NAME¶
openpgp2ssh —
translate OpenPGP keys to SSH keys
SYNOPSIS¶
gpg --export $KEYID | openpgp2ssh $KEYID |
|
gpg --export-secret-key $KEYID | openpgp2ssh
$KEYID |
|
DESCRIPTION¶
openpgp2ssh < mykey.gpg takes an OpenPGP-formatted primary
key and associated subkeys on standard input, and spits out the requested
equivalent SSH-style key on standard output.
If the data on standard input contains no subkeys, you can invoke
openpgp2ssh < mykey.gpg without arguments. If the data on
standard input contains multiple keys (e.g. a primary key and associated
subkeys), you must specify a specific OpenPGP key identifier as the first
argument to indicate which key to export. The key ID is normally the 40 hex
digit OpenPGP fingerprint of the key or subkey desired, but
openpgp2ssh < mykey.gpg will accept as few as the last 8
digits of the fingerprint as a key ID.
If the input contains an OpenPGP RSA public key, it will be converted to the
OpenSSH-style single-line keystring, prefixed with the key type (`ssh-rsa').
This format is suitable (with minor alterations) for insertion into
known_hosts files and authorized_keys files.
If the input contains an OpenPGP RSA secret key, it will be converted to the
equivalent PEM-encoded private key.
openpgp2ssh < mykey.gpg is part of the
monkeysphere(7) framework for providing a PKI for SSH.
CAVEATS¶
The keys produced by this process are stripped of all identifying information,
including certifications, self-signatures, etc. This is intentional, since ssh
attaches no inherent significance to these features.
openpgp2ssh < mykey.gpg will produce output for any
requested RSA key. This means, among other things, that it will happily export
revoked keys, unverifiable keys, expired keys, etc. Make sure you do your own
key validation before using this tool!
EXAMPLES¶
gpg --export-secret-key $KEYID |
openpgp2ssh
$KEYID |
ssh-add -c /dev/stdin
This pushes the secret key into the active
ssh-agent(1). Tools
such as
ssh(1) which know how to talk to the
ssh-agent(1) can now rely on the key.
AUTHOR¶
openpgp2ssh < mykey.gpg and this man page were written by
Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
BUGS¶
openpgp2ssh < mykey.gpg only works with RSA keys. DSA keys
are the only other key type available in both OpenPGP and SSH, but they are
currently unsupported by this utility.
openpgp2ssh < mykey.gpg only accepts raw OpenPGP packets on
standard input. It does not accept ASCII-armored input.
openpgp2ssh < mykey.gpg Currently only exports into
formats used by the OpenSSH. It should support other key output formats, such
as those used by
lsh(1) and
putty(1).
Secret key output is currently not passphrase-protected.
openpgp2ssh < mykey.gpg currently cannot handle
passphrase-protected secret keys on input.
SEE ALSO¶
pem2openpgp(1),
monkeysphere(1),
monkeysphere(7),
ssh(1),
monkeysphere-authentication(8),
monkeysphere-host(8)