How to use gpg and SSH together? [duplicate]

Possible Duplicate:
Are GPG and SSH keys interchangable?

How to use gpg and SSH together?

I know the basic procedures of 1) using gpg to encrypt and decrypt text files and 2) generating and using SSH keys to access remote servers without passwords.

I wonder if the two can be integrated. Are the two unrelated and should be separated in their day-to-day use?


I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.

Monkeysphere

Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.

Using gpgkey2ssh

The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with:

gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys

Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys. Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:

gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost

Using gpg-agent

gpg-agent has the option --enable-ssh-support that allows it to use it as a drop-in replacement for the well known ssh-agent. I've read of some people trying to add via ssh-add their GPG key after launching gpg-agent this way:

gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc

But I don't think this will ever work. The gpg-agent manpage says:

SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility.  When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.

So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with a GPG encryption.

Converting a GPG key to OpenSSH

Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:

gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

But I haven't found a way to make gpgsm accept my gpg keypairs.

Other things you can try

SSH has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key. ssh-keygen can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i and -m options.

Still I can't find a way to put it all together.


Technically yes, PGP keys can be used for SSH authentication. What people call a "PGP key" is more of a certificate, containing ordinary RSA, ECDSA or other keypairs (the primary key and subkeys) along with the certificate's metadata. In fact, there's even an "authentication" usage flag defined.

It is not recommended to use the same key for multiple purposes, though; however, this is easily solved as you can easily add an authentication-only subkey to your PGP cert (via gpg --expert --edit-key). You'll have one signing/certification primary key, an encryption subkey, and an authentication subkey.

In practice though, I haven't been able to figure out how to authenticate using a PGP key directly, although I've just been too lazy to try out several ideas. The Monkeysphere suite has a tool to add your GPG authentication subkeys to ssh-agent, should be simple. But there should be a few older Super User posts on this.