Are GPG and SSH keys interchangable?
I know this is an old post, but for people like me stumbling over this:
It is now (since gpg 2.1) possible to simply extract ssh keys directly using gpg:
gpg --export-ssh-key <key id>!
.
The !
mark is optional, it makes the primary key exportable and omits checking whether the key is authentication-capable ([CA]).
Details:
- https://www.gnupg.org/faq/whats-new-in-2.1.html#sshexport
- https://lists.gnupg.org/pipermail/gnupg-devel/2016-January/030682.html
I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.
Monkeysphere
Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.
Using gpgkey2ssh
The first way I suggest you to try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with
gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys
Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys
.
Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:
gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost
Using gpg-agent
gpg-agent
has the option --enable-ssh-support
that allows it to use it as a drop-in replacement for the well known ssh-agent
.
I've read of some people trying to add via ssh-add
their GPG key after launching gpg-agent
this way:
gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
But I don't think this will ever work. The gpg-agent manpage says:
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
So it seems that gpg-agent
should be used as an additional measure to protect your SSH keys with a GPG encryption.
Converting a GPG key to OpenSSH
Jérôme Pouiller in his blog writes that the Gpgsm utility can export keys and certificates in PCSC12; they can then be used by OpenSSH:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
But I haven't found a way to make gpgsm
accept my gpg keypairs.
Other things you can try
SSH has a -I
option to specify the PKCS#11 shared library ssh
should use to communicate with a PKCS#11 token providing the user's private RSA key.
ssh-keygen
can use RFC4716/SSH2 public or private key, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH compatible private (or public) key using the -i
and -m
options.
Still I can't find a way to put it all together.
No, they are not interchangeable. Yes, it is possible to use GPG keys for authentication – the Monkeysphere package has tools to extract the raw RSA keypair from your GPG certificate.
Your GPG certificate will need a subkey with the "authentication" capability flag. To create such a subkey, run once:
monkeysphere g
Now add your authentication subkeys to ssh-agent:
monkeysphere s
Somewhat relevant: this gnupg-users thread.