SSH Authentication with PGP Keys.

PGP keys and SSH keys can share the same RSA algorithm and for this reason, with some little tuning it is possible to use a PGP SubKey to authenticate users into SSH Servers.

This can be obtained in (at least) two methods: using GPG-Agent (easier) and using ssh-agent (more difficult). The choice depends on personal preferences.

The easiest way: As of GnuPG 2.1 the gpg-agent is used to store all the keys. For this reason it is only necessary to start gpg-agent with the –enable-ssh-support option and add the keygrip of the authentication key to the ~/.gnupg/sshcontrol file. That’s all.

If the ssh-agent method is preferred, the way is harder, but not impossible.
gpg2 and openpgp2ssh script (part of MonkeySphere suite) are needed, so let’s install it if not already done.

First of all let’s add an additional SubKey with Authentication capabilities to the PGP “Master Secure Key”.
We will use ‘expert’ editing mode in gpg since this is the only way to generate this specific kind of SubKeys.

$ gpg2 --expert --edit-key 8ED2364E

Execute the command ‘addkey’ and then select option 8 (RSA set your own capabilities), toggle Sign and Encrypt capability OFF and Authenticate capability ON, then select a long keysize (4096 bits is suggested) and specify how long the key should be valid according to personal policies.

Check the result with ‘list’ command, in the output the new SubKey should have ‘usage: A’ assigned.

pub  8192R/8ED2364E  created: 2014-09-11  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/A294D274  created: 2014-09-11  expires: never       usage: A   
[...]

If everything is correct, save and exit with ‘save’ GPG command.

Now it is time to export the key without a passphrase (this is because the openpgp2ssh script seems to be not able to handle encrypted keys)

$ gpg2 --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
--export-secret-subkeys --no-armor \
A294D274! > A294D274.key

At this time, let’s convert the GPG-Exported key to the correct (Minimal RSA) format, interpreted by the ssh-agent.

$ openpgp2ssh A294D274 < A294D274.key > A294D274

Remove carefully and securely Private SubKeys from the temporary place where Key Dumps have been performed!
It is mandatory to remove any temporary files in the safest way from the media where all operation are made, for this reason it is suggested to use shred to overwrite the file multiple times using patterns chosen to maximize destruction of the residual data, after saving all the necessary to removable devices.

$ shred -vfzu -n 10 A294D274.key

Set Read-Write permission to File Owner only to the private key, add a PassPhrase back and and rename it.

$ chmod 600 A294D274
$ ssh-keygen -f A294D274 -p
$ mv 43F35C05 A294D274_id_rsa

The Private RSA Key that will be added to the ssh-agent is now ready!


And now the simple part: generate the Public Key that will be distributed into servers and placed in ~/.ssh/authorized_keys file.

$ gpgkey2ssh A294D274 > A294D274_id_rsa.pub

Manually edit A294D274_id_rsa.pub to remove the generic ‘COMMENT’ and add personal identity (eMail Address) and Key ID is strongly recommended.

By distributing A294D274_id_rsa.pub in remote SSH Servers and adding A294D274_id_rsa to the local SSH Agent we will be able now to Log-In using our PGP Key in RSA Key Authentication.


Comments are closed.