Are GPG and SSH keys interchangeable?

I know this is an old post, but for people like me stumbling over this:

It is now (since gpg 2.1) possible to simply extract ssh keys directly using gpg: gpg --export-ssh-key <key id>!.

The ! mark is optional; it makes the primary key exportable and omits checking whether the key is authentication-capable ([CA]).

Details:

  • https://www.gnupg.org/faq/whats-new-in-2.1.html#sshexport
  • https://lists.gnupg.org/pipermail/gnupg-devel/2016-January/030682.html

I'm doing some research about this topic and I can give you some hints, but I've not found a way to make it work yet.

Monkeysphere

Monkeysphere seems a very interesting project, but I've not been able to compile it under Mac OS X without clogging my little free disk space with MacPorts.

Using gpgkey2ssh

The first way I suggest you try is to generate a compatible authorized_keys entry from your key id (e.g., BFB2E5E3) with

gpgkey2ssh BFB2E5E3 | tee -a ~/.ssh/authorized_keys

Here I added it to my localhost since I ran an ssh server for testing purposes, but of course you should add this to the target host ~/.ssh/authorized_keys. Next you need to tell SSH to use the private portion of this key during authentication, but simply exporting an ASCII armored version of the keypair doesn't work:

gpg --armor --export-secret-key BFB2E5E3! |tee ~/.ssh/id_rsa
gpg --armor --export BFB2E5E3! | tee ~/.ssh/id_rsa.pub
chmod 400 ~/.ssh/id_rsa
ssh localhost

Using gpg-agent

gpg-agent has the option --enable-ssh-support that allows it to be used as a drop-in replacement for the well-known ssh-agent. I've read of some people trying to add their GPG key via ssh-add after launching gpg-agent this way:

gpg-agent --enable-ssh-support --daemon
gpg --armor --export-secret-key BFB2E5E3! | tee ~/.gnupg/exported-keys/BFB2E5E3_sec.asc
ssh-add ~/.gnupg/exported-keys/BFB2E5E3_sec.asc

But I don't think this will ever work. The gpg-agent manpage says:

SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility.  When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.

So it seems that gpg-agent should be used as an additional measure to protect your SSH keys with a GPG encryption.

Converting a GPG key to OpenSSH

Jérôme Pouiller in his blog writes that the gpgsm utility can export keys and certificates in PKCS12; they can then be used by OpenSSH:

gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
chmod 600 gpg-key.pem
cp gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub

But I haven't found a way to make gpgsm accept my gpg keypairs.

Other things you can try

SSH has a -I option to specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing the user's private RSA key. ssh-keygen can use RFC4716/SSH2 public or private keys, PEM PKCS8 public keys, and PEM public keys to generate an OpenSSH-compatible private (or public) key using the -i and -m options.

Still I can't find a way to put it all together.


No, they are not interchangeable. Yes, it is possible to use GPG keys for authentication – the Monkeysphere package has tools to extract the raw RSA keypair from your GPG certificate.

  1. Your GPG certificate will need a subkey with the "authentication" capability flag. To create such a subkey, run once:

    monkeysphere g
    
  2. Now add your authentication subkeys to ssh-agent:

    monkeysphere s
    

Somewhat relevant: this gnupg-users thread.
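
An added example, not code from any of the answers above: it reads `gpg --list-keys --with-colons --with-keygrip` output, selects the keys that carry the authentication capability the answers refer to, and lists their keygrips in gpg-agent's sshcontrol file, which is how a gpg-agent started with --enable-ssh-support is told to offer an existing GPG key over SSH. The function names and the sample listing (key IDs, keygrips) are constructed for illustration.

```shell
#!/bin/sh
# Constructed `gpg --list-keys --with-colons --with-keygrip` output.
# Key IDs and keygrips are placeholders, not real keys.
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESCA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::::Example User <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::a:
grp:::::::::3333333333333333333333333333333333333333:
sub:r:4096:1:DDDDDDDDDDDDDDDD:1400000000::::::a:
grp:::::::::4444444444444444444444444444444444444444:
EOF
}

# Print "KEYID KEYGRIP" for each key whose own capabilities (field 12,
# lowercase letters; uppercase ones summarise the whole certificate) include
# "a" and whose validity (field 2) is not revoked, expired or invalid.
auth_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            keyid = $5
            want = ($12 ~ /a/ && $2 !~ /^[rei]$/)
            next
        }
        $1 == "grp" && want { print keyid, $10; want = 0 }
    '
}

# Append each keygrip read on stdin to the sshcontrol file named in $1,
# skipping keygrips that are already listed there.
add_to_sshcontrol() {
    touch "$1"
    while read -r _keyid grip; do
        grep -q "^$grip" "$1" || printf '%s\n' "$grip" >> "$1"
    done
}

# Demo on the constructed listing, using a scratch file, not ~/.gnupg/sshcontrol.
demo_file=$(mktemp)
sample_listing | auth_keys | add_to_sshcontrol "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

Against a real keyring the pipeline would be `gpg --list-keys --with-colons --with-keygrip <key id> | auth_keys | add_to_sshcontrol ~/.gnupg/sshcontrol`; the private key never leaves gpg-agent, unlike the export-to-file attempts above.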