Hi Peter

Thanks for your comments and help.

Your guide highlighted a silly error where I had accidentally chopped some of the trailing characters of the appropriate keygrip in sshcontrol (Doh!). BTW I am using GnuPG 2.1.9. I can now successfully get the response to ssh-add -L as expected. Great!

I do have a problem with this setup still not working as expected, i.e. I have the exported pub key (from ssh-add -L) copied to the external server's ~/.ssh/authorized_keys, but am still being prompted for a user password upon ssh'ing to the server. Anything there I am perhaps missing?

Kind regards
Jacques

On 12 January 2016 at 18:37, Peter Lebbing <pe...@digitalbrains.com> wrote:
> On 12/01/16 12:58, Jacques Kotze wrote:
> > Hi All,
>
> Hi,
>
> > First time post, so please excuse me if it is an ignorant noob question :)
>
> It's not an ignorant question, and even if it were, that wouldn't be a
> problem :).
>
> > $> unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
> > $> eval $(/usr/local/MacGPG2/bin/gpg-agent --daemon --enable-ssh-support)
>
> Which version of GnuPG are you using, by the way?
>
> > Ok.. so I am stumped. Any help appreciated :)
>
> Did it go something like this?
>
> I'm "quoting" the terminal interaction and writing comments in between.
> You can see I'm using GnuPG 2.1, but I think it should go the same for
> 2.0. There /is/ a difference with regard to the agent configuration,
> though, which is why I ask about your version above.
>
> > $ gpg2 --expert --edit-key DCDFDFA4
> > gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > Secret key is available.
> >
> > sec  rsa1024/DCDFDFA4
> >      created: 2012-03-17  expires: 2016-01-13  usage: SC
> >      trust: never         validity: unknown
> > ssb  rsa1024/77A3395A
> >      created: 2012-03-17  expires: never       usage: E
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test@example.invalid>
> > [ unknown] (2)  Test Teststra <test@work.invalid>
>
> This is a testkey. It doesn't have an authentication capable subkey yet,
> so let's add one (for that, we need --expert, hence my use of it).
>
> > gpg> addkey
> > Please select what kind of key you want:
> >    (3) DSA (sign only)
> >    (4) RSA (sign only)
> >    (5) Elgamal (encrypt only)
> >    (6) RSA (encrypt only)
> >    (7) DSA (set your own capabilities)
> >    (8) RSA (set your own capabilities)
> >   (10) ECC (sign only)
> >   (11) ECC (set your own capabilities)
> >   (12) ECC (encrypt only)
> >   (13) Existing key
> > Your selection? 8
> >
> > Possible actions for a RSA key: Sign Encrypt Authenticate
> > Current allowed actions: Sign Encrypt
> >
> >    (S) Toggle the sign capability
> >    (E) Toggle the encrypt capability
> >    (A) Toggle the authenticate capability
> >    (Q) Finished
> >
> > Your selection? =a
>
> I just noticed this possibility in a recent post by Werner to this
> list... I don't know if it's a new 2.1 feature, but instead of first
> toggling S and E, you can prepend an = to your A and presto, the key is
> for A only.
>
> > RSA keys may be between 1024 and 4096 bits long.
> > What keysize do you want? (2048)
> > Requested keysize is 2048 bits
> > Please specify how long the key should be valid.
> >          0 = key does not expire
> >       <n>  = key expires in n days
> >       <n>w = key expires in n weeks
> >       <n>m = key expires in n months
> >       <n>y = key expires in n years
> > Key is valid for? (0)
> > Key does not expire at all
> > Is this correct? (y/N) y
> > Really create? (y/N) y
> > We need to generate a lot of random bytes. It is a good idea to perform
> > some other action (type on the keyboard, move the mouse, utilize the
> > disks) during the prime generation; this gives the random number
> > generator a better chance to gain enough entropy.
> >
> > sec  rsa1024/DCDFDFA4
> >      created: 2012-03-17  expires: 2016-01-13  usage: SC
> >      trust: never         validity: unknown
> > ssb  rsa1024/77A3395A
> >      created: 2012-03-17  expires: never       usage: E
> > ssb  rsa2048/38EF7410
> >      created: 2016-01-12  expires: never       usage: A
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test@example.invalid>
> > [ unknown] (2)  Test Teststra <test@work.invalid>
> >
> > gpg> Save changes? (y/N) y
>
> So now we need the keygrip for this new authentication subkey:
>
> > $ gpg2 --with-keygrip -k DCDFDFA4
> > pub   rsa1024/DCDFDFA4 2012-03-17 [expires: 2016-01-13]
> >       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> > uid         [ unknown] Test Teststra (Koning van Wezel) <test@example.invalid>
> > uid         [ unknown] Test Teststra <test@work.invalid>
> > sub   rsa1024/77A3395A 2012-03-17
> >       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> > sub   rsa2048/38EF7410 2016-01-12
> >       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
>
> The keygrip /follows/ the line with the short key ID; we need the
> keygrip for the key with ID 38EF7410, so it's the very last line. The
> other keygrips are for keys that don't have the authentication
> capability and are hence useless to add to sshcontrol.
>
> I used a screen editor, but let's pretend I used the command line... In
> fact, all further lines have been edited to hide my real SSH keys. It's
> probably overkill, but let's be cautious with what we broadcast on the
> internet.
>
> > $ cd .gnupg
> > $ echo '3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0' >>sshcontrol
> > $ cat .gnupg/sshcontrol
> > # List of allowed ssh keys. Only keys present in this file are used
> > # in the SSH protocol. The ssh-add tool may add new entries to this
> > # file to enable them; you may also add them manually. Comment
> > # lines, like this one, as well as empty lines are ignored. Lines do
> > # have a certain length limit but this is not serious limitation as
> > # the format of the entries is fixed and checked by gpg-agent. A
> > # non-comment line starts with optional white spaces, followed by the
> > # keygrip of the key given as 40 hex digits, optionally followed by a
> > # the caching TTL in seconds and another optional field for arbitrary
> > # flags. Prepend the keygrip with an '!' mark to disable it.
> >
> > 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0
>
> Now let's see if it's known:
>
> > $ ssh-add -L
> > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9V1hmvs5Gg8OqmtHDXfIAKA5Ji0z0+ib5m7DRjX/KXXZvOtwR8QOvsFxffJsXpmp1m7nL/gw+EcjbMDAbo+X05UWKiMwyVdinbnaupFDtk7Z+KBEAYLsvUml23jiBzitLbURC7wFrMTFPVzGY/5ZHw0LaWjSPuQxltjPTnMUcL4F4eyDD2TkmsxmAgNy5xMAjHmGdEaBnFent2hBTMETyeWKlP6glKT67eL2SQn5viHSXK6nVlXsyYsJBIhSPjAagPv1qRtkhinSJaKDUGWZ0vxMpNHscjG4DreWKlzew5UQcBBKleYPl7mSf1Z8UJnwLnYdC0OhjC1dMfyitByhV (none)
>
> \o/
>
> If you did it just like this, there's an issue in your setup, as it
> works for me. If you didn't do it like this, ... you probably should ;P.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
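The error Jacques describes (a keygrip with its trailing characters chopped off in sshcontrol) is easy to catch mechanically, because the header comment gpg-agent writes into the file fixes the entry format: optional leading whitespace, an optional '!' to disable the entry, a keygrip of exactly 40 hex digits, an optional caching TTL in seconds and an optional flags field. The POSIX sh function below is an example added to this page, not code from GnuPG or from either poster; it checks every non-comment line of a sshcontrol file against that format and reports each entry whose keygrip is not 40 hex digits. The sample file it builds is constructed for the demonstration: it reuses two keygrips from Peter's listing and adds a copy of the authentication subkey's keygrip with its last four hex digits removed, mirroring the truncation error.

```shell
#!/bin/sh
# check_sshcontrol FILE
# Validates each entry of a gpg-agent sshcontrol file against the format
# described in the header comment gpg-agent itself writes into the file:
#   [whitespace] [!]KEYGRIP(40 hex digits) [TTL seconds] [flags]
# Prints one line per entry and returns the number of malformed entries
# (0 means every entry is well-formed). Example code, not part of GnuPG.
check_sshcontrol() {
    file="$1"
    bad=0
    lineno=0
    # The || [ -n "$line" ] also processes a last line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop leading whitespace, then skip comment and empty lines.
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            ''|'#'*) continue ;;
        esac
        # Split the entry into keygrip, optional TTL and optional flags.
        set -- $trimmed
        grip="$1"
        ttl="${2:-default}"
        disabled=no
        case "$grip" in
            '!'*) disabled=yes; grip="${grip#!}" ;;
        esac
        if printf '%s' "$grip" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
            printf 'line %d: OK   %s (disabled=%s, ttl=%s)\n' \
                "$lineno" "$grip" "$disabled" "$ttl"
        else
            printf 'line %d: BAD  "%s" (%d chars) is not a 40 hex digit keygrip\n' \
                "$lineno" "$grip" "${#grip}"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample sshcontrol: the first two keygrips are from Peter's
# listing above; the third is the authentication subkey's keygrip with its
# last four hex digits chopped off, the kind of slip Jacques describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# List of allowed ssh keys. Only keys present in this file are used
# in the SSH protocol.

3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0
  !15CB764B81D542CF921978CA89910C69D53F4E2D 600 confirm
3D88DC9D60F791821AF8D537EEAC3C8DF772 0
EOF

rc=0
check_sshcontrol "$sample" || rc=$?
echo "malformed entries: $rc"
rm -f "$sample"
```

Run it against ~/.gnupg/sshcontrol after editing the file by hand; a non-zero return names the offending line, and an entry that is not 40 hex digits can never match any key's keygrip, so ssh-add -L will not list that key no matter what else is configured.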