2 .Dd $Mdocdate: June 11, 2008 $
7 .Nd translate OpenPGP keys to SSH keys
9 .Nm openpgp2ssh < mykey.gpg
11 .Nm gpg --export $KEYID | openpgp2ssh $KEYID
13 .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
15 openpgp2ssh takes an OpenPGP-formatted primary key and associated
16 subkeys on standard input, and spits out the requested equivalent
17 SSH-style key on standard output.
19 If the data on standard input contains no subkeys, you can invoke
20 openpgp2ssh without arguments. If the data on standard input contains
21 multiple keys (e.g. a primary key and associated subkeys), you must
22 specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
23 fingerprint as the first argument to indicate which key to export.
24 The keyid must be exactly 16 hex characters.
26 If the input contains an OpenPGP RSA or DSA public key, it will be
27 converted to the OpenSSH-style single-line keystring, prefixed with
28 the key type. This format is suitable (with minor alterations) for
29 insertion into known_hosts files and authorized_keys files.
31 If the input contains an OpenPGP RSA or DSA secret key, it will be
32 converted to the equivalent PEM-encoded private key.
34 openpgp2ssh is part of the
36 framework for providing a PKI for SSH.
38 The keys produced by this process are stripped of all identifying
39 information, including certifications, self-signatures, etc. This is
40 intentional, since ssh attaches no inherent significance to these
43 openpgp2ssh only works with RSA or DSA keys, because those are the
44 only ones which work with ssh.
46 Assuming a valid key type, though, openpgp2ssh will produce output for
47 any requested key. This means, among other things, that it will
48 happily export revoked keys, unverifiable keys, expired keys, etc.
49 Make sure you do your own key validation before using this tool!
51 .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
53 This pushes the secret key into the active
57 which know how to talk to the
59 can now rely on the key.
61 openpgp2ssh and this man page were written by Daniel Kahn Gillmor
62 <dkg@fifthhorseman.net>.
64 openpgp2ssh currently only exports into formats used by the OpenSSH.
65 It should support other key output formats, such as those used by
68 Secret key output is currently not passphrase-protected.
70 openpgp2ssh currently cannot handle passphrase-protected secret keys on input.
72 It would be nice to be able to use keyids shorter or longer than 16
75 openpgp2ssh only acts on keys associated with the first primary key
76 passed in. If you send it more than one primary key, it will silently
81 .Xr monkeysphere-server 8