Using GPG's authentication key for SSH access

By default, GnuPG --gen-key creates a primary key for signature and its subkey for decryption. It is also possible to add another subkey for authentication.

It is not widely used, but, the authentication subkey can be used for SSH, and this is really convenient.

Obvious benefit is to enable consolidation of important secrets into GnuPG. We won't need to keep SSH private keys under ~/.ssh/ anymore, and it would be possible to just care about GnuPG for secrets for public key cryptography. Well, it will be still needed to care about handling of shared secrets, such as WiFi SSIDs, but this one itself would be great improvement.

Here, I explain another benefit. That is, we can take advantage of GnuPG's WoT.

Case: Enable access to your server for a friend

Suppose you have a server, and you want to enable its SSH access to your friend.

Standard practice would be asking his SSH key by email, possibly singed by his GPG (primary) key to check if the key really belongs to him.

When he uses GnuPG for his SSH key, you don't need to ask him, provided you already have his key in your GnuPG keyring as valid.

Sounds great?

Concrete Example

Let's see my example. I have a server, and I am about to setup an account for my friend,

At first, I do check his key in my keyring:

$ gpg --edit-key
pub  4096R/9C0C1404  created: 2009-09-11  expires: never       usage: SC
                     trust: XXXXXX        validity: full
sub  2048R/861243E1  created: 2012-08-23  expires: never       usage: A
sub  4096R/07098680  created: 2009-09-11  expires: never       usage: E
[  full  ] (1). NOKUBI Takatsugu <>
[  full  ] (2)  NOKUBI Takatsugu <>
[  full  ] (3)  NOKUBI Takatsugu <>
[  full  ] (4)  NOKUBI Takatsugu <>
gpg> quit

I have his key in my keyring, and it is "full"y valid, and I confirm that his subkey 2048R/861243E1 is for authentication, by usage: A ("A" means authentication).

Now, I transform his GnuPG's subkey (public key) into OpenSSH format:

$ gpgkey2ssh 861243E1 | sed -e s/COMMENT/ > knok_key

And then I (as an administrator) do this:

# cat knok_key >> ~knok/.ssh/authorized_keys
# chown knok.knok ~knok/.ssh/authorized_keys
# chmod og-rw ~knok/.ssh/authorized_keys

That's it.


Please see another article for how to for SSH and GnuPG.