Import my SSH key as GPG sub-key to use for SSH authentication
I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my OS (Kubuntu) than ssh-agent.
I'm lazy and would like to avoid having to replace my SSH key on all the various servers I have access to.
Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg-agent with ssh-agent support, so that when I run ssh something it uses my subkey and uses gpg-agent to ask for the passphrase?
Ideally I supply the passphrase only once, for my main PGP key, and then whenever I commit or log in through ssh, it uses the right one.
Is it possible? (I know they are different formats, but that's really all I know.)
ssh gpg
asked Jun 23 '17 at 3:07
Fire-Dragon-DoL
2 Answers
Found an easy approach. You need the pem2openpgp utility from the monkeysphere project and gpg2's ability to import an existing key as a subkey.
First convert the SSH key to OpenPGP format. You have to provide a new user ID, as required by GPG.
$ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import
Now you have a new user ID with your SSH key as its master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down the keygrip of the newly imported key:
$ gpg2 -K --with-keygrip $TEMP_USERID
sec   rsa4096 2018-03-02 [C]
      21C766CAC691F395D640E8207E9F9F883D1E49D8
      Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
uid           [ unknown] TEST
Now use gpg2 --expert --edit-key on your master key and import the above key as your subkey:
$ gpg2 --expert --edit-key $YOURUSERID
gpg> addkey
......
(13) Existing key
Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
......
gpg2 will ask you lots of questions as usual. Remember to toggle the correct key capabilities (sign: off, encrypt: off, auth: on).
After this you should have the imported SSH key as a subkey of your master key. Check it:
$ gpg2 -K $YOURUSERID --with-keygrip
sec   rsa4096 2016-02-02 [SC]
......
uid           [ultimate] CUI Hao (cvhc) <cuihao.leo@gmail.com>
......
ssb   rsa4096 2018-02-21 [A]
      Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
You can use gpg2 --export-ssh-key to verify that the imported subkey is indeed the same as the original SSH key.
Note that the temporary user ID used for the key import is still in your keyring. You must delete it manually. GnuPG prevents you from removing a public key / user ID without deleting the corresponding private keys. However, since the temporary user ID and your imported subkey share the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes the imported subkey.
My solution is to back up the private keys in ~/.gnupg/private-keys-v1.d and move them back after gpg2 has removed the imported subkey.
I submitted a feature request asking GnuPG for an option to delete the public key without affecting the private key: https://dev.gnupg.org/T3808
answered Mar 2 at 3:02
cuihao
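The procedure in this answer as one script, added here as an example; it is not part of cuihao's answer. The three helpers parse gpg2's machine-readable --with-colons output and compare OpenSSH public-key lines, and they run offline on constructed samples modelled on the listings above. import_ssh_key_as_auth_subkey runs the real steps and assumes pem2openpgp, gpg2 (2.1 or later) and ssh-keygen are installed and that id_rsa is an RSA key in the classic PEM format pem2openpgp reads (a key in the newer OpenSSH container can be rewritten first with ssh-keygen -p -m PEM -f ~/.ssh/id_rsa). Two things the answer leaves implicit are made explicit: the new subkey is checked against the original public key before anything is deleted, and the backup copy of <keygrip>.key stays inside GNUPGHOME rather than in /tmp. The script name, the throwaway user ID and the sample key identifiers are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumes pem2openpgp (monkeysphere),
# gpg2 >= 2.1 and ssh-keygen on PATH. The three helpers and the samples run
# offline; only import_ssh_key_as_auth_subkey touches a real keyring.
set -eu

# Print the keygrip of every sec/ssb record whose own (lower-case) capability
# field, field 12 of `gpg2 -K --with-colons --with-keygrip`, contains the letter
# given: c=certify, s=sign, e=encrypt, a=authenticate.
keygrips_with_cap() {                      # keygrips_with_cap <letter> < colon-output
    awk -F: -v want="$1" '
        $1 == "sec" || $1 == "ssb" { hit = (index($12, want) > 0); next }
        $1 == "grp" && hit         { print $10 }
    '
}

# Print field 10 of the first "fpr" or "grp" record after "sec": the primary
# key's fingerprint or keygrip.
primary_record() {                         # primary_record <fpr|grp> < colon-output
    awk -F: -v rec="$1" '$1 == "sec" { seen = 1; next } seen && $1 == rec { print $10; exit }'
}

# Compare two OpenSSH public-key lines on key type and base64 blob only; the
# comment differs ("openpgp:0x..." from gpg2 --export-ssh-key) and is ignored.
same_ssh_key() {                           # same_ssh_key <line1> <line2>
    a=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $1, $2 }')
    b=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1, $2 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed samples modelled on the listings in the answer (not real keys).
SAMPLE_TEMP_COLONS='sec:u:4096:1:7E9F9F883D1E49D8:1519963200:::u:::cC:::+:::23::0:
fpr:::::::::21C766CAC691F395D640E8207E9F9F883D1E49D8:
grp:::::::::AAB27E63622E87B27AC34293EDF52C3AB016CA2E:
uid:u::::1519963200::0000000000000000000000000000000000000000::TEST::::::::::0:'
SAMPLE_MASTER_COLONS='sec:u:4096:1:1111111111111111:1454371200:::u:::scESCA:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
uid:u::::1454371200::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
ssb:u:4096:1:3333333333333333:1519171200::::::a:::+:::23:
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::AAB27E63622E87B27AC34293EDF52C3AB016CA2E:'
SAMPLE_SSH_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedblob user@laptop'
SAMPLE_EXPORTED_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedblob openpgp:0x3D1E49D8'
SAMPLE_OTHER_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDotherblob user@laptop'

# The answer's procedure end to end. Interactive at the addkey step.
import_ssh_key_as_auth_subkey() {          # import_ssh_key_as_auth_subkey <id_rsa> <your-uid>
    ssh_key=$1
    master_uid=$2
    temp_uid="tmp-ssh-import-$$"           # throwaway user ID pem2openpgp requires
    gnupghome=${GNUPGHOME:-$HOME/.gnupg}

    # 1. Convert and import: the SSH key becomes the primary key of a throwaway OpenPGP key.
    pem2openpgp "$temp_uid" < "$ssh_key" | gpg2 --import

    # 2. Record its keygrip (what "(13) Existing key" asks for) and its fingerprint.
    colons=$(gpg2 -K --with-colons --with-keygrip "$temp_uid")
    grip=$(printf '%s\n' "$colons" | primary_record grp)
    temp_fpr=$(printf '%s\n' "$colons" | primary_record fpr)
    echo "imported keygrip: $grip"

    # 3. Attach it to your real key: pick (13), paste $grip, leave only "auth" on.
    gpg2 --expert --edit-key "$master_uid" addkey

    # 4. Prove the new subkey is the same key before deleting anything:
    #    --export-ssh-key emits the newest authentication subkey.
    if ! same_ssh_key "$(gpg2 --export-ssh-key "$master_uid")" "$(ssh-keygen -y -f "$ssh_key")"; then
        echo "exported subkey does not match $ssh_key; leaving the keyring as is" >&2
        return 1
    fi

    # 5. Deleting the throwaway secret key also deletes <grip>.key, which the
    #    subkey shares, so copy it aside (inside GNUPGHOME, not /tmp) and restore it.
    backup="$gnupghome/$grip.key.bak"
    cp -p "$gnupghome/private-keys-v1.d/$grip.key" "$backup"
    gpg2 --batch --yes --delete-secret-and-public-keys "$temp_fpr"
    cp -p "$backup" "$gnupghome/private-keys-v1.d/$grip.key"
    rm -f "$backup"

    # 6. The subkey must still be listed with auth capability and its private key file present.
    [ -f "$gnupghome/private-keys-v1.d/$grip.key" ] &&
        gpg2 -K --with-colons --with-keygrip "$master_uid" | keygrips_with_cap a | grep -qx "$grip"
}

case "${1:-}" in
    run) import_ssh_key_as_auth_subkey "$2" "$3" ;;
esac
```

Run it as sh import-ssh-subkey.sh run ~/.ssh/id_rsa 'Your Name <you@example.org>' (file name assumed). The identity check in step 4 is the part worth keeping even if you do the rest by hand: an authentication subkey that does not reproduce the original public key will not get you into any server, and without the check you only find out after the temporary key, and with it the shared private key file, is gone.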
All that you need:
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
ssh-add ~/.ssh/id_rsa
Then feel free to remove the files: mv ~/.ssh/id_rsa* /path/to/backup
Now you can do an SSH login for testing.
After all that, remember to add the environment variables to your profile, such as ~/.profile or ~/.bashrc.
(PS: You can find the SSH key (in gpg format) in ~/.gnupg/private-keys-v1.d/, named after its keygrip, which can be used to add it as a subkey.)
Reference:
https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html
answered 9 mins ago
King's Way
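An added example, not King's Way's code, that wraps the three lines above in a repeatable setup with the checks a practitioner wants. Two facts the answer leaves out: gpg-agent only listens on the socket that gpgconf reports if gpg-agent.conf contains enable-ssh-support, and a key handed over with ssh-add is stored permanently in private-keys-v1.d (pinentry asks for a passphrase to protect it) and listed by keygrip in ~/.gnupg/sshcontrol, which is what makes removing ~/.ssh/id_rsa safe. It remains an agent key, not an OpenPGP subkey, until you attach it with addkey as in the other answer. The cache TTL values and the script name are assumptions, gpgconf, ssh-add and awk are assumed on PATH, and the sshcontrol sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumes gpg2 >= 2.1 with gpgconf,
# OpenSSH's ssh-add, and awk on PATH. The helpers and the sample run offline;
# setup/verify touch the real agent only when invoked as `sh gpg-ssh.sh setup`.
set -eu

# Append a line to a config file unless that exact line is already there, so
# re-running setup never duplicates gpg-agent.conf entries.
ensure_line() {                            # ensure_line <file> <line>
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Print the keygrips gpg-agent will offer over the SSH socket, read from
# ~/.gnupg/sshcontrol: one "<keygrip> <ttl> [confirm]" per line, "#" comments,
# and a leading "!" disabling an entry. ssh-add appends a line per key it stores.
sshcontrol_keygrips() {                    # sshcontrol_keygrips < sshcontrol
    awk '/^[[:space:]]*$/ { next } /^[[:space:]]*[#!]/ { next } { print $1 }'
}

# Constructed sshcontrol sample: comments, an enabled key, a disabled key,
# and a key that requires confirmation on every use.
SAMPLE_SSHCONTROL='# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.
AAB27E63622E87B27AC34293EDF52C3AB016CA2E 0
!1111111111111111111111111111111111111111 0
2222222222222222222222222222222222222222 600 confirm'

# One-off setup: enable the SSH socket (without enable-ssh-support gpg-agent
# does not listen on it, even though gpgconf prints its path), bound the time
# the decrypted key stays cached, restart the agent, then hand the key over.
# ssh-add re-encrypts it into private-keys-v1.d/<keygrip>.key under a
# passphrase pinentry asks for; after that ~/.ssh/id_rsa is no longer needed.
setup_gpg_agent_ssh() {                    # setup_gpg_agent_ssh [path-to-private-key]
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    ensure_line "$conf" "enable-ssh-support"
    ensure_line "$conf" "default-cache-ttl-ssh 1800"   # assumed values: 30 min idle,
    ensure_line "$conf" "max-cache-ttl-ssh 7200"       # 2 h absolute
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    GPG_TTY=$(tty); export GPG_TTY
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); export SSH_AUTH_SOCK
    ssh-add "${1:-$HOME/.ssh/id_rsa}"
}

# Check that ssh is really talking to gpg-agent (desktop sessions often set
# SSH_AUTH_SOCK to a plain ssh-agent) and that the key was recorded.
verify_gpg_agent_ssh() {
    [ "${SSH_AUTH_SOCK:-}" = "$(gpgconf --list-dirs agent-ssh-socket)" ] ||
        { echo "SSH_AUTH_SOCK does not point at gpg-agent's ssh socket" >&2; return 1; }
    ssh-add -L                             # public keys the agent serves
    sshcontrol_keygrips < "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol"
}

case "${1:-}" in
    setup)  setup_gpg_agent_ssh "${2:-$HOME/.ssh/id_rsa}" && verify_gpg_agent_ssh ;;
    verify) verify_gpg_agent_ssh ;;
esac
```

sh gpg-ssh.sh setup adds the key and prints what the agent now serves; sh gpg-ssh.sh verify is the check to run in a fresh login shell once the two exports are in ~/.profile. The key ends up protected by the passphrase you gave to pinentry, so the "passphrase once" behaviour the question asks for is bounded by the TTLs above, not by the length of the session.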