How to use gpg and SSH together?
I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.
Monkeysphere
Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.
Using gpgkey2ssh
The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with:
gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys
Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys
.
Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:
gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost
Using gpg-agent
gpg-agent
has the option --enable-ssh-support
that allows it to use it as a drop-in replacement for the well known ssh-agent
.
I've read of some people trying to add via ssh-add
their GPG key after launching gpg-agent
this way:
gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
But I don't think this will ever work. The gpg-agent manpage says:
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
So it seems that gpg-agent
should be used as an additional measure to protect your SSH keys with a GPG encryption.
Converting a GPG key to OpenSSH
Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
But I haven't found a way to make gpgsm
accept my gpg keypairs.
Other things you can try
SSH has a -I
option to specify the PKCS#11 shared library ssh
should use to communicate with a PKCS#11 token providing the user's private RSA key.
ssh-keygen
can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i
and -m
options.
Still I can't find a way to put it all together.
Technically yes, PGP keys can be used for SSH authentication. What people call a "PGP key" is more of a certificate, containing ordinary RSA, ECDSA or other keypairs (the primary key and subkeys) along with the certificate's metadata. In fact, there's even an "authentication" usage flag defined.
It is not recommended to use the same key for multiple purposes, though; however, this is easily solved as you can easily add an authentication-only subkey to your PGP cert (via gpg --expert --edit-key
). You'll have one signing/certification primary key, an encryption subkey, and an authentication subkey.
In practice though, I haven't been able to figure out how to authenticate using a PGP key directly, although I've just been too lazy to try out several ideas. The Monkeysphere suite has a tool to add your GPG authentication subkeys to ssh-agent, should be simple. But there should be a few older Super User posts on this.