NAME
openpgp2ssh - translate OpenPGP keys to SSH keys
SYNOPSIS
openpgp2ssh < mykey.gpg
gpg --export $KEYID | openpgp2ssh $KEYID
gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
DESCRIPTION
openpgp2ssh takes an OpenPGP-formatted primary key and associated subkeys
on standard input, and spits out the requested equivalent SSH-style key
on standard output.
If the data on standard input contains no subkeys, you can invoke
openpgp2ssh without arguments. If the data on standard input contains
multiple keys (e.g. a primary key and associated subkeys), you must
specify a specific OpenPGP key identifier as the first argument to
indicate which key to export. The key ID is normally the 40 hex digit
OpenPGP fingerprint of the key or subkey desired, but openpgp2ssh will
accept as few as the last 8 digits of the fingerprint as a key ID.
If the input contains an OpenPGP RSA public key, it will be converted to
the OpenSSH-style single-line keystring, prefixed with the key type
(‘ssh-rsa’). This format is suitable (with minor alterations) for
insertion into known_hosts files and authorized_keys files.
If the input contains an OpenPGP RSA secret key, it will be converted to
the equivalent PEM-encoded private key.
openpgp2ssh is part of the monkeysphere(7) framework for providing a PKI
for SSH.
CAVEATS
The keys produced by this process are stripped of all identifying
information, including certifications, self-signatures, etc. This is
intentional, since ssh attaches no inherent significance to these
features.
openpgp2ssh will produce output for any requested RSA key. This means,
among other things, that it will happily export revoked keys,
unverifiable keys, expired keys, etc. Make sure you do your own key
validation before using this tool!
EXAMPLES
gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c
/dev/stdin
This pushes the secret key into the active ssh-agent(1). Tools such as
ssh(1) which know how to talk to the ssh-agent(1) can now rely on the
key.
AUTHOR
openpgp2ssh and this man page were written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net>.
BUGS
openpgp2ssh only works with RSA keys. DSA keys are the only other key
type available in both OpenPGP and SSH, but they are currently
unsupported by this utility.
openpgp2ssh only accepts raw OpenPGP packets on standard input. It does
not accept ASCII-armored input. openpgp2ssh Currently only exports into
formats used by the OpenSSH. It should support other key output formats,
such as those used by lsh(1) and putty(1).
Secret key output is currently not passphrase-protected.
openpgp2ssh currently cannot handle passphrase-protected secret keys on
input.
SEE ALSO
pem2openpgp(1), monkeysphere(1), monkeysphere(7), ssh(1),
monkeysphere-authentication(8), monkeysphere-host(8)