summaryrefslogtreecommitdiff
path: root/man/man1/openpgp2ssh.1
blob: 304a442577b3f60e3765737b999a8d87688bda8c (plain)
  1. .\"  -*- nroff -*-
  2. .Dd $Mdocdate: March 1, 2009 $
  3. .Dt OPENPGP2SSH 1
  4. .Os
  5. .Sh NAME
  6. openpgp2ssh
  7. .Nd translate OpenPGP keys to SSH keys
  8. .Sh SYNOPSIS
  9. .Nm openpgp2ssh < mykey.gpg
  10. .Pp
  11. .Nm gpg \-\-export $KEYID | openpgp2ssh $KEYID
  12. .Pp
  13. .Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID
  14. .Sh DESCRIPTION
  15. .Nm
  16. takes an OpenPGP-formatted primary key and associated
  17. subkeys on standard input, and spits out the requested equivalent
  18. SSH-style key on standard output.
  19. .Pp
  20. If the data on standard input contains no subkeys, you can invoke
  21. .Nm
  22. without arguments. If the data on standard input contains multiple
  23. keys (e.g. a primary key and associated subkeys), you must specify a
  24. specific OpenPGP key identifier as the first argument to indicate
  25. which key to export. The key ID is normally the 40 hex digit OpenPGP
  26. fingerprint of the key or subkey desired, but
  27. .Nm
  28. will accept as few as the last 8 digits of the fingerprint as a key
  29. ID.
  30. .Pp
  31. If the input contains an OpenPGP RSA public key, it will be converted
  32. to the OpenSSH-style single-line keystring, prefixed with the key type
  33. (`ssh\-rsa'). This format is suitable (with minor alterations) for
  34. insertion into known_hosts files and authorized_keys files.
  35. .Pp
  36. If the input contains an OpenPGP RSA secret key, it will be converted
  37. to the equivalent PEM-encoded private key.
  38. .Pp
  39. .Nm
  40. is part of the
  41. .Xr monkeysphere 7
  42. framework for providing a PKI for SSH.
  43. .Sh CAVEATS
  44. The keys produced by this process are stripped of all identifying
  45. information, including certifications, self-signatures, etc. This is
  46. intentional, since ssh attaches no inherent significance to these
  47. features.
  48. .Pp
  49. .Nm
  50. will produce output for any requested RSA key. This means, among
  51. other things, that it will happily export revoked keys, unverifiable
  52. keys, expired keys, etc. Make sure you do your own key validation
  53. before using this tool!
  54. .Sh EXAMPLES
  55. .Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID | ssh\-add \-c /dev/stdin
  56. .Pp
  57. This pushes the secret key into the active
  58. .Xr ssh\-agent 1 .
  59. Tools such as
  60. .Xr ssh 1
  61. which know how to talk to the
  62. .Xr ssh\-agent 1
  63. can now rely on the key.
  64. .Sh AUTHOR
  65. .Nm
  66. and this man page were written by Daniel Kahn Gillmor
  67. <dkg@fifthhorseman.net>.
  68. .Sh BUGS
  69. .Nm
  70. only works with RSA keys. DSA keys are the only other key type
  71. available in both OpenPGP and SSH, but they are currently unsupported
  72. by this utility.
  73. .Pp
  74. .Nm
  75. only accepts raw OpenPGP packets on standard input. It does not
  76. accept ASCII-armored input.
  77. .Nm
  78. Currently only exports into formats used by the OpenSSH.
  79. It should support other key output formats, such as those used by
  80. .Xr lsh 1
  81. and
  82. .Xr putty 1 .
  83. .Pp
  84. Secret key output is currently not passphrase-protected.
  85. .Pp
  86. .Nm
  87. currently cannot handle passphrase-protected secret keys on input.
  88. .Sh SEE ALSO
  89. .Xr pem2openpgp 1 ,
  90. .Xr monkeysphere 1 ,
  91. .Xr monkeysphere 7 ,
  92. .Xr ssh 1 ,
  93. .Xr monkeysphere-authentication 8 ,
  94. .Xr monkeysphere-host 8