Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread Peter Lebbing
Hi,

On 16/03/2019 14:22, Dirk Gottschalk wrote:
> In the output from --export-ssh-key is also a comment field. This
> field, in my case shows: openpgp:0xF852DAEE

Yes, but it is only added by the --export-ssh-key command and has a
fixed form. Instead, for my keys, which by the way are not part of an
OpenPGP certificate and therefore can't be used with --export-ssh-key,
they are stored with the private key. The comment got there because they
were originally OpenSSH keys with that comment, and the comment got
retained on import into the agent. I could have put any comment
whatsoever in it and it would have been stored by the agent and shown on
any invocation of ssh-add -{l,L}.

--8<---cut here---start->8---
$ ssh-add -l
[...]
256 SHA256:xb01Ehdlix7o5oLN0YUEkhr70yZDXXCNXcMoNS48PB0 Just a comment (ED25519)
--8<---cut here---end--->8---

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Saturday, 16.03.2019, 11:11 +0100, Peter Lebbing wrote:
> (By the way, as you can see in the ssh-keygen output, my key actually
> has a comment field in the gpg-agent. It was imported from an on-disk
> OpenSSH file, that's where it came from. I don't know a way to have a
> comment field for a key generated with gpg, although I could probably
> hack it in in the private key store. Let's not do that.)

In the output from --export-ssh-key is also a comment field. This
field, in my case shows: openpgp:0xF852DAEE

This should be enough to identify the key. It is the short ID of the
referred authentication subkey.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: 4AAB BDA8 C34D 3037 DA6B  7DF9 BB6A A254 DF10 8952
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread Peter Lebbing
On 16/03/2019 11:11, Wolfgang Traylor wrote:
> $ gpg2 --export-ssh-key 

Actually, if you want a specific subkey, you need to append a ! to the
key ID (probably need to quote it as well for the shell, \! ).
Otherwise, GnuPG will use key selection rules to take the latest
authentication subkey from the certificate selected.

It's a fine and simple method. The advantage of my method is it will
also work with keys that aren't part of an OpenPGP key :-). Plus it's
more fun.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread Peter Lebbing
Hi Brian,

On 15/03/2019 23:28, Brian Exelbierd wrote:
> Hi,
> Either way, I am unsure how to identify which subkey is which SSH key.

Provided the auth keys are in your .gnupg/sshcontrol file, the following
will help:

--8<---cut here---start->8---
$ ssh-add -L | head -1 >firstkey

$ ssh-keygen -l -E md5 -f firstkey
2048 MD5:69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 /home/peter/.ssh/id_rsa (RSA)

$ gpg-connect-agent 
> help keyinfo
# KEYINFO [--[ssh-]list] [--data] [--ssh-fpr] [--with-ssh] 
# 
# Return information about the key specified by the KEYGRIP.  If the
# key is not available GPG_ERR_NOT_FOUND is returned.  If the option
# --list is given the keygrip is ignored and information about all
# available keys are returned.  If --ssh-list is given information
# about all keys listed in the sshcontrol are returned.  With --with-ssh
# information from sshcontrol is always added to the info. Unless --data
# is given, the information is returned as a status line using the format:
# 
#   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# 
# KEYGRIP is the keygrip.
# 
# TYPE is describes the type of the key:
# 'D' - Regular key stored on disk,
# 'T' - Key is stored on a smartcard (token),
# 'X' - Unknown type,
# '-' - Key is missing.
# 
# SERIALNO is an ASCII string with the serial number of the
#  smartcard.  If the serial number is not known a single
#  dash '-' is used instead.
# 
# IDSTR is the IDSTR used to distinguish keys on a smartcard.  If it
#   is not known a dash is used instead.
# 
# CACHED is 1 if the passphrase for the key was found in the key cache.
#If not, a '-' is used instead.
# 
# PROTECTION describes the key protection type:
# 'P' - The key is protected with a passphrase,
# 'C' - The key is not protected,
# '-' - Unknown protection.
# 
# FPR returns the formatted ssh-style fingerprint of the key.  It is only
# printed if the option --ssh-fpr has been used.  It defaults to '-'.
# 
# TTL is the TTL in seconds for that key or '-' if n/a.
# 
# FLAGS is a word consisting of one-letter flags:
#   'D' - The key has been disabled,
#   'S' - The key is listed in sshcontrol (requires --with-ssh),
#   'c' - Use of the key needs to be confirmed,
#   '-' - No flags given.
# 
# More information may be added in the future.
OK
> keyinfo --ssh-list --ssh-fpr
S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - - P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - S
S KEYINFO 64711FCE432F5387CCDD5E466513387B63096989 D - - - P c1:34:c6:23:f7:d5:64:fb:49:7a:d3:53:db:d1:87:64 - S
OK
> 
--8<---cut here---end--->8---

ssh-add was used to export the first key in the agent to a file.
ssh-keygen can produce an MD5 fingerprint for that file for you.

You can match the MD5 fingerprint to the 7th field of KEYINFO. Then the
1st field will give you the keygrip of that SSH key.

If your auth keys are for some reason not in sshcontrol, you could use

--8<---cut here---start->8---
$ gpg-connect-agent 'KEYINFO --list --ssh-fpr' /bye | fgrep 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96
S KEYINFO ECBEA361DD2230F79F086E3CAE198EB94A0CE6CF D - - - P 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 - -
--8<---cut here---end--->8---

because it wouldn't be much fun wading through all your keys if you have
a lot of key material, and that command without the grep will list it all.

(By the way, as you can see in the ssh-keygen output, my key actually
has a comment field in the gpg-agent. It was imported from an on-disk
OpenSSH file, that's where it came from. I don't know a way to have a
comment field for a key generated with gpg, although I could probably
hack it in in the private key store. Let's not do that.)

HTH,

Peter.

PS: I see no reason why you shouldn't have multiple auth subkeys, unlike
John Doe.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


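The matching procedure Peter describes above (take the key blob from `ssh-add -L`, fingerprint it, look the fingerprint up in the seventh KEYINFO field, read the keygrip from the first), as an added worked example that is not code from this thread or from GnuPG. It parses both outputs, computes the MD5 fingerprint that the agent's `--ssh-fpr` field carries and the SHA256 form that `ssh-add -l` shows, and reports which keygrip backs each agent key, or `None` when the key has no KEYINFO line. The two agent lines and the KEYINFO status lines are constructed here from fixed bytes; the 40-hex-digit keygrips in them are placeholders, not keygrips derived from the sample keys.

```python
"""Map `ssh-add -L` entries to gpg-agent keygrips via KEYINFO fingerprints."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_agent_line(line: str):
    """Split one `ssh-add -L` line into (key type, decoded blob, comment).

    Only the first two fields identify the key; the comment is free text and,
    as the thread notes, may differ between sources of the same key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an authorized_keys-style line: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], base64.b64decode(parts[1]), comment


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: colon-separated MD5 hex (what KEYINFO --ssh-fpr prints)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: SHA256:<unpadded base64> (what `ssh-add -l` prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Field order of a KEYINFO status line, as documented by `help keyinfo` in the thread.
KEYINFO_FIELDS = ("keygrip", "type", "serialno", "idstr", "cached",
                  "protection", "fpr", "ttl", "flags")


def parse_keyinfo(line: str):
    """Parse one `S KEYINFO ...` status line into a dict, or return None for other lines."""
    parts = line.split()
    if parts[:2] != ["S", "KEYINFO"] or len(parts) < 2 + len(KEYINFO_FIELDS):
        return None
    return dict(zip(KEYINFO_FIELDS, parts[2:2 + len(KEYINFO_FIELDS)]))


def match_keys(agent_lines, keyinfo_lines):
    """Return {sha256 fingerprint: (comment, keygrip or None)} for each agent key."""
    by_fpr = {}
    for line in keyinfo_lines:
        info = parse_keyinfo(line)
        if info and info["fpr"] != "-":
            by_fpr[info["fpr"].lower()] = info["keygrip"]
    result = {}
    for line in agent_lines:
        _, blob, comment = parse_agent_line(line)
        # Look up the MD5 form first; also accept a SHA256 form in case an agent prints that.
        grip = by_fpr.get(md5_fingerprint(blob)) or by_fpr.get(sha256_fingerprint(blob).lower())
        result[sha256_fingerprint(blob)] = (comment, grip)
    return result


def constructed_agent_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 `ssh-add -L` line from fixed bytes.

    The 32-byte 'public key' is a constructed byte pattern, not a real key.
    """
    pub = bytes((seed + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample inputs: two agent keys, only the first listed in sshcontrol.
AGENT_LINES = [constructed_agent_line(1, "laptop key"),
               constructed_agent_line(2, "key without a KEYINFO line")]
PLACEHOLDER_GRIP = "A" * 40  # placeholder keygrip, not derived from the sample key
KEYINFO_LINES = [
    "S KEYINFO %s D - - - P %s - S" % (
        PLACEHOLDER_GRIP, md5_fingerprint(parse_agent_line(AGENT_LINES[0])[1])),
    "OK",
]


def sample_match():
    """Run the matcher over the constructed sample inputs."""
    return match_keys(AGENT_LINES, KEYINFO_LINES)


if __name__ == "__main__":
    for fpr, (comment, grip) in sample_match().items():
        print(fpr, comment, "->", grip or "no keygrip found")
```

On a real system the inputs come from `ssh-add -L` and `gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye`; a key that the matcher reports without a keygrip is one the agent serves from somewhere other than sshcontrol, which is exactly the case the `--list` variant above is for.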


Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread Wolfgang Traylor
> I am unsure how to identify which subkey is which SSH key.
You can export your GPG subkey for SSH and compare with the `ssh-add -L` output:

$ gpg2 --export-ssh-key 

This gives you the SSH-formatted subkey which will match one of your lines from 
`ssh-add -L`.
Note that the comments (anything after the first whitespace in each line) might 
be different. So compare only up to the first whitespace.

Best regards,
W. Traylor



Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread john doe
On 3/15/2019 11:28 PM, Brian Exelbierd wrote:
> Hi,
>
> I would like to eliminate my SSH keys and consolidate my existing keys into 
> my gpg key.  I can do this by either importing my existing keys (easier) or 
> creating new authentication subkeys.
>
> Either way, I am unsure how to identify which subkey is which SSH key.  I 
> created a test key, below, with two authentication subkeys.  I can't tell 
> which subkey matches each key.  How do you know?  Without this knowledge it 
> is hard to know which key goes with which server and which key is safe to 
> delete later.
>
> Any advice?  Thank you.
>
> regards,
>
> bex
>
> ---
>
> # gpg2 -K --with-keygrip
> /root/.gnupg/pubring.kbx
> 
> sec   rsa2048 2019-03-15 [SC] [expires: 2021-03-14]
>   84B9177ECD98386DACDA102DF80B5DDF8D55076A
>   Keygrip = 13C8D80A6B3A5A7CC4095A254A07AFC9F287CF16
> uid   [ultimate] keyname
> ssb   rsa2048 2019-03-15 [E] [expires: 2021-03-14]
>   Keygrip = 26FD3D7D54BEE12111354B9E968C23EEDC445A4E
> ssb   rsa2048 2019-03-15 [A]
>   Keygrip = A04EA628443B5C1C60411C15E1EC35C21186D405
> ssb   rsa2048 2019-03-15 [A]
>   Keygrip = 45F02D545B6B6ADC32FCB7BC64B943F23B35D3FF
>
> # ssh-add -l
> 2048 SHA256:T/SZUtqVEzoo4c4rmh5e4jrnCd5ewGNj1Nrsg3VYbCE (none) (RSA)
> 2048 SHA256:+Qbn7T5rQms4+bBfzc7D68H2TynS/8gyT0pjrMOaiQA (none) (RSA)
>
> # ssh-add -L
> ssh-rsa 
> B3NzaC1yc2EDAQABAAABAQC8vnk7hPdP9tWdw8DUV8rOYDTAlhbvSWPuEUwr0FdaveJoJtgYhceKVoyFnOYZnZ8QP0nAytHGeSAHkL/9Vw0Whyouu94awwoEERdkIzvl/KVRU3n0dBabbjbqlY6Dz+4zjIUo/KbyZ9PZHohCVQs/DzFUqnLsPoHzVVDBPvMHFkf0t2qSe0Pv2I7vLmI1UVBFMspjy80kmoijheFAmXebCGC3uzr23BKqzqfj2/HYv/DJAQufGiHsH+/I855U8Dckd4TQmHS4aRsIY0px1HA4of9nIiWWifvqxwshax2VSdJucJi1RB6YbSxbTIbjnl0YJbbIajV8xJjyloaOofph
>  (none)
> ssh-rsa 
> B3NzaC1yc2EDAQABAAABAQCnrIe/fe6i6AMA+evGzz3Gc56rSH5D3cJ9R/cMta2jHjtNlZZD/uJNdbuALsI4elB5m0Yxsbiz0j3UG2L/2nHfjD73oPQkwFIacvtkZT/hpp/BWPFDWQnGaWeWdFfsxlzu6gOMsfYJQDxNIPRjLbYkcIOL3Xw5EIFlS2xEr+/ZGsD2uNnReXj5XZnXh6FrxcX7vhnKpHHsVzDZG+xRs+xhErhiini8J1REZaQzZnVftD/WZGbAU8f3LSDfSCFQVxRTibXW5JMd6JfFe1zZXST+JfAEqg5LhucpzsQAbYWtNiqZ5McerI1HYPjYNUqoYhGzXsWvEuvPp3qugVjH3ZI5
>  (none)
>

My understanding is that one subkey is to be used for authentication.

--
John Doe
