- .\" -*- nroff -*-
- .Dd $Mdocdate: June 11, 2008 $
- .Dt OPENPGP2SSH 1
- .Os
- .Sh NAME
- openpgp2ssh
- .Nd translate OpenPGP keys to SSH keys
- .Sh SYNOPSIS
- .Nm openpgp2ssh < mykey.gpg
- .Pp
- .Nm gpg --export $KEYID | openpgp2ssh $KEYID
- .Pp
- .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
- .Sh DESCRIPTION
- .Nm
- takes an OpenPGP-formatted primary key and associated
- subkeys on standard input, and spits out the requested equivalent
- SSH-style key on standard output.
- .Pp
- If the data on standard input contains no subkeys, you can invoke
- .Nm
- without arguments. If the data on standard input contains multiple
- keys (e.g. a primary key and associated subkeys), you must specify a
- specific OpenPGP key identifier as the first argument to indicate
- which key to export. The key ID is normally the 40 hex digit OpenPGP
- fingerprint of the key or subkey desired, but
- .Nm
- will accept as few as the last 8 digits of the fingerprint as a key
- ID.
- .Pp
- If the input contains an OpenPGP RSA or DSA public key, it will be
- converted to the OpenSSH-style single-line keystring, prefixed with
- the key type. This format is suitable (with minor alterations) for
- insertion into known_hosts files and authorized_keys files.
- .Pp
- If the input contains an OpenPGP RSA or DSA secret key, it will be
- converted to the equivalent PEM-encoded private key.
- .Pp
- .Nm
- is part of the
- .Xr monkeysphere 7
- framework for providing a PKI for SSH.
- .Sh CAVEATS
- The keys produced by this process are stripped of all identifying
- information, including certifications, self-signatures, etc. This is
- intentional, since ssh attaches no inherent significance to these
- features.
- .Pp
- .Nm
- only works with RSA or DSA keys, because those are the
- only ones which work with ssh.
- .Pp
- Assuming a valid key type, though,
- .Nm
- will produce output for
- any requested key. This means, among other things, that it will
- happily export revoked keys, unverifiable keys, expired keys, etc.
- Make sure you do your own key validation before using this tool!
- .Sh EXAMPLES
- .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
- .Pp
- This pushes the secret key into the active
- .Xr ssh-agent 1 .
- Tools such as
- .Xr ssh 1
- which know how to talk to the
- .Xr ssh-agent 1
- can now rely on the key.
- .Sh AUTHOR
- .Nm
- and this man page were written by Daniel Kahn Gillmor
- <dkg@fifthhorseman.net>.
- .Sh BUGS
- .Nm
- Currently only exports into formats used by the OpenSSH.
- It should support other key output formats, such as those used by
- lsh(1) and putty(1).
- .Pp
- Secret key output is currently not passphrase-protected.
- .Pp
- .Nm
- currently cannot handle passphrase-protected secret keys on input.
- .Pp
- Key identifiers consisting of an odd number of hex digits are not
- accepted. Users who use a key ID with a standard length of 8, 16, or
- 40 hex digits should not be affected by this.
- .Pp
- .Nm
- only acts on keys associated with the first primary key
- passed in. If you send it more than one primary key, it will silently
- ignore later ones.
- .Sh SEE ALSO
- .Xr pem2openpgp 1 ,
- .Xr monkeysphere 1 ,
- .Xr monkeysphere 7 ,
- .Xr ssh 1 ,
- .Xr monkeysphere-server 8
|
