Mailing List Archive: GnuPG: users

gnupg as ssh-agent

Index | Next | Previous | View Threaded

ingo.krabbe at eoa

Jul 10, 2009, 7:12 AM

Post #1 of 8 (1167 views)
Permalink

gnupg as ssh-agent

Hi,

I now tried to use the gpg-agent as a ssh-agent too, as I always started both
agents anyway. Now I wonder if I could also use my GnuPG Key as a key for a
ssh session too, which would be quite convenient.

Actually I wonder why the gpg-agent runs in ssh-agent mode, if the latter isn't
possible, and further, why the latter shouldn't be possible as both keys are
just containers for the same algortihm, though gpg supports more algorithms
than ssh, at least for RSA and DSA keys this statement should hold.

TIA

Ingo Krabbe

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

benjamin at py-soft

Jul 10, 2009, 9:25 AM

Post #2 of 8 (1107 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

2009/7/10 Ingo Krabbe <ingo.krabbe [at] eoa>:
> I now tried to use the gpg-agent as a ssh-agent too, as I always started both
> agents anyway. Now I wonder if I could also use my GnuPG Key as a key for a
> ssh session too, which would be quite convenient.

man gpg-agent:

[...]

--enable-ssh-support

Enable emulation of the OpenSSH Agent protocol.

In this mode of operation, the agent does not only implement the
gpg-agent protocol, but also the agent protocol used by OpenSSH
(through a separate socket). Consequently, it should be possible to
use the gpg-agent as a drop-in replacement for the well known
ssh-agent.

SSH Keys, which are to be used through the agent, need to be added
to the gpg-agent initially through the ssh-add utility. When a key is
added, ssh-add will ask for the password of the provided key file and
send the unprotected key material to the agent; this causes the
gpg-agent to ask for a passphrase, which is to be used for encrypting
the newly received key and storing it in a gpg-agent specific
directory.

Once a key has been added to the gpg-agent this way, the gpg-agent
will be ready to use the key.

Note: in case the gpg-agent receives a signature request, the user
might need to be prompted for a passphrase, which is necessary for
decrypting the stored key. Since the ssh-agent protocol does not
contain a mechanism for telling the agent on which display/terminal it
is running, gpg-agent's ssh-support will use the TTY or X display
where gpg-agent has been started. To switch this display to the
current one, the following command may be used:

echo UPDATESTARTUPTTY | gpg-connect-agent

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

ingo.krabbe at eoa

Jul 10, 2009, 9:41 AM

Post #3 of 8 (1116 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

On Fri, Jul 10, 2009 at 05:25:09PM +0100, Benjamin Donnachie wrote:
> 2009/7/10 Ingo Krabbe <ingo.krabbe [at] eoa>:
> > I now tried to use the gpg-agent as a ssh-agent too, as I always started both
> > agents anyway. Now I wonder if I could also use my GnuPG Key as a key for a
> > ssh session too, which would be quite convenient.
>
> man gpg-agent:
>
> [...]
>
> --enable-ssh-support
[...]
> SSH Keys, which are to be used through the agent, need to be added
> to the gpg-agent initially through the ssh-add utility. When a key is
> added, ssh-add will ask for the password of the provided key file and
> send the unprotected key material to the agent; this causes the
> gpg-agent to ask for a passphrase, which is to be used for encrypting
> the newly received key and storing it in a gpg-agent specific
> directory.
[...]

Of course I read that (multiple times to find the hidden secret), but that
doesn't answers the question, as I want to use my GnuPG Identity for the SSH
Identity.

I already ssh-add'ed my ssh keys and it worked. Now I want to add my GnuPG Key
to the ssh-agent part and asked if this is possible.

Actually both keys only contain RSA (in my case), so theoretically there's
only the container format between both systems, as fas as I can say. What I'm
searching for is one key container for all systems.

Best regards,

I n g o K r a b b e

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dkg at fifthhorseman

Jul 10, 2009, 9:58 AM

Post #4 of 8 (1118 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

On 07/10/2009 12:41 PM, Ingo Krabbe wrote:
> Of course I read that (multiple times to find the hidden secret), but that
> doesn't answers the question, as I want to use my GnuPG Identity for the SSH
> Identity.

If you have an authentication-capable subkey on your OpenPGP key, you
might be interested in monkeysphere (http://web.monkeysphere.info/),
which has some tools for importing authentication-capable RSA subkeys
into a running ssh-agent.

i'm part of upstream on the monkeysphere project, and i recommend using
OpenSSH's implementation of ssh-agent over any other implementation,
including the implementation in gnupg-agent. The OpenSSH folks have
done a really solid job for every day use.

> Actually both keys only contain RSA (in my case), so theoretically there's
> only the container format between both systems, as fas as I can say. What I'm
> searching for is one key container for all systems.

As far as i know, that doesn't exist yet, but i'd like to see it as well.

-dkg

Attachments:

signature.asc (0.87 KB)

ingo.krabbe at eoa

Jul 10, 2009, 5:22 PM

Post #5 of 8 (1104 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

On Fri, Jul 10, 2009 at 12:58:16PM -0400, Daniel Kahn Gillmor wrote:
> On 07/10/2009 12:41 PM, Ingo Krabbe wrote:
> > Of course I read that (multiple times to find the hidden secret), but that
> > doesn't answers the question, as I want to use my GnuPG Identity for the SSH
> > Identity.
>
> If you have an authentication-capable subkey on your OpenPGP key, you
> might be interested in monkeysphere (http://web.monkeysphere.info/),
> which has some tools for importing authentication-capable RSA subkeys
> into a running ssh-agent.
>
> i'm part of upstream on the monkeysphere project, and i recommend using
> OpenSSH's implementation of ssh-agent over any other implementation,
> including the implementation in gnupg-agent. The OpenSSH folks have
> done a really solid job for every day use.

[from monkeyspere documentation]
Then hand off the authentication subkey to the agent (Note: the GnuTLS library
supports this operation as of version 2.6, but earlier versions do not):

$ monkeysphere subkey-to-ssh-agent
[eof monkeyspere documentation]

Seems to do what I searched for somehow. I wonder what special preparations
$ monkeysphere gen-subkey
does to the subkey.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dkg at fifthhorseman

Jul 11, 2009, 6:57 AM

Post #6 of 8 (1093 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

On 07/10/2009 08:22 PM, Ingo Krabbe wrote:
> [from monkeyspere documentation]
> Then hand off the authentication subkey to the agent (Note: the GnuTLS library
> supports this operation as of version 2.6, but earlier versions do not):
>
> $ monkeysphere subkey-to-ssh-agent
> [eof monkeyspere documentation]

hum, we're no longer relying on GnuTLS -- those docs should be updated!

> Seems to do what I searched for somehow. I wonder what special preparations
> $ monkeysphere gen-subkey
> does to the subkey.

All it does is to set the authentication-capable flag, use RSA of a
requested length (it should default to gpg's default size).

--dkg

Attachments:

signature.asc (0.87 KB)

hawke at hawkesnest

Jul 17, 2009, 5:40 PM

Post #7 of 8 (1037 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

Daniel Kahn Gillmor wrote:

> If you have an authentication-capable subkey on your OpenPGP key, you
> might be interested in monkeysphere (http://web.monkeysphere.info/),
> which has some tools for importing authentication-capable RSA subkeys
> into a running ssh-agent.

Why is it that GnuPG can expose an authentication-capable subkey from an
OpenPGP smartcard via OpenSSH, but can't expose an
authentication-capable subkey from its keyring?

Or can it, but I'm doing something completely wrong?

-Alex Mauer "hawke"

Attachments:

signature.asc (0.25 KB)

dkg at fifthhorseman

Jul 20, 2009, 2:22 PM

Post #8 of 8 (1023 views)
Permalink

Re: gnupg as ssh-agent [In reply to]

On 07/17/2009 08:40 PM, Alex Mauer wrote:
> Daniel Kahn Gillmor wrote:
>
>> If you have an authentication-capable subkey on your OpenPGP key, you
>> might be interested in monkeysphere (http://web.monkeysphere.info/),
>> which has some tools for importing authentication-capable RSA subkeys
>> into a running ssh-agent.
>
> Why is it that GnuPG can expose an authentication-capable subkey from an
> OpenPGP smartcard via OpenSSH, but can't expose an
> authentication-capable subkey from its keyring?

I haven't been able to get the one OpenPGP smartcard i've fooled around
with to work (maybe i have a crappy reader), so i can't comment on
whether GnuPG can actually expose that through it's ssh-agent emulation.

The monkeysphere package i described above actually *can't* send a key
from the GPG smartcard through to a separate (non-gpg-agent) ssh-agent,
though -- it extracts the relevant subkey, transforms its RSA key
material to a form that ssh-agent can read, and hands it off directly.

> Or can it, but I'm doing something completely wrong?

I've never been able to convince gpg-agent to treat a gpg key as key for
ssh-agent myself, but perhaps Werner or David can comment on whether
that's actually possible or intended. I agree it would be a useful
feature, but i prefer OpenSSH's ssh-agent implementation over the
gpg-agent implementation of the same protocol.

--dkg

Attachments:

signature.asc (0.87 KB)

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads