I generated a PGP key with GnuPG over a year ago. Since I haven't had to really touch it since, I'm extremely foggy on the ins and outs of GPG (though I understand asymmetric key encryption in principle). I had used this key to authenticate SSH logins, right up until I accidentally deleted it yesterday. So, today, I set out to generate it again.
I run gpg --export-secret-key -a "Ryan Lue" > ~/.ssh/id_rsa, and it prompts me for a password. I enter the password, and out comes the id_rsa file. Now, when I try to SSH into my servers, it throws the following warning:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
So, I obediently chmod 600 ~/.ssh/id_rsa. Then, I try again, and it prompts for a password (actually, since I'm on a Mac, Keychain prompts me for a password). I enter the same password I used to export it, and each time, it fails, spitting out the following error on the command line:
Saving password to keychain failed
I've also tried adding the key using ssh-agent, and that actually prompts me for the password on the command line:
Enter passphrase for /Users/rlue/.ssh/id_rsa:
Either way, it keeps rejecting the password. I'm 100% sure I'm entering the same passphrase at these prompts as I do to export it: I've successfully exported the key about a dozen times and failed to authenticate it in use about four dozen times.
What am I missing?
Best Answer
OpenPGP (as implemented by GnuPG) and SSH do not share a common key format, although they rely on the same cryptographic principles.
GnuPG implements the ssh-agent protocol, though, so you can still use your OpenPGP keys through GnuPG for SSHing into other computers.

1. Enable the ssh-agent protocol by adding enable-ssh-support to ~/.gnupg/gpg-agent.conf
2. export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh; you might want to do that in your ~/.profile
3. Kill ssh-agent if started and reload gpg-agent (gpg-connect-agent reloadagent /bye)
4. ssh-add -L should now contain the familiar SSH public key line for your OpenPGP key
5. ssh to the target server as with a normal SSH key

This also works great with OpenPGP smartcards or USB dongles; I'm using this to protect my SSH key with a YubiKey.