Re: MacGPG2 v2.0.17 released!
On Tue, 25 Jan 2011 00:03, benja...@py-soft.co.uk said:

> * Maximum key size increased to 8192 bits; recommended for expert users only

I do not think this is a good idea. There is no point in such a long key size. The simplest reason against this is that the keysize is not the weakest link in the system - at least the bugs in the software prevail all such theoretical improvements.

Another and real practical reason against such a long key is that it will be unusable on my smartphone.

From past experience we know that many users will use such ridiculous long keys. As of now I have only 1 8k RSA key in my keyring compared to 22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at bay until everyone will be using ECC.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: MacGPG2 v2.0.17 released!
On 25-1-2011 9:50, Werner Koch wrote:

> Another and real practical reason against such a long key is that it will be unusable on my smartphone.

What kind of smartphone do you have? Since when does GnuPG exist for phones? I would be really interested in a Symbian version, or I would have to wait for Meego to become adult.

> From past experience we know that many users will use such ridiculous long keys.

Ah, the good old CKT builds. :-)

> As of now I have only 1 8k RSA key in my keyring compared to 22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at bay until everyone will be using ECC.

I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit stronger than 128 bits which makes my secret key not the weakest point but also not longer than that, using 4k or even larger would make the symmetric algo the weaker point), is 3k not an option for RSA?

--
Kind regards,
Johan Wevers
Re: Gpg for iPhone or iPad
I believe that the output you are complaining about may be normal. If you were using the MIME option which is available within Linux, you could generate a different output. I'm not sure that the MIME option is available in the iPhone however which is why I'm looking at the Android as it is a Linux variant. If you've an iPhone look for that option, also go to the Gnupg website and download the manual as there may be other tools available of interest -- if Apple didn't strip out essential tools and libraries which they do from time to time from OS X.

I came across an article discussing the iPhone's vulnerability here: http://www.h-online.com/security/news/item/Vulnerability-in-iPhone-data-encryption-1008185.html

Unfortunately, Apple is just beginning to move into security issues seriously which RIM (Blackberry) were always known for. Linux has several great security systems as a user is aware to implement -- which given how some Apple users are, I'm not sure that they are going to be interested in writing scripts to manipulate iptables or other tools, even if it is to their advantage. Unfortunately there is yet no happy means to be thoroughly secure with Apple although their technology sure is pretty. However, pretty doesn't cut it in the serious business or health/sciences environment where patient and client data must be kept pristine and protected.

All the best... Derick

On 1/24/2011 12:03 AM, hare krishna wrote:

> Hi,
>
> Can you please help me how can i avoid in printing the message at the time of decrypting gpg file.
>
> Here is the message
>
> gpg: Signature made Tue Jan 18 09:27:46 2011 PST using DSA key ID42D17C1B
> gpg: Good signature from
>
> Regards,
> Umesh
>
> On Sun, Jan 23, 2011 at 2:00 PM, Charly Avital shavi...@mac.com wrote:
>
>> Derick Centeno wrote the following on 1/23/11 2:21 PM:
>>
>>> I came across this article which may be of interest to others in this thread. Here's the article: http://anthonyvance.com/blog/forensics/iphone_encryption/
>>
>> Thank you Derick, very interesting. I appreciate it,
>> Charly
Re: Gpg for iPhone or iPad - Addendum
I believe that the output you are complaining about may be normal. If you were using the MIME option which is available within Linux, you could generate a different output. I'm not sure that the MIME option is available in the iPhone however which is why I'm looking at the Android as it is a Linux variant. If you've an iPhone look for that option, also go to the Gnupg website and download the manual as there may be other tools available of interest -- if Apple didn't strip out essential tools and libraries which they do from time to time from OS X.

I came across an article discussing the iPhone's vulnerability here: http://www.h-online.com/security/news/item/Vulnerability-in-iPhone-data-encryption-1008185.html

Unfortunately, Apple is just beginning to move into security issues seriously which RIM (Blackberry) were always known for. Linux has several great security systems as a user is aware to implement -- which given how some Apple users are, I'm not sure that they are going to be interested in writing scripts to manipulate iptables or other tools, even if it is to their advantage. Unfortunately there is yet no happy means to be thoroughly secure with Apple although their technology sure is pretty. However, pretty doesn't cut it in the serious business or health/sciences environment where patient and client data must be kept pristine and protected.

All the best... Derick

Addendum: As I mentioned the Android, Blackberry and Apple together, I believed it was only fair to share a different view and warning regarding security which was posted here: http://blog.ironkey.com/?p=1143

On 1/24/2011 12:03 AM, hare krishna wrote:

> Hi,
>
> Can you please help me how can i avoid in printing the message at the time of decrypting gpg file.
>
> Here is the message
>
> gpg: Signature made Tue Jan 18 09:27:46 2011 PST using DSA key ID42D17C1B
> gpg: Good signature from
>
> Regards,
> Umesh
>
> On Sun, Jan 23, 2011 at 2:00 PM, Charly Avital shavi...@mac.com wrote:
>
>> Derick Centeno wrote the following on 1/23/11 2:21 PM:
>>
>>> I came across this article which may be of interest to others in this thread. Here's the article: http://anthonyvance.com/blog/forensics/iphone_encryption/
>>
>> Thank you Derick, very interesting. I appreciate it,
>> Charly
Re: MacGPG2 v2.0.17 released!
On 25 Jan 2011, at 08:55, Werner Koch w...@gnupg.org wrote:

>> * Maximum key size increased to 8192 bits; recommended for expert users only
>
> I do not think this is a good idea.

I personally agree with you and it was only implemented due to user demand. I'll look at a better way of implementing this request.

Take care,

Ben
Re: MacGPG2 v2.0.17 released!
On Jan 25, 2011, at 5:03 AM, Johan Wevers wrote:

> On 25-1-2011 9:50, Werner Koch wrote:
>
>> Another and real practical reason against such a long key is that it will be unusable on my smartphone.
>
> What kind of smartphone do you have? Since when does GnuPG exist for phones? I would be really interested in a Symbian version, or I would have to wait for Meego to become adult.
>
>> From past experience we know that many users will use such ridiculous long keys.
>
> Ah, the good old CKT builds. :-)
>
>> As of now I have only 1 8k RSA key in my keyring compared to 22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at bay until everyone will be using ECC.
>
> I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit stronger than 128 bits which makes my secret key not the weakest point but also not longer than that, using 4k or even larger would make the symmetric algo the weaker point), is 3k not an option for RSA?

Yes, it is. In fact, 3k is the maximum size for an RSA key on the OpenPGP smartcard.

David
Re: MacGPG2 v2.0.17 released!
On Tue, 25 Jan 2011 11:03, joh...@vulcan.xs4all.nl said:

> What kind of smartphone do you have? Since when does GnuPG exist for phones? I would be really interested in a Symbian version, or I would have to wait for Meego to become adult.

N900 and HTC Touch Pro2, GnuPG 2.1 supports them. See http://userbase.kde.org/Kontact_Touch/

> I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit stronger than 128 bits which makes my secret key not the weakest point but also not longer than that, using 4k or even larger would make the symmetric algo the weaker point), is 3k not an option for RSA?

Sure, it is faster than Elgamal. I merely looked at the RSA keys of my own keyring (fwiw: 4 3k RSA keys).

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
SSH authentication using OpenPGP 2.0 smartcard
Hi,

I've been successfully using OpenPGP smartcard for signing my Debian uploads for a while now. Today I wanted to set it up also for SSH public key authentication. I'm using:

    gnupg-2.0.17
    libassuan-2.0.1
    libgcrypt-1.4.6
    libksba-1.1.0
    pinentry-0.8.1
    pinentry-qt-0.5.0

All installed into /usr/local. Signing files using gpg2 works excellent. But when I try:

    $ /usr/local/bin/gpg-agent -vv --daemon --enable-ssh-support --scdaemon-program /usr/local/bin/scdaemon
    gpg-agent[6534]: listening on socket `/tmp/gpg-sUL53i/S.gpg-agent'
    gpg-agent[6534]: listening on socket `/tmp/gpg-x8sB4W/S.gpg-agent.ssh'
    GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
    SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=6535; export SSH_AGENT_PID;
    gpg-agent[6535]: gpg-agent (GnuPG) 2.0.17 started
    $ GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
    $ SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
    $ SSH_AGENT_PID=6535; export SSH_AGENT_PID;
    $ ssh shell.dug.net.pl
    gpg-agent[6535]: ssh handler 0x96e9348 for fd 7 started
    gpg-agent[6535]: received ssh request of length 1
    gpg-agent[6535]: ssh request handler for request_identities (11) started
    gpg-agent[6535]: no running SCdaemon - starting it
    gpg-agent[6535]: DBG: first connection to SCdaemon established
    gpg-agent[6535]: ssh request handler for request_identities (11) ready
    gpg-agent[6535]: sending ssh response of length 183
    gpg-agent[6535]: received ssh request of length 409
    gpg-agent[6535]: ssh request handler for sign_request (13) started
    gpg-agent[6535]: DBG: detected card with S/N D276000124010205009E
    gpg-agent[6535]: starting a new PIN Entry
    gpg-agent[6535]: smartcard signing failed: Bad PIN
    gpg-agent[6535]: ssh request handler for sign_request (13) ready
    gpg-agent[6535]: sending ssh response of length 1
    Agent admitted failure to sign using the key.
    Password:

I get a pinentry-qt4 prompt (just as for regular signing). But, as you can see, gpg-agent says the PIN's been invalid.

At first I tried GnuPG shipped with Debian (gpg 2.0.14, libgcrypt 1.4.6). No luck, so I compiled newest GnuPG and dependencies (see beginning of this mail), but still doesn't work.

I'm not sure if key's preferences are important, but I changed them from the default values to:

    gpg showpref
    [ unknown] (1). Patryk Cisek pat...@prezu.one.pl
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA512, SHA384, SHA256, SHA224, SHA1
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    [ unknown] (2) Prezu p...@interia.pl
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA512, SHA384, SHA256, SHA224, SHA1
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    [ unknown] (3) Patryk Cisek pat...@debian.org
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA1, SHA256, RIPEMD160
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    [ unknown] (4) Patryk Cisek pat...@dug.net.pl
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA512, SHA384, SHA256, SHA224, SHA1
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    [ revoked] (5) Patryk Cisek patr...@plusnet.pl
         Cipher: 3DES
         Digest: SHA1
         Compression: ZIP, Uncompressed
         Features: Keyserver no-modify
    [ unknown] (6) Patryk Cisek patryk.ci...@gmail.com
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA1, SHA256, RIPEMD160
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    [ unknown] (7) Patryk Cisek 102...@student.pwr.wroc.pl
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA512, SHA384, SHA256, SHA224, SHA1
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
Re: SSH authentication using OpenPGP 2.0 smartcard
On 1/25/11 10:07 AM, Patryk Cisek wrote:

> Hi,
>
> I've been successfully using OpenPGP smartcard for signing my Debian uploads for a while now. Today I wanted to set it up also for SSH public key authentication.

Did you create an authentication key? You might only have signing and encryption keys. You need a third key for authentication. (A quick look at pool.keyservers.net doesn't show an auth subkey.)

I just setup Debian 6.0RC1 last week. I have a key I've already been using to ssh. I had no problems. Just needed to add some stuff to .bashrc as documented in the manpage for gpg-agent.

--
Grant

I am gravely disappointed. Again you have made me unleash my dogs of war.
Re: SSH authentication using OpenPGP 2.0 smartcard
On 1/25/11 12:16 PM, Grant Olson wrote:

> I just setup Debian 6.0RC1 last week. I have a key I've already been using to ssh. I had no problems. Just needed to add some stuff to .bashrc as documented in the manpage for gpg-agent.

Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF ~/.ssh/authorized_keys so I could ssh into the box as well.

--
Grant

I am gravely disappointed. Again you have made me unleash my dogs of war.
Re: MacGPG2 v2.0.17 released!
On 24 Jan 2011, at 23:03, Benjamin Donnachie wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> blah blah/

I downloaded the new package and the detached key, but have not yet done anything with them. The email, when processed by my current macgpg2 installation (2.0.14) complains about

    Bad signature from Benjamin Donnachie benja...@py-soft.co.uk!
    No signature creation date available
    Key fingerprint: 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8

This is what gpg --list-sigs --fingerprint thinks about Ben's public key, after I did a gpg --refresh-keys (Ben's key was unchanged). I've had similar results for Alexander Willner as a...@willner.ws and as GPGTools Project Team (Official OpenPGP Key) gpgtools-...@lists.gpgtools.org, although recent signatures from Charly Avital are good.

    pub 1024D/8FA3F8B8 2002-02-14 [expires: 2011-02-28]
        Key fingerprint = 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8
    uid Benjamin Donnachie benja...@py-soft.co.uk
    sig A57A8EFA 2006-06-08 Charly Avital shavi...@netvision.net.il
    sig 38FA3F8B8 2008-09-07 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2006-02-12 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2006-07-14 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2007-08-18 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2009-10-27 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2010-02-28 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2008-09-16 Benjamin Donnachie benja...@py-soft.co.uk
    uid Benjamin Donnachie benjamin.donnac...@googlemail.com
    sig 38FA3F8B8 2008-09-16 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2009-10-27 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2010-02-28 Benjamin Donnachie benja...@py-soft.co.uk
    sig 38FA3F8B8 2008-09-07 Benjamin Donnachie benja...@py-soft.co.uk
    sub 4096R/74635136 2005-03-28 [expires: 2011-02-28]
    sig 8FA3F8B8 2010-02-28 Benjamin Donnachie benja...@py-soft.co.uk
    sub 4096R/F9B855FC 2005-03-29 [expires: 2011-02-28]
    sig 8FA3F8B8 2010-02-28 Benjamin Donnachie benja...@py-soft.co.uk

Is this a non-fatal warning, or should I be paying attention to the message? If so, how can I fix whatever is going wrong?

Regards, Andy

--
Andrew Long
andrew dot long at mac dot com
Re: [gpgtools-users] MacGPG2 v2.0.17 released!
On Tue, Jan 25, 2011 at 05:58:41PM +, Andrew Long wrote:

> I downloaded the new package and the detached key, but have not yet done anything with them. The email, when processed by my current macgpg2 installation (2.0.14) complains about
>
>     Bad signature from Benjamin Donnachie benja...@py-soft.co.uk!
>     No signature creation date available
>     Key fingerprint: 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8
>
> Is this a non-fatal warning, or should I be paying attention to the message? If so, how can I fix whatever is going wrong?

For what it's worth... using gpg on my linux box with the mutt mail client also complains about bad signatures on Benjamin's emails.

Cheers,

Remco
Re: SSH authentication using OpenPGP 2.0 smartcard
On Tue, 25 Jan 2011 18:39, k...@grant-olson.net said:

> Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF ~/.ssh/authorized_keys so I could ssh into the box as well.

You should use ssh-add -L which gives you the public key. The comment field has the card number.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
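The suggestion in the message above, worked through as an added example (not part of the original thread and not code from GnuPG or OpenSSH): it filters `ssh-add -L` output down to the entries whose comment field is a card number and appends them to an authorized_keys file without creating duplicates. The function names `card_keys` and `install_key` and the sample key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): take the public keys the agent reports,
# keep only those held on a smartcard, and add them to an authorized_keys file.

# Constructed sample of `ssh-add -L` output; the key blobs are placeholders.
sample='ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-DISK user@laptop
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-CARD cardno:0005009E'

# card_keys: read `ssh-add -L` output on stdin and print only the entries
# whose comment field is a card number ("cardno:...").
card_keys() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ && $3 ~ /^cardno:[0-9A-Fa-f]+$/ { print $1, $2, $3 }'
}

# install_key LINE FILE: append LINE to FILE unless its key blob is already
# listed there (in any field, so entries with leading options still match).
# Returns 0 when the key was added, 1 when it was already present,
# 2 when LINE has no key blob or FILE cannot be created.
install_key() {
    key_line=$1
    file=$2
    blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    [ -n "$blob" ] || return 2
    ( umask 077; touch "$file" ) || return 2
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                         END { exit !found }' "$file"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$file" && chmod 600 "$file"
}

# Demonstration on the constructed sample, writing to a temporary file.
# Against a live agent the pipeline would start with `ssh-add -L` and the
# target would be ~/.ssh/authorized_keys on the server.
demo() {
    target=$(mktemp) || return 1
    printf '%s\n' "$sample" | card_keys | while IFS= read -r line; do
        install_key "$line" "$target" || :
    done
    cat "$target"
    rm -f "$target"
}

demo
```

Matching on the key blob rather than the whole line means an entry that already carries authorized_keys options in front of the key type is still recognised as present.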
Future plans for implementation of other algorithms
Just out of curiosity (this might be the wrong mailing list for this so I apologize in advance if that is the case), are there any plans for implementing any other encryption/signing algorithms in GPG and if so what are they?

--
Joseph Ziff
jziff[at]sindegra.com, jziff[at]haverford.edu, jziff[at]member.fsf.org

This email was signed for authenticity with GnuPG version 2.0.17. See http://www.gnupg.org for information on state-of-the-art secure signing and encryption software compatible with the openPGP standard. Reclaim your right to privacy now.
Re: Future plans for implementation of other algorithms
On 01/25/2011 07:59 PM, Joseph Ziff wrote:

> Just out of curiosity (this might be the wrong mailing list for this so I apologize in advance if that is the case), are there any plans for implementing any other encryption/signing algorithms in GPG and if so what are they?

I think it's really the OpenPGP specs that drive the algorithms included in gnupg. There's no point in adding something if other OpenPGP implementations don't understand it.

Right now there's a draft RFC to include Elliptic Curve Cryptography in OpenPGP, but it hasn't been finalized yet. That's probably the next big algo. Just this week on gnupg-devel, Werner announced a git branch containing an implementation of Elliptic Curve Cryptography for 2.1.

Even after that code hits the gnupg mainline and the RFC gets approved, it might be a while before you can reliably assume people can handle ECC, given the number of people and distros that still default to 1.4. (Not that I'm saying there's anything wrong with using 1.4; I just doubt ECC will be back-ported.)
Re: SSH authentication using OpenPGP 2.0 smartcard
On Tue, Jan 25, 2011 at 12:16:02PM -0500, Grant Olson wrote:

> Did you create an authentication key? You might only have signing and encryption keys. You need a third key for authentication. (A quick look at pool.keyservers.net doesn't show an auth subkey.)

Yes, I've got authentication key:

    $ ssh-add -l
    1024 5d:20:6f:a5:ce:1e:a9:7c:04:57:89:5c:39:d9:93:52 cardno:0005009E (RSA)
    $ ssh-add -L
    ssh-rsa B3NzaC1yc2EDAQABgQCiJsvSMy8riHYtEAp2rzXuKojMLYV17lmONjQQFX0iyn7Lvj+vX7fbDZTQFXFVIsoJ+xodg7wnnEZ6yRC6jKWDlxXTz33j58Lsb1IhrAvE6W6J2xlp1Vy9NG2QxLB/ua8Sjsd5pkW9O/iq/WqTCe+aANCwJZaEmJSjxA5qQzsCUQ== cardno:0005009E
    $ /usr/local/bin/gpg2 --card-status
    Application ID ...: D276000124010205009E
    Version ..: 2.0
    Manufacturer .: ZeitControl
    Serial number : 009E
    Name of cardholder: Patryk Cisek
    Language prefs ...: en
    Sex ..: male
    URL of public key : [not set]
    Login data ...: patryk
    Signature PIN : forced
    Key attributes ...: 1024R 1024R 1024R
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 0 3
    Signature counter : 177
    Signature key : FDB4 BB34 728E 9F2B 5FD1 4087 0086 2F45 F39C 318F
          created : 2010-05-09 15:36:43
    Encryption key: 153C C0D0 F94A 4F81 94CC 4B58 811F 4C7E FA9A 8135
          created : 2010-05-03 09:19:49
    Authentication key: B264 C524 FDF1 4F3F AD35 7952 2867 6067 9789 6319
          created : 2010-05-03 09:20:13
    General key info..: pub 1024R/F39C318F 2010-05-09 Patryk Cisek pat...@prezu.one.pl
    sec# 1024D/D86A66BA created: 2004-06-14 expires: never
    ssb 1024R/F39C318F created: 2010-05-09 expires: 2011-05-09
        card-no: 0005 009E
    ssb# 1024g/482F585B created: 2004-06-14 expires: never

Have you got any idea what might have been wrong with it? My card reader is a CCID device, should be no problem with it:

    $ lsusb
    Bus 002 Device 003: ID 076b:3021 OmniKey AG CardMan 3121
    ...
Re: SSH authentication using OpenPGP 2.0 smartcard
On Tue, Jan 25, 2011 at 08:39:28PM +0100, Werner Koch wrote:

>> Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF ~/.ssh/authorized_keys so I could ssh into the box as well.
>
> You should use ssh-add -L which gives you the public key. The comment field has the card number.

Also this is the one I used as a source for ~/.ssh/authorized_keys entry

Are there any restrictions regarding the key itself? My key is 1024-bit. Digest preference for signing (SHA512 as most preferred) shouldn't be an issue either, since I can sign (as I sign this email) without any problem.

If anyone has any ideas what might have been wrong, please comment.