Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2020-06-25 Thread Daniel Haid

> I've successfully set it up, now whenever I restart gpg-agent (e.g. on
> reboot), it will ask for the passphrase twice, once for the GPG keys,
> once for the SSH keys, even though they are the same passphrases.

I need a solution for this same problem.

> You may now wonder why this does not happen when you decrypt a mail,
> reply to it and sign the reply. [...] gpg-agent knows about it and
> tries the last passphrase used for any of the subkeys of a key.

However, even if the primary key has capabilities [SCA] and one
subkey has capability [E], if I use the subkey for encryption
first and then try to use the primary key for SSH I am asked
for the passphrase again. Is this expected?

> No, there is no way to configure an extra hack to also test a
> passphrase for an ssh key.

Do you not think this could be useful? GnuPG uses the same passphrase
for the primary key and all subkeys by default, so this should be
a common setup?

> I thought of one way, but it really is a hack and it's predicated on the
> standard key access being invoked first.  If SSH always comes first
> then it won't work.

Could you tell me what your hack is?

My current solution is to use one primary key with [SCA] capabilities
and one [E] subkey. In my scripts, instead of
   gpg --decrypt [...] && ssh [...]
I now use
   gpg -s /dev/null && gpg --decrypt [...] && ssh [...]
which asks for my passphrase once for signing and then uses it
for decrypting and for ssh.

Do you know any clean way to do this?

Note that I only need this for scripts that do multiple things
simultaneously, so I *can* run arbitrary commands first.

It would be perfectly fine for me to send something like
   "ask for only one passphrase and try to unlock KEYGRIP1
   and KEYGRIP2 with it"
to the agent. (Or, even better
   "if the passphrase for KEYGRIP1 or KEYGRIP2 is cached,
   try to unlock the other one with that. Otherwise ask for
   one passphrase and unlock both".)
Is such a thing possible?

Regards,
DH

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
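As an added example (not code from the thread or from GnuPG itself), here is a shell wrapper around the "gpg -s /dev/null" workaround above: it asks gpg-agent through gpg-connect-agent's KEYINFO command whether a passphrase for either keygrip is already cached and only runs the extra signing step when nothing is cached yet. The keygrips and the sample listing are constructed placeholders; gpg-connect-agent and its KEYINFO status line are real, while unlock_once_then_run and the helper functions are hypothetical.

```shell
# Added example, not from the thread: skip the "sign /dev/null" trick when
# gpg-agent already has a cached passphrase for one of the two keygrips.
# "KEYINFO --list" prints one status line per key known to the agent:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# where <cached> is "1" if a passphrase for that keygrip is cached, "-" otherwise.
# Keygrips below are constructed; list your own with: gpg --with-keygrip -K

# Read a KEYINFO listing on stdin; return 0 if the passphrase for $1 is cached.
keygrip_cached() {
    awk -v grip="$1" '
        $1 == "S" && $2 == "KEYINFO" && $3 == grip { found = 1; if ($7 == "1") cached = 1 }
        END { if (found && cached) exit 0; exit 1 }'
}

# Return 0 if any keygrip given after the listing ($1) has a cached passphrase.
any_cached() {
    listing=$1; shift
    for grip in "$@"; do
        printf '%s\n' "$listing" | keygrip_cached "$grip" && return 0
    done
    return 1
}

# Unlock once, then run the rest of the pipeline. Assumption (as in the
# thread): the primary [SCA] key and the [E] subkey share one passphrase.
unlock_once_then_run() {
    primary=$1; enc=$2; shift 2
    listing=$(gpg-connect-agent 'KEYINFO --list' /bye 2>/dev/null) || listing=""
    if ! any_cached "$listing" "$primary" "$enc"; then
        # One pinentry prompt; gpg-agent then retries that passphrase for the subkey.
        gpg --sign --output /dev/null /dev/null || return 1
    fi
    "$@"
}

# Constructed listing standing in for real gpg-connect-agent output.
SAMPLE_LISTING='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

if any_cached "$SAMPLE_LISTING" 2222222222222222222222222222222222222222 \
        1111111111111111111111111111111111111111; then
    echo "sample listing: a passphrase is cached, the signing step can be skipped"
fi
# Real use: unlock_once_then_run "$PRIMARY_GRIP" "$ENC_GRIP" sh -c 'gpg --decrypt f.gpg && ssh host'
```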


Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-03-01 Thread Werner Koch
On Wed, 28 Feb 2018 15:02, w...@gnupg.org said:

> Oh no, I don't want to promote create solutions of our complex API ;-)

s/create/creative/



-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-03-01 Thread Ben McGinnes
On Wed, Feb 28, 2018 at 03:02:58PM +0100, Werner Koch wrote:
> On Wed, 21 Feb 2018 07:27, b...@adversary.org said:
> 
> >> No, there is no way to configure an extra hack to also test a passphrase
> >> for an ssh key.
> >
> > Wanna bet?
> 
> Oh no, I don't want to promote create solutions of our complex API ;-)

Heheh.

I have a friend who frequently used to say that if a question began
with "Would it be wrong to ..." then the answer was always "No."

I think it was about the point where I asked, "Would it be wrong to
release freshwater crocodiles just a little upstream of [local picnic
area where children feed ducks and geese] just in time for the summer
holidays?" that he gave up.


Regards,
Ben




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-28 Thread Werner Koch
On Wed, 21 Feb 2018 07:27, b...@adversary.org said:

>> No, there is no way to configure an extra hack to also test a passphrase
>> for an ssh key.
>
> Wanna bet?

Oh no, I don't want to promote create solutions of our complex API ;-)


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-20 Thread Ben McGinnes
On Tue, Feb 13, 2018 at 04:55:19PM +0100, Werner Koch wrote:
> On Tue, 13 Feb 2018 15:03, ambre...@gmail.com said:
> 
> > Thanks for the detailed answer.  But why not do it for SSH then?
> 
> I like to see when an ssh key is used the first time.  Note that the
> maximum caching time for ssh keys can be configured independent from the
> caching time of other keys.

Probably wise.

> > Just because it's less common?  Would there be any way to configure this?
> 
> No, there is no way to configure an extra hack to also test a passphrase
> for an ssh key.

Wanna bet?

I thought of one way, but it really is a hack and it's predicated on the
standard key access being invoked first.  If SSH always comes first
then it won't work.


Regards,
Ben




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-13 Thread Werner Koch
On Tue, 13 Feb 2018 15:03, ambre...@gmail.com said:

> Thanks for the detailed answer.  But why not do it for SSH then?

I like to see when an ssh key is used the first time.  Note that the
maximum caching time for ssh keys can be configured independent from the
caching time of other keys.

> Just because it's less common?  Would there be any way to configure this?

No, there is no way to configure an extra hack to also test a passphrase
for an ssh key.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-13 Thread Pierre Neidhardt

Werner Koch writes:

> You may now wonder why this does not happen when you decrypt a mail,
> reply to it and sign the reply.  Two subkeys (or the primary and the
> encryption subkey) are involved in this workflow.  Because this is so
> common, gpg-agent knows about it and tries the last passphrase used for
> any of the subkeys of a key.  It does not do this for an
> authentication subkey, though.  Thus you have to enter it again for ssh.

Thanks for the detailed answer.  But why not do it for SSH then?
Just because it's less common?  Would there be any way to configure this?

-- 
Pierre Neidhardt

War spares not the brave, but the cowardly.
-- Anacreon




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-13 Thread Werner Koch
On Fri,  9 Feb 2018 14:25, ambre...@gmail.com said:

> this time the SSH key is obviously encrypted with the same passphrase as
> my GPG key, since it's part of it.  Any clue why gpg-agent keeps asking?

gpg (or, correctly, gpg-agent) can't know which passphrase is used for each
key or subkey.  Passphrases are cached on a per-subkey basis and thus you
will see a passphrase query for each new subkey.

You may now wonder why this does not happen when you decrypt a mail,
reply to it and sign the reply.  Two subkeys (or the primary and the
encryption subkey) are involved in this workflow.  Because this is so
common, gpg-agent knows about it and tries the last passphrase used for
any of the subkeys of a key.  It does not do this for an
authentication subkey, though.  Thus you have to enter it again for ssh.

Note that we can't do trial decryption using several remembered
passphrases because that would take noticeably long for the user.  For
security reasons each passphrase decryption takes about 100ms.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-09 Thread Pierre Neidhardt

I use gpg-agent as my SSH agent.

I've successfully set it up, now whenever I restart gpg-agent (e.g. on
reboot), it will ask for the passphrase twice, once for the GPG keys,
once for the SSH keys, even though they are the same passphrases.

First setup: I called ssh-add to add existing SSH keys to GPG.
gpg-agent asked for a passphrase to encrypt the keys, so I presume the
passphrase must be different from the one I use for my GPG keys.  Isn't
it possible to tell GPG to "store the keys together" or to encrypt with
my GPG key?

Second setup: I created an authentication subkey which I use as an SSH
key. It works, but again, gpg-agent asks for my passphrase twice, while
this time the SSH key is obviously encrypted with the same passphrase as
my GPG key, since it's part of it.  Any clue why gpg-agent keeps asking?

-- 
Pierre Neidhardt

The universe is made of stories, not of atoms.
-- Muriel Rukeyser

