- .\" -*- nroff -*-
- .Dd $Mdocdate: March 1, 2009 $
- .Dt OPENPGP2SSH 1
- .Os
- .Sh NAME
- openpgp2ssh
- .Nd translate OpenPGP keys to SSH keys
- .Sh SYNOPSIS
- .Nm openpgp2ssh < mykey.gpg
- .Pp
- .Nm gpg \-\-export $KEYID | openpgp2ssh $KEYID
- .Pp
- .Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID
- .Sh DESCRIPTION
- .Nm
- takes an OpenPGP-formatted primary key and associated
- subkeys on standard input, and spits out the requested equivalent
- SSH-style key on standard output.
- .Pp
- If the data on standard input contains no subkeys, you can invoke
- .Nm
- without arguments. If the data on standard input contains multiple
- keys (e.g. a primary key and associated subkeys), you must specify a
- specific OpenPGP key identifier as the first argument to indicate
- which key to export. The key ID is normally the 40 hex digit OpenPGP
- fingerprint of the key or subkey desired, but
- .Nm
- will accept as few as the last 8 digits of the fingerprint as a key
- ID.
- .Pp
- If the input contains an OpenPGP RSA public key, it will be converted
- to the OpenSSH-style single-line keystring, prefixed with the key type
- (`ssh\-rsa'). This format is suitable (with minor alterations) for
- insertion into known_hosts files and authorized_keys files.
- .Pp
- If the input contains an OpenPGP RSA secret key, it will be converted
- to the equivalent PEM-encoded private key.
- .Pp
- .Nm
- is part of the
- .Xr monkeysphere 7
- framework for providing a PKI for SSH.
- .Sh CAVEATS
- The keys produced by this process are stripped of all identifying
- information, including certifications, self-signatures, etc. This is
- intentional, since ssh attaches no inherent significance to these
- features.
- .Pp
- .Nm
- will produce output for any requested RSA key. This means, among
- other things, that it will happily export revoked keys, unverifiable
- keys, expired keys, etc. Make sure you do your own key validation
- before using this tool!
- .Sh EXAMPLES
- .Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID | ssh\-add \-c /dev/stdin
- .Pp
- This pushes the secret key into the active
- .Xr ssh\-agent 1 .
- Tools such as
- .Xr ssh 1
- which know how to talk to the
- .Xr ssh\-agent 1
- can now rely on the key.
- .Sh AUTHOR
- .Nm
- and this man page were written by Daniel Kahn Gillmor
- <dkg@fifthhorseman.net>.
- .Sh BUGS
- .Nm
- only works with RSA keys. DSA keys are the only other key type
- available in both OpenPGP and SSH, but they are currently unsupported
- by this utility.
- .Pp
- .Nm
- only accepts raw OpenPGP packets on standard input. It does not
- accept ASCII-armored input.
- .Nm
- Currently only exports into formats used by the OpenSSH.
- It should support other key output formats, such as those used by
- .Xr lsh 1
- and
- .Xr putty 1 .
- .Pp
- Secret key output is currently not passphrase-protected.
- .Pp
- .Nm
- currently cannot handle passphrase-protected secret keys on input.
- .Sh SEE ALSO
- .Xr pem2openpgp 1 ,
- .Xr monkeysphere 1 ,
- .Xr monkeysphere 7 ,
- .Xr ssh 1 ,
- .Xr monkeysphere-authentication 8 ,
- .Xr monkeysphere-host 8
|
