By default, GnuPG --gen-key creates a primary key for signature and its subkey for decryption. It is also possible to add another subkey for authentication.
It is not widely used, but, the authentication subkey can be used for SSH, and this is really convenient.
Obvious benefit is to enable consolidation of important secrets into GnuPG. We won't need to keep SSH private keys under ~/.ssh/ anymore, and it would be possible to just care about GnuPG for secrets for public key cryptography. Well, it will be still needed to care about handling of shared secrets, such as WiFi SSIDs, but this one itself would be great improvement.
Here, I explain another benefit. That is, we can take advantage of GnuPG's WoT.
Case: Enable access to your server for a friend
Suppose you have a server, and you want to enable its SSH access to your friend.
Standard practice would be asking his SSH key by email, possibly singed by his GPG (primary) key to check if the key really belongs to him.
When he uses GnuPG for his SSH key, you don't need to ask him, provided you already have his key in your GnuPG keyring as valid.
Let's see my example. I have a server, and I am about to setup an account for my friend, email@example.com.
At first, I do check his key in my keyring:
$ gpg --edit-key firstname.lastname@example.org pub 4096R/9C0C1404 created: 2009-09-11 expires: never usage: SC trust: XXXXXX validity: full sub 2048R/861243E1 created: 2012-08-23 expires: never usage: A sub 4096R/07098680 created: 2009-09-11 expires: never usage: E [ full ] (1). NOKUBI Takatsugu <email@example.com> [ full ] (2) NOKUBI Takatsugu <firstname.lastname@example.org> [ full ] (3) NOKUBI Takatsugu <email@example.com> [ full ] (4) NOKUBI Takatsugu <firstname.lastname@example.org> gpg> quit $
I have his key in my keyring, and it is "full"y valid, and I confirm that his subkey 2048R/861243E1 is for authentication, by usage: A ("A" means authentication).
Now, I transform his GnuPG's subkey (public key) into OpenSSH format:
$ gpgkey2ssh 861243E1 | sed -e s/COMMENTemail@example.com/ > knok_key
And then I (as an administrator) do this:
# cat knok_key >> ~knok/.ssh/authorized_keys # chown knok.knok ~knok/.ssh/authorized_keys # chmod og-rw ~knok/.ssh/authorized_keys
Please see another article for how to for SSH and GnuPG.