Ssh – Can’t use OpenPGP key exported from GnuPG with SSH

gpgsshssh-agent

I generated a PGP key with GnuPG over a year ago. Since I haven't had to really touch it since, I'm extremely foggy on the ins and outs of GPG (though I understand asymmetric key encryption in principle). I had used this key to authenticate SSH logins, right up until accidentally deleted it yesterday. So, today, I set out to generate it again.

I run gpg --export-secret-key -a "Ryan Lue" > ~/.ssh/id_rsa, and it prompts me for a password. I enter the password, and out comes the id_rsa file. Now, when I try to SSH into my servers, it throws the following warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

So, I obediently chmod 600 ~/.ssh/id_rsa. Then, I try again, and it prompts for a password (actually, since I'm on a Mac, Keychain prompts me for a password). I enter the same password I used to export it, and each time, it fails, spitting out the following error on the command line:

Saving password to keychain failed

I've also tried adding the key using ssh-agent, and that actually prompts me for the password on the command line:

Enter passphrase for /Users/rlue/.ssh/id_rsa:

Either way, it keeps rejecting the password. I'm 100% sure I'm entering the same passphrase at these prompts as I do to export it: I've successfully exported the key about a dozen times and failed to authenticate it in use about four dozen times.

What am I missing?

Best Answer

OpenPGP (as implemented by GnuPG) and SSH do not share a common key format, although they rely on the same cryptographic principles.

GnuPG implements the ssh-agent protocol, though, so you can still use your OpenPGP keys through GnuPG for SSHing into other computers.

enable the ssh-agent protocol by adding enable-ssh-support to ~/.gnupg/gpg-agent.conf
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh; you might want to do that in your ~/.profile
kill ssh-agent if started and reload gpg-agent (gpg-connect-agent reloadagent /bye)
export and add your public key to target servers (ssh-add -L should now contain the familiar SSH public key line for your OpenPGP key)
ssh to the target server as with a normal SSH key

This also works great with OpenPGP smartcards or USB dongles, I'm using this to protect my SSH key with a YubiKey.

Related Solutions

Ssh – need to insert the passphrase for an RSA key on a remote host after SSH

You solved part of your issue with the use of keychain to act as storage for your passphrases for your SSH keys. As to your other question:

However, I am not sure if it is worth to encrypt a private key which is only used for ssh connection to a specific server. Is there any concrete security risk by not encrypting the private keys? In principle if one is able to access the private key he/she is also able to use the passwords stored in the keychain...so it seems that there might not be a big advantage in encrypting the private keys

It's not that your private keys are left unencrypted, it's that they're not protected with a passphrase. Therefore anyone that can gain access to your home directory's .ssh directory can get control of your SSH keys without issue.

If you're comfortable with leaving these keys on a system that you have full control over then I see no issue with leaving them as passphrase-less. I would also recommend generating a different set of keys that you can leave on secondary systems such as this, or even a unique set just for this server, so that you can completely abandon it without much issue if you ever discover its been compromised.

As to using keychain to manage your keys, I see not much to be gained with having passphrases on SSH keys if you're using keychain to manage them, except that keychain will only store them when you use them. If you don't use the keys often, and are diligent about cleaning up keychain when you're finished, then a passphrase would be an advantage, but IMO, it's a small one.

SSH – How to Get Asked for SSH Key Passphrase Once and Only When Needed

Don't add anything to any of your shell startup scripts, this is unnecessary hackery.

Instead, add

AddKeysToAgent yes

to your .ssh/config

Like this, ssh-add is run automatically the first time you ssh into another box. You only have to re-enter your key when it expires from ssh-agent or after you reboot.

Best Answer

Related Solutions

Ssh – need to insert the passphrase for an RSA key on a remote host after SSH

SSH – How to Get Asked for SSH Key Passphrase Once and Only When Needed

Related Question