Re: Cannot export SSH public key

2023-12-31 Thread Felix E. Klee via Gnupg-users
Thanks, Ingo!

Looking at my log, I realize that I indeed uploaded the primary key when
I did `keytocard`. I did not do `key 2` to select the authentication sub
key. Instead I was assuming that GnuPG does automatically select the
right sub key. There was a warning about moving the primary key, which I
ignored.

Today I fixed that, and now all works consistently:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3 1736
  created : 2023-06-29 03:50:43
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C C64B
  created : 2023-11-22 15:14:14
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey)
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
card-no: 0006 18698015
$ gpg --export-ssh-key yubikey
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== cardno:18 698 015
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== (none)

The only weird thing is that `ssh-add -L` outputs the key twice.

Logging in via SSH with the authentication sub key now works as
expected, all smooth.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
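
The mix-up described in this message can be caught by checking each card slot against the usage flags in the keyring. The following is an added example, not part of the original post or of GnuPG; the function names are hypothetical and the inputs are the lines quoted in this thread with the mail wrapping undone:

```python
import re

# Constructed inputs: the slot lines of the two `gpg --card-status` outputs
# quoted in this thread (2023-12-27 and 2023-12-31), mail wrapping undone.
CARD_BEFORE = """\
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3 1736
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
"""
CARD_AFTER = """\
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3 1736
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C C64B
"""
# Key lines of `gpg --list-keys --keyid-format LONG` from the thread.
KEYRING = """\
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]
"""
SLOT_USAGE = {"Signature": "S", "Encryption": "E", "Authentication": "A"}

def card_slots(card_status):
    """Map slot name -> fingerprint (hex, no spaces) from --card-status text."""
    pat = re.compile(r"^(Signature|Encryption|Authentication) key[ .]*:[ \t]*([0-9A-F ]+)$", re.M)
    return {m.group(1): m.group(2).replace(" ", "") for m in pat.finditer(card_status)}

def key_usages(list_keys):
    """Map long key ID -> (pub/sub, usage flags) from --list-keys output."""
    pat = re.compile(r"^(pub|sub)\s+\w+/([0-9A-F]{16}) \S+ \[(\w+)\]", re.M)
    return {m.group(2): (m.group(1), m.group(3)) for m in pat.finditer(list_keys)}

def audit(card_status, list_keys):
    """Report card slots whose key lacks the usage flag the slot is meant for."""
    usages = key_usages(list_keys)
    findings = []
    for slot, fpr in card_slots(card_status).items():
        key_id = fpr[-16:]  # long key ID = last 16 hex digits of the fingerprint
        kind, flags = usages.get(key_id, ("unknown", ""))
        if SLOT_USAGE[slot] not in flags:
            findings.append(f"{slot} slot holds {kind} key {key_id} [{flags}]")
    return findings

if __name__ == "__main__":
    print(audit(CARD_BEFORE, KEYRING))
    print(audit(CARD_AFTER, KEYRING))
```
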


Re: Cannot export SSH public key

2023-12-27 Thread Felix E. Klee via Gnupg-users
Thanks for pointing out that the signature key and the authentication
keys are identical:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3 1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

At the same time, the key IDs are different:

$ gpg --list-keys --keyid-format LONG yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]

How does that go together?

I thought the long key ID is the last 16 characters of the fingerprint.
And the fingerprint is a 40 character hash of the public (or private?)
key.

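
How a version 4 OpenPGP fingerprint and the key IDs are derived (RFC 4880, section 12.2), as an added example that is not part of the original post. The RSA numbers are a constructed toy key, and reading the two creation times from the thread as UTC is an assumption:

```python
import hashlib
import struct
from datetime import datetime, timezone

def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_fingerprint(created, n, e):
    """Fingerprint of a version 4 RSA public key, as 40 upper-case hex digits."""
    # Public-key packet body: version 4, creation time, algorithm 1 (RSA),
    # then the public modulus n and public exponent e. No private material.
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    # SHA-1 over the octet 0x99, the 2-byte body length, and the body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_ids(fingerprint):
    """Long and short key IDs: the last 16 and the last 8 hex digits."""
    return fingerprint[-16:], fingerprint[-8:]

# Constructed toy public key (far too small for real use).
N = (2**61 - 1) * (2**89 - 1)
E = 65537

def demo():
    """Same key material, two creation times: two different fingerprints."""
    t1 = int(datetime(2023, 6, 29, 3, 50, 43, tzinfo=timezone.utc).timestamp())
    t2 = int(datetime(2023, 11, 22, 15, 14, 14, tzinfo=timezone.utc).timestamp())
    return v4_fingerprint(t1, N, E), v4_fingerprint(t2, N, E)

if __name__ == "__main__":
    for fpr in demo():
        print(fpr, *key_ids(fpr))
```

The hash covers only the creation time and the public key material, so two slots showing the same fingerprint hold the same key, and the key ID follows from the fingerprint rather than from the slot.
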


Re: Cannot export SSH public key

2023-11-22 Thread Felix E. Klee via Gnupg-users
On Tue, Nov 21, 2023 at 12:38 AM Ingo Klöcker wrote:
> $ gpg --export-ssh-key 1B6ED589

Thanks, this worked! I then added the key on the remote system to:

~/.ssh/authorized_keys

However, I could not log in.  SSH reports:

Permission denied (publickey).

I then tried exporting the key using `ssh-add`:

ssh-add -L >~/.ssh/id_rsa.pub

If I add this key to `authorized_keys`, I can log in, after unlocking my
Yubikey with a PIN. Great! Or not, read on.

Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
tied to my authentication key! I noticed this because I replaced the
authentication key. The key exported by `ssh-add` did not change. I can
still log in using that key. So I assume that key is based on my
signature key `1B6ED589`:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/877CC64B 2023-11-22 [A]

Should I better use the authentication key exported by GPG for SSH? But
how to make that work?
