEST 2012


On Wed, 25 Jul 2012 19:12, dkg at fifthhorseman.net said:

> reading sshcontrol's documentation in the texi doc, it occurs to me that
> this indication of which key should be used for ssh should in many use
> cases be visible to ssh servers as well.  If for some reason the
> authentication-capable flag isn't sufficient to indicate this, perhaps

The thing here is that gpg-agent is protocol agnostic.  It does not know
about OpenPGP or X.509.  It merely manages the raw key material.  There
is no capability flag at all.  Agreed, there should be one so that you
won't accidentally use an encryption key for signing etc.  However it
can't be enforced and thus I neglected to implement it.

So you may put any key from private-keys-v1.d into sshcontrol and it
will work as an ssh key as long as some basic properties are okay.
sshcontrol is used as a filter to present only those keys to ssh which
are listed in it.

With capability flags in private-keys-v1.d we could add a wildcard entry
into sshcontrol and automagically use all keys flagged as "authenticate"
or "use-for-ssh".  However, I am not sure whether this is a good idea,
given that ssh iterates over all available keys and thus it may take
some time to set up a connection in case you have too many ssh capable
keys available in gpg-agent.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
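As an added example (not code from the post or from GnuPG itself), the following Python models the filtering Werner describes: a key is offered to ssh only if its keygrip is listed and enabled in sshcontrol and the key actually exists in private-keys-v1.d. It assumes the sshcontrol line format from the gpg-agent manual (keygrip, optional TTL, optional "confirm", "#" comments, a leading "!" disabling the entry) and that private-keys-v1.d stores each key as <KEYGRIP>.key; the keygrips and file lists are constructed sample data.

```python
import re
from typing import Dict, List

# One sshcontrol entry: "[!]KEYGRIP [TTL [confirm]]"; '#' starts a comment and a
# leading '!' disables the entry (format as given in the gpg-agent manual).
_LINE_RE = re.compile(
    r"^(?P<disabled>!?)(?P<grip>[0-9A-Fa-f]{40})(?:\s+(?P<ttl>\d+))?(?:\s+(?P<confirm>confirm))?$"
)

def parse_sshcontrol(text: str) -> List[Dict]:
    """Parse sshcontrol into entries; reject lines the agent would not accept."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed sshcontrol line: {raw!r}")
        entries.append({
            "keygrip": m["grip"].upper(),
            "ttl": int(m["ttl"] or 0),        # 0 = agent default TTL
            "confirm": m["confirm"] is not None,
            "disabled": m["disabled"] == "!",
        })
    return entries

def keys_presented_to_ssh(sshcontrol_text: str, key_files: List[str]) -> List[str]:
    """Keygrips ssh will be offered: listed and enabled in sshcontrol AND stored
    in private-keys-v1.d as <KEYGRIP>.key. Everything else is filtered out."""
    on_disk = {f[:-4].upper() for f in key_files if f.endswith(".key")}
    return [e["keygrip"] for e in parse_sshcontrol(sshcontrol_text)
            if not e["disabled"] and e["keygrip"] in on_disk]

# Constructed sample: three keys on disk, an sshcontrol listing one enabled key,
# one disabled key and one keygrip that has no file in private-keys-v1.d.
SAMPLE_KEY_FILES = [
    "0123456789ABCDEF0123456789ABCDEF01234567.key",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98.key",
    "1111111111111111111111111111111111111111.key",   # on disk but never listed
]
SAMPLE_SSHCONTROL = """\
# sshcontrol (constructed example)
0123456789ABCDEF0123456789ABCDEF01234567 0            # offered to ssh
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 0           # disabled with '!'
2222222222222222222222222222222222222222 600 confirm  # listed but not on disk
"""
```

Running keys_presented_to_ssh(SAMPLE_SSHCONTROL, SAMPLE_KEY_FILES) yields only the first keygrip: the disabled entry, the entry without a key file, and the key file that sshcontrol never mentions are all left out, which is exactly why a wildcard entry would change the set of keys ssh iterates over.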
