--- Werner Koch <[EMAIL PROTECTED]> wrote:

> On Mon, 20 Aug 2007 14:10, [EMAIL PROTECTED] said:
>
> > 1. Is it possible to have only one key pair (public & secret pref. DSA) that
> > can be used for both GPG & OpenSSH? (as a sys admin of some interest in
> > cryptography, this is an important question)
>
> Yes. However you want separate keys for separate tasks. Fortunately
> OpenPGP provides just that: There is a primary key for certifying other
> keys (and subkeys) and subkeys for encryption, signing and
> authentication. The authentication key may be used for SSH.

Thanks for the direction there. I now have an 'authentication' subkey created. I've even extracted the SSH compatible public key from the subkey using gpgkey2ssh (which I can propagate to .ssh/authorized_keys of the remote machines).

I'm stuck, unable to understand how to integrate the secret key of the above authentication subkey with gpg-agent (or ssh-agent for that matter, though gpg-agent is my preferred choice now :-)).

Just by observing things, I'd say I've two choices:

1. Extract the SSH compatible secret key from the authentication subkey somehow; then use ssh-add to populate .gnupg/sshcontrol & .gnupg/private-keys-v1.d/<keygrip>.key files. Naturally, I don't know how to extract an SSH compatible key from the subkey to feed it to ssh-add, so I can make no progress here.

2. Or by "other means" populate .gnupg/sshcontrol & .gnupg/private-keys-v1.d/<keygrip>.key files. I've made no progress here either for the lack of skill & knowledge.

I'd appreciate it if a GnuPG expert could guide me with either one of the choices above (or perhaps Smartcard's the only path suitable etc., as gpg-agent man pages imply the smartcard approach is capable of handling .gnupg/sshcontrol & .gnupg/private-keys-v1.d/<keygrip>.key files 'automatically').

I also couldn't work out how to extract the keygrip id of a subkey (using gpg2 --fingerprint <subkeyid> OR gpg2 --edit-key <subkeyid> etc.). I suspect the keygrip of a subkey might be the same as the primary key it's associated with. Yes? (If yes, then the next question is how to populate .gnupg/private-keys-v1.d/<keygrip>.key with the right content :-).)

Thank you.
Srihari

PS: Indeed with gpg-agent I've struck a gold-mine ;-). Would be nice if I can get the SSH integration using GPG subkey going somehow. I've some very useful use for these ideas.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
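
Added example, not part of the original message or of GnuPG itself: a Python check that reads gpg's colon listing to find the keygrip of each authentication-capable (sub)key and reports which of them are not enabled in gpg-agent's `sshcontrol` file. It assumes GnuPG 2.1 or later (where `--with-keygrip` exists); the key IDs, keygrips, sample text and function names are constructed for illustration.

```python
import re

# Constructed keygrips and key IDs (not real keys). Each key and subkey has its
# own keygrip, because it is derived from that key's public parameters.
GRIP_PRIMARY, GRIP_ENC, GRIP_AUTH = "A1" * 20, "B2" * 20, "C3" * 20

# Constructed sample of `gpg2 --with-colons --with-keygrip --list-keys` output.
SAMPLE_LISTING = f"""\
pub:u:2048:17:1111111111111111:1187568000:::u:::scSCA:
grp:::::::::{GRIP_PRIMARY}:
uid:u::::1187568000::::Example User <user@example.org>:
sub:u:2048:16:2222222222222222:1187568000::::::e:
grp:::::::::{GRIP_ENC}:
sub:u:2048:1:3333333333333333:1187568000::::::a:
grp:::::::::{GRIP_AUTH}:
"""

# Constructed sshcontrol content: the authentication keygrip is listed but disabled.
SAMPLE_SSHCONTROL = f"# keygrip [ttl] [flags]\n{'D4' * 20} 0\n!{GRIP_AUTH} 0 confirm\n"

def auth_keygrips(listing):
    """Map key ID -> keygrip for every (sub)key that can authenticate."""
    result, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb"):
            # Field 12 lists capabilities; lowercase 'a' means this key itself
            # can authenticate (uppercase 'A' on pub only summarises subkeys).
            current = f[4] if len(f) > 11 and "a" in f[11] else None
        elif f[0] == "grp" and current and len(f) > 9:
            result[current] = f[9].upper()  # field 10 of a grp record
            current = None
    return result

def sshcontrol_entries(text):
    """Return {keygrip: enabled}; a leading '!' disables an entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.lstrip("!").split()
        if parts and re.fullmatch(r"[0-9A-Fa-f]{40}", parts[0]):
            entries[parts[0].upper()] = not line.startswith("!")
    return entries

def auth_keys_not_enabled(listing, sshcontrol):
    """Keygrips of authentication keys that sshcontrol does not enable."""
    enabled = {g for g, on in sshcontrol_entries(sshcontrol).items() if on}
    return sorted(g for g in auth_keygrips(listing).values() if g not in enabled)
```

On a real system the two inputs would be the output of `gpg2 --with-colons --with-keygrip --list-keys` and the contents of `~/.gnupg/sshcontrol`.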