summaryrefslogtreecommitdiff
path: root/man/man1/openpgp2ssh.1
diff options
context:
space:
mode:
Diffstat (limited to 'man/man1/openpgp2ssh.1')
-rw-r--r--man/man1/openpgp2ssh.147
1 files changed, 31 insertions, 16 deletions
diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1
index 6267141..1a02b38 100644
--- a/man/man1/openpgp2ssh.1
+++ b/man/man1/openpgp2ssh.1
@@ -12,16 +12,16 @@ openpgp2ssh
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
.Sh DESCRIPTION
-openpgp2ssh takes OpenPGP-formatted RSA and DSA keys on standard
-input, and spits out the requested equivalent SSH-style key on
-standard output.
+openpgp2ssh takes an OpenPGP-formatted primary key and associated
+subkeys on standard input, and spits out the requested equivalent
+SSH-style key on standard output.
-If the data on standard input contains only a single key, you can
-invoke openpgp2ssh without arguments. If the data on standard input
-contains multiple keys (e.g. a primary key and associated subkeys),
-you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
+If the data on standard input contains no subkeys, you can invoke
+openpgp2ssh without arguments. If the data on standard input contains
+multiple keys (e.g. a primary key and associated subkeys), you must
+specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
fingerprint as the first argument to indicate which key to export.
-The keyid must be at least 8 hex characters.
+The keyid must be exactly 16 hex characters.
If the input contains an OpenPGP RSA or DSA public key, it will be
converted to the OpenSSH-style single-line keystring, prefixed with
@@ -31,20 +31,29 @@ insertion into known_hosts files and authorized_keys files.
If the input contains an OpenPGP RSA or DSA secret key, it will be
converted to the equivalent PEM-encoded private key.
-Note that the keys produced by this process are stripped of all
-identifying information, including certifications, self-signatures,
-etc.
-
openpgp2ssh is part of the
.Xr monkeysphere 1
framework for providing a PKI for SSH.
+.Sh CAVEATS
+The keys produced by this process are stripped of all identifying
+information, including certifications, self-signatures, etc. This is
+intentional, since ssh attaches no inherent significance to these
+features.
+
+openpgp2ssh only works with RSA or DSA keys, because those are the
+only ones which work with ssh.
+
+Assuming a valid key type, though, openpgp2ssh will produce output for
+any requested key. This means, among other things, that it will
+happily export revoked keys, unverifiable keys, expired keys, etc.
+Make sure you do your own key validation before using this tool!
.Sh EXAMPLES
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
This pushes the secret key into the active
.Xr ssh-agent 1 .
-Tools (such as
-.Xr ssh 1 )
+Tools such as
+.Xr ssh 1
which know how to talk to the
.Xr ssh-agent 1
can now rely on the key.
@@ -58,8 +67,14 @@ lsh(1) and putty(1).
Secret key output is currently not passphrase-protected.
-This program is not yet implemented, and this man page currently only
-describes expected functionality.
+openpgp2ssh currently cannot handle passphrase-protected secret keys on input.
+
+It would be nice to be able to use keyids shorter or longer than 16
+hex characters.
+
+openpgp2ssh only acts on keys associated with the first primary key
+passed in. If you send it more than one primary key, it will silently
+ignore later ones.
.Sh SEE ALSO
.Xr monkeysphere 1 ,
.Xr ssh 1 ,
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 19:15:07 +0000