On 12/21/2015 09:28 AM, perillamint wrote:
> I'm having trouble setting up ssh auth using Ed25519 key.
When you configure your gpg-agent properly (for your key), you can use
the SSH tool ssh-add with the option -L to show your public key in SSH
format.
Thank you for using the new feature. I know that gpgkey2ssh is still
useful in some cases, but I think that you don't need it because we
can use 'ssh-add -L'.
Here is an example session to configure GnuPG for Ed25519 key. In
this example, I'm adding an authentication subkey for me. Here we go.
I invoke gpg 2.1.x with the --edit-key option, specifying my name.
The --expert option is required for an Ed25519 key, since it's
not yet in the OpenPGP standard.
$ gpg2 --expert --edit-key gniibe
gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 0001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 0001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 0001
[ultimate] (1). NIIBE Yutaka
[ultimate] (2) NIIBE Yutaka
These are my keys (on smartcard, in this case). I'm adding an Ed25519
subkey with the "addkey" subcommand.
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
I select "(11) ECC (set your own capabilities)" for the authentication
key. Then, I set the capability to "Authenticate"...
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Removed the "Sign" capability by typing "s" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Added the "Authenticate" capability by typing "a" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Done (by typing "q" and RETURN). Then, selection of the curve...
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
I selected "(1) Curve 25519" by typing "1" and RETURN. The name may
be confusing, but this is the curve for Ed25519.
gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
Use this curve anyway? (y/N) y
Yup, we know. Confirmed by typing "y" and RETURN.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
Answered "y" a few more times. Then, I was asked for the passphrase (two
times, not shown). I entered it via pinentry.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 0001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 0001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 0001
ssb ed25519/9E350F4D
created: 2015-12-21 expires: never usage: A
[ultimate] (1). NIIBE Yutaka
[ultimate] (2) NIIBE Yutaka
OK, I have the ed25519/9E350F4D subkey. Good.
gpg> save
Saved. We need the keygrip of this subkey to
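The following is an added example and is not part of gniibe's post or of GnuPG itself. It parses the key listing format shown in the --edit-key session above (a constructed copy of that listing is embedded in the script) and reports which subkeys carry the Authenticate ("A") capability, then picks out the ed25519 one. A listing with no such subkey yields empty output, so a setup script can stop before pointing gpg-agent's SSH support at a key that does not exist. The function names auth_subkeys and ed25519_auth_subkey are my own.

```shell
#!/bin/sh
# Added example (not from the original post): find subkeys with the
# Authenticate capability in a `gpg --edit-key` style listing and
# single out the ed25519 one. Useful as a sanity check after "addkey"
# and before serving the key over the SSH agent protocol.

# Constructed sample listing, shaped like the output shown in the post.
SAMPLE_LISTING='sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 0001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 0001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 0001
ssb ed25519/9E350F4D
created: 2015-12-21 expires: never usage: A
[ultimate] (1). NIIBE Yutaka'

# auth_subkeys LISTING: print "algo/keyid" (one per line) for every ssb
# whose following "created:" line lists the A (authenticate) capability.
# The "card-no:" and "trust:" lines are ignored; the primary "sec" key
# is skipped because only ssb lines set the key variable.
auth_subkeys() {
  printf '%s\n' "$1" | awk '
    /^ssb / { key = $2; next }
    /^created:/ && key != "" {
      usage = ""
      for (i = 1; i < NF; i++) if ($i == "usage:") usage = $(i + 1)
      if (index(usage, "A") > 0) print key
      key = ""
    }'
}

# ed25519_auth_subkey LISTING: print the key id of the first ed25519
# authentication subkey, or nothing if the listing has none.
ed25519_auth_subkey() {
  auth_subkeys "$1" | awk -F/ '$1 == "ed25519" { print $2; exit }'
}

# Stand-alone run: both A-capable subkeys are listed, then the ed25519
# one is chosen; the rsa2048 authentication subkey on the card is not.
echo "subkeys with Authenticate capability:"
auth_subkeys "$SAMPLE_LISTING"
if [ -n "$(ed25519_auth_subkey "$SAMPLE_LISTING")" ]; then
  echo "ed25519 authentication subkey: $(ed25519_auth_subkey "$SAMPLE_LISTING")"
else
  echo "no ed25519 authentication subkey in listing" >&2
fi
```

The parser keys on the "usage:" field rather than on the key id, so it also distinguishes the older RSA authentication subkey (usage A) from the new ed25519 one when both are present, as in the session above. To check a real key, replace SAMPLE_LISTING with the listing text captured from your own --edit-key session.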