.Nd translate OpenPGP keys to SSH keys
.Sh SYNOPSIS
.Nm openpgp2ssh < mykey.gpg
-
+.Pp
.Nm gpg --export $KEYID | openpgp2ssh $KEYID
-
+.Pp
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID
.Sh DESCRIPTION
-openpgp2ssh takes OpenPGP-formatted RSA and DSA keys on standard
-input, and spits out the requested equivalent SSH-style key on
-standard output.
-
-If the data on standard input contains only a single key, you can
-invoke openpgp2ssh without arguments. If the data on standard input
-contains multiple keys (e.g. a primary key and associated subkeys),
-you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or
-fingerprint as the first argument to indicate which key to export.
-The keyid must be at least 8 hex characters.
-
+.Nm
+takes an OpenPGP-formatted primary key and associated
+subkeys on standard input, and spits out the requested equivalent
+SSH-style key on standard output.
+.Pp
+If the data on standard input contains no subkeys, you can invoke
+.Nm
+without arguments. If the data on standard input contains multiple
+keys (e.g. a primary key and associated subkeys), you must specify a
+specific OpenPGP key identifier as the first argument to indicate
+which key to export. The key ID is normally the 40 hex digit OpenPGP
+fingerprint of the key or subkey desired, but
+.Nm
+will accept as few as the last 8 digits of the fingerprint as a key
+ID.
+.Pp
If the input contains an OpenPGP RSA or DSA public key, it will be
converted to the OpenSSH-style single-line keystring, prefixed with
the key type. This format is suitable (with minor alterations) for
insertion into known_hosts files and authorized_keys files.
-
+.Pp
If the input contains an OpenPGP RSA or DSA secret key, it will be
converted to the equivalent PEM-encoded private key.
-
-Note that the keys output from this process are stripped of all
-identifying information, including certifications, self-signatures,
-etc.
-
-openpgp2ssh is part of the
-.Xr monkeysphere 1
+.Pp
+.Nm
+is part of the
+.Xr monkeysphere 5
framework for providing a PKI for SSH.
+.Sh CAVEATS
+The keys produced by this process are stripped of all identifying
+information, including certifications, self-signatures, etc. This is
+intentional, since ssh attaches no inherent significance to these
+features.
+.Pp
+.Nm
+only works with RSA or DSA keys, because those are the
+only ones which work with ssh.
+.Pp
+Assuming a valid key type, though,
+.Nm
+will produce output for
+any requested key. This means, among other things, that it will
+happily export revoked keys, unverifiable keys, expired keys, etc.
+Make sure you do your own key validation before using this tool!
.Sh EXAMPLES
.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
-
+.Pp
This pushes the secret key into the active
.Xr ssh-agent 1 .
-Tools (such as
-.Xr ssh 1 )
+Tools such as
+.Xr ssh 1
which know how to talk to the
.Xr ssh-agent 1
can now rely on the key.
.Sh AUTHOR
-openpgp2ssh and this man page were written by Daniel Kahn Gillmor
+.Nm
+and this man page were written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net>.
.Sh BUGS
-openpgp2ssh currently only exports into formats used by the OpenSSH.
+.Nm
+Currently only exports into formats used by the OpenSSH.
It should support other key output formats, such as those used by
lsh(1) and putty(1).
-
+.Pp
Secret key output is currently not passphrase-protected.
-
-This program is not yet implemented, and this man page currently only
-describes expected functionality.
+.Pp
+.Nm
+currently cannot handle passphrase-protected secret keys on input.
+.Pp
+Key identifiers consisting of an odd number of hex digits are not
+accepted. Users who use a key ID with a standard length of 8, 16, or
+40 hex digits should not be affected by this.
+.Pp
+.Nm
+only acts on keys associated with the first primary key
+passed in. If you send it more than one primary key, it will silently
+ignore later ones.
.Sh SEE ALSO
.Xr monkeysphere 1 ,
+.Xr monkeysphere 5 ,
.Xr ssh 1 ,
.Xr monkeysphere-server 8
projects / monkeysphere.git / blobdiff