Private key export for SSH


Private key export for SSH

John Lane
I've been trying out the SSH compatibility. Everything working as per
the documentation, except I have one question.

How can I extract the SSH PRIVATE key ?

I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key
but I can't find an equivalent for the private key.

The reason why I would like the private key is so that I can use it on
another host where I don't have the benefit of gpg 2.1 (or any gpg, for
that matter).

Thanks,
John


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Private key export for SSH

dalek
Would

gpg --export-secret-keys -a C00FFEE > secret

do the trick?

On Mon, Oct 10, 2016 at 4:56 PM, John Lane <[hidden email]> wrote:

> I've been trying out the SSH compatibility. Everything working as per
> the documentation, except I have one question.
>
> How can I extract the SSH PRIVATE key ?
>
> I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key
> but I can't find an equivalent for the private key.
>
> The reason why I would like the private key is so that I can use it on
> another host where I don't have the benefit of gpg 2.1 (or any gpg, for
> that matter).
>
> Thanks,
> John
>
>


Re: Private key export for SSH

John Lane
On 10/10/16 21:12, Mauricio Tavares wrote:
> Would
>
> gpg --export-secret-keys -a C00FFEE > secret
>
> do the trick?
No, because that exports a gpg keyring and not an ssh private key.

One might imply the below is possible, but the error would indicate that
it isn't:

    $ gpg --export-secret-keys --export-ssh-key alice
    gpg: conflicting commands



Re: Private key export for SSH

Peter Lebbing
On 10/10/16 22:56, John Lane wrote:
> The reason why I would like the private key is so that I can use it on
> another host where I don't have the benefit of gpg 2.1 (or any gpg, for
> that matter).

I don't know if you can do private key export; perhaps with monkeysphere?

Here's a different idea. An .ssh/authorized_keys file is a list of text
lines, each line being a single authentication key. Normally, you append
the contents of id_xxx.pub, a single line, to an .ssh/authorized_keys
file to add that key.

How about you just create a separate key for the machine where you don't
use GnuPG, and then create a .pub file that contains two lines, one for
the GnuPG key and one for the other key?

$ rsync other:.ssh/id_rsa.pub combined.pub
$ gpg --export-ssh-key alice >> combined.pub

Note the second command appends to combined.pub.

Then any time you add combined.pub to an .ssh/authorized_keys file,
you're adding both keys, with the same procedure you would normally add
a single key, no extra clicks, nothing :-).

HTH.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
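
Peter's combined.pub idea above (one .pub file holding both the GnuPG-exported key and the other host's key) has two small pitfalls: running the `>>` append twice leaves a duplicate line, and a line whose base64 blob no longer matches its declared key type is silently broken. The Python below is an added example, not code from this thread, from GnuPG or from OpenSSH: it parses .pub / authorized_keys lines (including an options field such as `command="..."`), checks that the type string embedded at the start of the blob agrees with the declared type, computes the OpenSSH MD5 and SHA256 fingerprints (the MD5 form is the one gpg-agent records in sshcontrol, as John's excerpt later in the thread shows), and merges several .pub texts without duplicates. The two key blobs are constructed placeholders built from tiny numbers, not real keys; the function names are this example's own, and the `openpgp:0xDD53AC86` comment on the sample line reuses the subkey id quoted in the thread.

```python
import base64
import hashlib
import re
import struct
from typing import List, NamedTuple, Optional

# Key type token, the base64 blob, then an optional comment; anything before
# the token is the authorized_keys options field (absent in a plain .pub line).
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

class SshPubKey(NamedTuple):
    options: Optional[str]  # e.g. command="...",no-pty; None for a plain .pub line
    keytype: str
    blob: bytes             # decoded RFC 4253 public-key blob
    comment: str

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal big-endian bytes, with a leading
    0x00 when the top bit is set so the value cannot be read as negative."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def parse_pubkey_line(line: str) -> Optional[SshPubKey]:
    """Parse one .pub / authorized_keys line; None for blank and comment lines.
    Raises ValueError if the blob is not valid base64 or its embedded key type
    differs from the declared one (a corrupted or spliced line)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("unrecognised key line: %r" % line[:40])
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    options = line[: m.start()].strip() or None
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack_from(">I", blob, 0)
    embedded = blob[4 : 4 + tlen].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("declared %s but blob says %s" % (keytype, embedded))
    return SshPubKey(options, keytype, blob, comment)

def fingerprint_md5(key: SshPubKey) -> str:
    """Legacy OpenSSH MD5 fingerprint, colon-separated, as seen in sshcontrol comments."""
    hx = hashlib.md5(key.blob).hexdigest()
    return "MD5:" + ":".join(hx[i : i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(key: SshPubKey) -> str:
    """Current OpenSSH default fingerprint: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key.blob).digest()).decode().rstrip("=")

def merge_pubkeys(*texts: str) -> List[str]:
    """Combine several .pub texts into one list of canonical lines, keeping the
    first copy of each key (same type and blob) whatever its comment says."""
    seen, out = set(), []
    for text in texts:
        for raw in text.splitlines():
            key = parse_pubkey_line(raw)
            if key is None or (key.keytype, key.blob) in seen:
                continue
            seen.add((key.keytype, key.blob))
            prefix = key.options + " " if key.options else ""
            b64 = base64.b64encode(key.blob).decode()
            out.append((prefix + key.keytype + " " + b64 + " " + key.comment).rstrip())
    return out

# Constructed sample material: NOT real keys, just small placeholder values that
# exercise the wire encoding. The "openpgp:0x..." comment mimics the one gpg
# writes and reuses the subkey id quoted in this thread.
SAMPLE_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xD0D1D2D3)
SAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
GPG_EXPORT_PUB = "ssh-rsa %s openpgp:0xDD53AC86\n" % base64.b64encode(SAMPLE_RSA_BLOB).decode()
OTHER_HOST_PUB = "ssh-ed25519 %s john@other\n" % base64.b64encode(SAMPLE_ED25519_BLOB).decode()

if __name__ == "__main__":
    # The gpg line appears twice, as it would if "gpg ... >> combined.pub" ran twice: one copy survives.
    for line in merge_pubkeys(GPG_EXPORT_PUB, OTHER_HOST_PUB, GPG_EXPORT_PUB):
        key = parse_pubkey_line(line)
        print(fingerprint_sha256(key), fingerprint_md5(key), key.comment)
```

The type check matters because an authorized_keys line is trusted on the strength of its blob alone: if a copy-and-paste splices the `ssh-ed25519` prefix onto an RSA blob, sshd will reject the key and the failure is hard to see in the file. Running the merge over the real `id_rsa.pub` and the `gpg --export-ssh-key` output, then diffing the result against the authorized_keys on the target, is a cheap way to confirm exactly which keys were granted access.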


Re: Private key export for SSH

John Lane
> I don't know if you can do private key export; perhaps with monkeysphere?

I have Monkeysphere on my radar but I haven't got around to trying it
out. I had hoped for a gpg solution without resorting to third party...

> How about you just create a separate key for the machine where you don't
> use GnuPG, and then create a .pub file that contains two lines, one for
> the GnuPG key and one for the other key?

Yes sure I could do that (and do) but I hoped for a way to export the ssh
private key from gpg. It feels cleaner to me to just have one key.

So it sounds like it isn't possible then. Is there a reason why, beyond
the possibility that it just hasn't been implemented? I would have
thought doing this would complete the circle as far as gpg keys being
used for ssh...



Re: Private key export for SSH

Peter Lebbing
On 11/10/16 13:46, John Lane wrote:
> I have Monkeysphere on my radar but I haven't got around to trying
> it out. I had hoped for a gpg solution without resorting to third
> party...

I think I vaguely remember Monkeysphere supporting it.

> Yes sure I could do that (and do) but I hoped for way to export the
> ssh private key from gpg. It feels cleaner to me to just have one
> key.

(I'd consider key-per-user/workstation-combo cleaner :-)

> Is there a reason why, beyond the possibility that it just hasn't
> been implemented?

I think other features simply were more important, and got priority...

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Private key export for SSH

Daniel Kahn Gillmor-7
On Tue 2016-10-11 09:35:37 -0400, Peter Lebbing wrote:
> On 11/10/16 13:46, John Lane wrote:
>> I have Monkeysphere on my radar but I haven't got around to trying
>> it out. I had hoped for a gpg solution without resorting to third
>> party...
>
> I think I vaguely remember Monkeysphere supporting it.

fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret
key material to arbitrary formats.

Rather, modern versions of monkeysphere (the ones that support gpg 2.1)
include agent-transfer, a tool that knows how to export secret key
material from a running gpg-agent and import into a running ssh agent.

See the agent-transfer(1) manual page for more details.

Regards,

    --dkg


Re: Private key export for SSH

John Lane

>>
>> I think I vaguely remember Monkeysphere supporting it.
>
> fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret
> key material to arbitrary formats.
>

Ok, I have done it using "openpgp2ssh" from monkeysphere (I just
installed 0.39 just to get that tool).

The key has to be extracted and its password removed before it can be
used with openpgp2ssh, hence my use of a temporary homedir in the below.

Here is what I have done:


First the public key:

$ ssh-add -L > alice.key.pub

or

$ gpg --export alice | openpgp2ssh DD53AC86 > alice.key.pub

where DD53AC86 is the id of the authentication subkey.

Next the secret key:

$ gpg --export-secret-key alice > alice.gpg
$ mkdir -m 700 .gnupg-temp
$ gpg --homedir .gnupg-temp --import alice.gpg
$ gpg --homedir .gnupg-temp --passwd alice
  (remove the passwords)
$ gpg --homedir .gnupg-temp --export-secret-key alice | \
  openpgp2ssh DD53AC86 > alice.key
$ chmod 600 alice.key

With the above, I successfully connect to a remote (after putting
alice.key.pub in its authorized_keys file):

$ ssh -i alice.key some_host

However, I note that the agent complains with:

> sign_and_send_pubkey: signing failed: agent refused operation

so I unset the SSH_AUTH_SOCK after which the ssh command worked. I might
have done something else wrong because I would not expect to have to do
that.



Re: Private key export for SSH

John Lane
This is just an observation. I thought that perhaps, if I had an
extracted private key, that I could use "ssh-add" to add it and remove
the need to manually edit "sshcontrol". I tried:

$ ssh-add alice.key
Identity added: alice.key (alice.key)

Looking good. However...

$ ssh-add -l
The agent has no identities.

No joy. I realise the documented way is to edit the sshcontrol file and
put the keygrip into it. But the positive output above is misleading.

That's where gpg knows about the key (e.g. on the machine where the
extract was done). The "ssh-add alice.key" works if the key is unknown
to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d.
Furthermore, importing the alice.gpg key afterwards works fine too.

# RSA key added on: 2016-10-12 15:44:05
# MD5 Fingerprint:  d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16
817A3B5A8596096E8AC2932617C10E4181F09B55 0
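
The point of John's observation above is that gpg-agent only offers a key over the ssh-agent protocol once its keygrip is listed in sshcontrol, and that the "Identity added" message from ssh-add does not prove the keygrip got there. The Python below is an added example, not code from this thread or from GnuPG: it parses sshcontrol in the format shown above (comment lines, then `KEYGRIP TTL [confirm]`, with a TTL of 0 meaning the agent default and a leading `!` marking a disabled entry), reports whether a given keygrip is enabled, and adds a keygrip idempotently so that running it twice cannot produce a duplicate entry. The sample file is constructed: it reuses the keygrip from John's post and one obviously fake placeholder keygrip; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# A keygrip is 40 upper-case hex digits (shown by "gpg --with-keygrip -k").
KEYGRIP_RE = re.compile(r"^[0-9A-F]{40}$")
KNOWN_FLAGS = {"confirm"}  # gpg-agent asks the user before each use of such a key


@dataclass
class SshControlEntry:
    keygrip: str
    ttl: int          # cache TTL in seconds; 0 means gpg-agent's default
    flags: List[str]
    disabled: bool    # entry was prefixed with '!'
    lineno: int       # 1-based line in the file, for error messages and rewrites


def parse_sshcontrol(text: str) -> List[SshControlEntry]:
    """Parse gpg-agent's sshcontrol file. Blank lines and '#' comments are skipped;
    any other line must be '[!]KEYGRIP [TTL [confirm]]' or ValueError is raised."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("!")
        parts = line.lstrip("!").split()
        keygrip = parts[0].upper()
        if not KEYGRIP_RE.match(keygrip):
            raise ValueError("line %d: %r is not a 40-hex-digit keygrip" % (lineno, parts[0]))
        ttl = 0
        if len(parts) > 1:
            if not parts[1].isdigit():
                raise ValueError("line %d: TTL %r is not a non-negative integer" % (lineno, parts[1]))
            ttl = int(parts[1])
        flags = parts[2:]
        unknown = sorted(set(flags) - KNOWN_FLAGS)
        if unknown:
            raise ValueError("line %d: unknown flag(s) %s" % (lineno, unknown))
        entries.append(SshControlEntry(keygrip, ttl, flags, disabled, lineno))
    return entries


def keygrip_status(text: str, keygrip: str) -> str:
    """'enabled' if gpg-agent will offer this keygrip to ssh, 'disabled' if every
    matching entry is commented out with '!', 'absent' if it is not listed."""
    keygrip, status = keygrip.upper(), "absent"
    for e in parse_sshcontrol(text):
        if e.keygrip == keygrip:
            if not e.disabled:
                return "enabled"
            status = "disabled"
    return status


def enable_keygrip(text: str, keygrip: str, ttl: int = 0, confirm: bool = False) -> str:
    """Return sshcontrol text with `keygrip` enabled: unchanged if it already is,
    the '!' stripped if it was disabled, a new entry appended if it was absent.
    Calling this a second time is a no-op, so it never duplicates an entry."""
    keygrip = keygrip.upper()
    if not KEYGRIP_RE.match(keygrip):
        raise ValueError("%r is not a keygrip" % keygrip)
    status = keygrip_status(text, keygrip)
    if status == "enabled":
        return text
    if status == "disabled":
        lines = text.splitlines(keepends=True)
        for e in parse_sshcontrol(text):
            if e.keygrip == keygrip:
                lines[e.lineno - 1] = lines[e.lineno - 1].lstrip().lstrip("!")
        return "".join(lines)
    entry = "%s %d%s" % (keygrip, ttl, " confirm" if confirm else "")
    sep = "" if not text or text.endswith("\n") else "\n"
    return "%s%s# enabled for ssh by example helper\n%s\n" % (text, sep, entry)


# Constructed sample: a header comment in the spirit of gpg-agent's own, the
# keygrip quoted in this thread, and one obviously fake placeholder keygrip
# that has been disabled with '!'.
SAMPLE_SSHCONTROL = """\
# Keys gpg-agent may offer over the ssh-agent protocol (constructed sample)
# RSA key added on: 2016-10-12 15:44:05
# MD5 Fingerprint:  d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16
817A3B5A8596096E8AC2932617C10E4181F09B55 0
!0123456789ABCDEF0123456789ABCDEF01234567 3600 confirm
"""

if __name__ == "__main__":
    for e in parse_sshcontrol(SAMPLE_SSHCONTROL):
        print(e.keygrip, "disabled" if e.disabled else "enabled", "ttl=%d" % e.ttl, e.flags)
    print(keygrip_status(SAMPLE_SSHCONTROL, "F" * 40))  # a keygrip that is not listed
```

Pointing `parse_sshcontrol` at the real `~/.gnupg/sshcontrol` and comparing its enabled keygrips with `ssh-add -l` output is a quick way to tell the two failure modes apart: a keygrip that is enabled but not listed by `ssh-add -l` means the agent or its socket is the problem, while an absent keygrip means the file was never updated, which is exactly the situation John hit.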



Re: Private key export for SSH

Daniel Kahn Gillmor-7
On Wed 2016-10-12 11:52:19 -0400, John Lane wrote:

> This is just an observation. I thought that perhaps, if I had an
> extracted private key, that I could use "ssh-add" to add it and remove
> the need to manually edit "sshcontrol". I tried:
>
> $ ssh-add alice.key
> Identity added: alice.key (alice.key)
>
> Looking good. However...
>
> $ ssh-add -l
> The agent has no identities.
>
> No joy. I realise the documented way is to edit the sshcontrol file and
> put the keygrip into it. But the positive output above is misleading.
>
> That's where gpg knows about the key (e.g. on the machine where the
> extract was done). The "ssh-add alice.key" works if the key is unknown
> to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d.
> furthermore, importing the alice.gpg key afterwards works fine too.
>
> # RSA key added on: 2016-10-12 15:44:05
> # MD5 Fingerprint:  d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16
> 817A3B5A8596096E8AC2932617C10E4181F09B55 0
It looks to me like you're referring to
https://bugs.gnupg.org/gnupg/issue2316 , which was marked as "resolved".

I just re-opened it to "chatting".

  --dkg


Re: Private key export for SSH

Justus Winter
Hi John :)

Daniel Kahn Gillmor <[hidden email]> writes:

> On Wed 2016-10-12 11:52:19 -0400, John Lane wrote:
>> This is just an observation. I thought that perhaps, if I had an
>> extracted private key, that I could use "ssh-add" to add it and remove
>> the need to manually edit "sshcontrol". I tried:
>>
>> $ ssh-add alice.key
>> Identity added: alice.key (alice.key)
>>
>> Looking good. However...
>>
>> $ ssh-add -l
>> The agent has no identities.
>>
>> No joy. I realise the documented way is to edit the sshcontrol file and
>> put the keygrip into it. But the positive output above is misleading.
John, can you please tell us which version of GnuPG you are using, and
just to be sure, also check that

  gpg-connect-agent 'getinfo version' /bye

prints the expected version number?


Thanks,
Justus


Re: Private key export for SSH

John Lane

>
> John, can you please tell us which version of GnuPG you are using, and
> just to be sure, also check that
>
>   gpg-connect-agent 'getinfo version' /bye
>
> prints the expected version number?
>
>

$ gpg --version
gpg (GnuPG) 2.1.14
libgcrypt 1.7.2

$ gpg-agent --version
gpg-agent (GnuPG) 2.1.14
libgcrypt 1.7.2

$ gpg-connect-agent 'getinfo version' /bye
D 2.1.14
OK

Also, in case it's useful:

$ uname -srvm
Linux 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:30:13 CEST 2016 i686

$ pacman -Qo gpg
/usr/bin/gpg is owned by gnupg 2.1.14-1

$ cat /etc/os-release
NAME="Arch Linux"
ID=arch
PRETTY_NAME="Arch Linux"
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"

HTH
John




Re: Private key export for SSH

Justus Winter
John Lane <[hidden email]> writes:

>>
>> John, can you please tell us which version of GnuPG you are using, and
>> just to be sure, also check that
>>
>>   gpg-connect-agent 'getinfo version' /bye
>>
>> prints the expected version number?
>>
>>
>
> $ gpg --version
> gpg (GnuPG) 2.1.14
> libgcrypt 1.7.2
Thanks.  That bug is fixed in GnuPG 2.1.15.

Justus


Re: Private key export for SSH

John Lane

>
> Thanks.  That bug is fixed in GnuPG 2.1.15.
>
> Justus
>

Thanks Justus. I have just updated my system and now have 2.1.15 and I
can confirm that it works as one would expect.

