summaryrefslogtreecommitdiff
path: root/man/man1
diff options
context:
space:
mode:
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2008-06-12 17:25:55 -0400
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>2008-06-12 17:25:55 -0400
commit6f2d6f78cd11231d6f7ffd6361812b1bd49a4c34 (patch)
treef8fe87d2f17bc56ca464355cc9b11899b384a95a /man/man1
parent00719770b7608af0c37dfd6c14a04eb7ebc4cad0 (diff)
Major openpgp2ssh overhaul. It's an unforgiving and brittle tool, but
it should do what we expect it to do, and its major limitations should be documented in the man page.
Diffstat (limited to 'man/man1')
-rw-r--r--man/man1/openpgp2ssh.147
1 files changed, 31 insertions, 16 deletions
diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1
index 6267141..1a02b38 100644
--- a/man/man1/openpgp2ssh.1
+++ b/man/man1/openpgp2ssh.1
@@ -12,16 +12,16 @@ openpgp2ssh
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
.Sh DESCRIPTION
-openpgp2ssh takes OpenPGP-formatted RSA and DSA keys on standard
-input, and spits out the requested equivalent SSH-style key on
-standard output.
+openpgp2ssh takes an OpenPGP-formatted primary key and associated
+subkeys on standard input, and spits out the requested equivalent
+SSH-style key on standard output.
-If the data on standard input contains only a single key, you can
-invoke openpgp2ssh without arguments. If the data on standard input
-contains multiple keys (e.g. a primary key and associated subkeys),
-you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
+If the data on standard input contains no subkeys, you can invoke
+openpgp2ssh without arguments. If the data on standard input contains
+multiple keys (e.g. a primary key and associated subkeys), you must
+specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
fingerprint as the first argument to indicate which key to export.
-The keyid must be at least 8 hex characters.
+The keyid must be exactly 16 hex characters.
If the input contains an OpenPGP RSA or DSA public key, it will be
converted to the OpenSSH-style single-line keystring, prefixed with
@@ -31,20 +31,29 @@ insertion into known_hosts files and authorized_keys files.
If the input contains an OpenPGP RSA or DSA secret key, it will be
converted to the equivalent PEM-encoded private key.
-Note that the keys produced by this process are stripped of all
-identifying information, including certifications, self-signatures,
-etc.
-
openpgp2ssh is part of the
.Xr monkeysphere 1
framework for providing a PKI for SSH.
+.Sh CAVEATS
+The keys produced by this process are stripped of all identifying
+information, including certifications, self-signatures, etc. This is
+intentional, since ssh attaches no inherent significance to these
+features.
+
+openpgp2ssh only works with RSA or DSA keys, because those are the
+only ones which work with ssh.
+
+Assuming a valid key type, though, openpgp2ssh will produce output for
+any requested key. This means, among other things, that it will
+happily export revoked keys, unverifiable keys, expired keys, etc.
+Make sure you do your own key validation before using this tool!
.Sh EXAMPLES
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
This pushes the secret key into the active
.Xr ssh-agent 1 .
-Tools (such as
-.Xr ssh 1 )
+Tools such as
+.Xr ssh 1
which know how to talk to the
.Xr ssh-agent 1
can now rely on the key.
@@ -58,8 +67,14 @@ lsh(1) and putty(1).
Secret key output is currently not passphrase-protected.
-This program is not yet implemented, and this man page currently only
-describes expected functionality.
+openpgp2ssh currently cannot handle passphrase-protected secret keys on input.
+
+It would be nice to be able to use keyids shorter or longer than 16
+hex characters.
+
+openpgp2ssh only acts on keys associated with the first primary key
+passed in. If you send it more than one primary key, it will silently
+ignore later ones.
.Sh SEE ALSO
.Xr monkeysphere 1 ,
.Xr ssh 1 ,