On Tue, 23 Jul 2013 06:34, m...@0x01b.net said:

> As I understand it, I can create an authentication subkey and use some utility
> to convert that to an ssh key. If this conversion is possible, then why can't
> the gpg-agent consider private auth (sub)keys along with ssh keys loaded via
> the SSH_AUTH_SOCK protocol?

It does this if the authkey is on a smart-card. We can't further automate
this because the gpg-agent protocol requires that gpg-agent tells ssh all
available keys so that ssh can ask the server whether it is willing to
accept a certain key. With the dozens of auth-keys in a keyring this is a
privacy problem and a performance problem. So what we require is that
non-smartcard keys to be used with ssh be listed in ~/.gnupg/sshcontrol.

With GnuPG 2.1 the whole thing will become easier because the gpg-agent has
direct access to all private keys and thus there is no more need to consult
gpg to convert the non-smartcard keys. This will actually allow writing a
small GUI to maintain the sshcontrol file.

> Also, out of curiosity... Would it be possible to multiplex the GPG_AGENT_INFO
> protocol with SSH_AUTH_SOCK? Damien Miller of OpenSSH has talked about unix
> socket forwarding [0], but nothing has come of it. I think it'd be a big win

In theory yes. If you want to try: gpg-agent 2.1 can use TCP instead of a
local socket to accept connections from gpg. It is a debugging aid because
there is no security - tunneling this via ssh would give you this security.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are governed by a federal law.)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
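The reply above says that non-smartcard keys are only offered to ssh if their keygrip is listed in ~/.gnupg/sshcontrol. The following is an added example, not code from the mail or from the GnuPG project, showing what that file looks like and how to maintain it safely from a script. It assumes GnuPG 2.1 or later (where `gpg --with-keygrip -K` prints keygrips and `gpgconf --list-dirs agent-ssh-socket` prints the agent's ssh socket); the file format used here is the documented one (`KEYGRIP [TTL [FLAGS]]`, `#` comments, a leading `!` disables an entry, `confirm` as a flag), and all keygrips in the sample are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original mail). Maintains ~/.gnupg/sshcontrol,
# the list of non-smartcard keygrips gpg-agent will offer over SSH_AUTH_SOCK.
# Assumes GnuPG 2.1+. Documented line format:  KEYGRIP [TTL [FLAGS]]
#   '#' starts a comment, a leading '!' disables the entry, TTL 0 = no expiry,
#   FLAGS may be "confirm" (ask before each use).

# Print the keygrips that are active, i.e. the ones the agent would list to
# ssh: comments, blank lines and '!'-disabled entries are skipped; anything
# that is not a 40-hex-digit keygrip is reported on stderr and dropped.
sshcontrol_active_keygrips() {
    # $1 = path to the sshcontrol file
    sed -e 's/#.*$//' "$1" \
    | awk 'NF > 0 && $1 !~ /^!/ {
              if (length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/) print toupper($1)
              else print "bad keygrip: " $1 > "/dev/stderr"
          }'
}

# Append one keygrip so the agent starts offering that key to ssh.
# $1 = sshcontrol path, $2 = keygrip, $3 = TTL (default 0), $4 = optional "confirm"
# Refuses malformed keygrips and entries that are already present (even if
# they are disabled with '!'), so a script cannot silently re-enable a key.
sshcontrol_add() {
    keygrip=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    case "$keygrip" in
        *[!0-9A-F]*|"") echo "not a keygrip: $2" >&2; return 1 ;;
    esac
    [ "${#keygrip}" -eq 40 ] || { echo "keygrip must be 40 hex digits: $2" >&2; return 1; }
    if grep -qi "^!\{0,1\}$keygrip" "$1" 2>/dev/null; then
        echo "already listed: $keygrip" >&2; return 2
    fi
    printf '%s %s%s\n' "$keygrip" "${3:-0}" "${4:+ $4}" >> "$1"
}

# Demo on a constructed sshcontrol file (keygrips are made up).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshcontrol
E6C8F7D0A4B3C2D1E0F9A8B7C6D5E4F3A2B1C0D9 0
!A1B2C3D4E5F60718293A4B5C6D7E8F9001122334 0
0123456789ABCDEF0123456789ABCDEF01234567 600 confirm
EOF
    echo "offered to ssh:"
    sshcontrol_active_keygrips "$tmp"
    rm -f "$tmp"
}

demo
```

In practice the keygrip to add comes from `gpg --with-keygrip -K` (the `[A]` authentication subkey), the agent needs `enable-ssh-support` in gpg-agent.conf, and `ssh-add -L` against `SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` is the check that only the intended keys are being offered, which is exactly the privacy concern the reply raises.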