Hello Jen,

> gpg --export-secret-keys $KEYID | openpgp2ssh $KEYID

After moving your secret subkeys to a smartcard, the secret subkeys are not on your hard drive anymore. The secret parts are only on the smartcard then. And for security reasons you cannot export secret keys from your smartcard. The files of your secret keys you find in `~/.gnupg/private-keys-v1.d/` on your hard drive are only “stubs”.
> Can anyone tell me how to properly get the public key off of the yubikey to
> present to other servers?

The smartcard only stores the secret parts of your subkeys, not the public parts. In order to use your GPG subkey (which has authentication function) for SSH, you can use the `gpg --export-ssh-key <KEYID>` command. This will give you the public part of your authentication key in SSH format. For this command you only need the public key in your keyring. The export has nothing to do with your smartcard.

I attached a little tutorial I once wrote for using GnuPG for SSH authentication. It worked for me on Arch Linux, Manjaro, and Linux Mint, but should apply to CentOS, too.

Best regards,
W. Traylor
---
title: GnuPG for SSH on Linux
author: Wolfgang Traylor
license: CC-zero 1.0 (https://creativecommons.org/publicdomain/zero/1.0/)
...

Warning: This is still work in progress!

On Debian: Prepare GnuPG
========================

SSH support is not given by GnuPG 1. The `gpg` executable must be version 2.0 or higher. On Debian systems, `gpg` is still the old version by default. We change that globally. First check your versions:

```sh
gpg --version
gpg2 --version
```

If `gpg` is not 2.x, we need to change that.

```sh
mkdir --parents ~/.local/bin/
ln --symbolic "$(which gpg)" ~/.local/bin/gpg1
ln --symbolic "$(which gpg2)" ~/.local/bin/gpg
```

This will override the global gpg command with a local one for the current user (this only works if `~/.local/bin` comes before the system directories in your `PATH`).

Create your Authentication Subkey
=================================

```sh
gpg --expert --edit-key KEYID
> addkey
# Type of key:
> 8        # RSA (set your own capabilities)
# Give it only authentication functionality. RSA starts with
# Sign and Encrypt enabled, so toggle those off and Authenticate on:
> S        # toggle the sign capability off
> E        # toggle the encrypt capability off
> A        # toggle the authenticate capability on
> Q        # finished
# Choose your preferred length:
> 4096
# Your preferred expiration:
> 1y
# Write the new subkey to your keyring before quitting:
> save
```

Export your Public SSH Key
==========================

```sh
gpg --export-ssh-key KEYID > /tmp/my_ssh_key.pub
```

You can open this file in a text editor. It contains only one line. Anything after the first space is a comment. By default, your Key ID is in the comment. I recommend adding your name there, too, in order to make the key identifiable.

The public key file needs to go to the remote machine. Give it to the administrator. If you already have a user account on the remote machine, you can give yourself remote access by authorizing your key:

```sh
cat /path/to/my_ssh_key.pub >> ~/.ssh/authorized_keys
```

I recommend doing that on each of your devices, so that you can log in remotely at any time if necessary.

Set up SSH on your local machine
================================

The GnuPG agent (since version 2.0) can function as a drop-in replacement for the SSH agent. We need to let the `ssh` command know how to connect to GnuPG.
First enable SSH support in the GnuPG agent and restart the agent:

```sh
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
```

See if this command produces any output:

```sh
gpgconf --list-dirs agent-ssh-socket
```

If it does, copy the following line into `~/.bashrc` (the `export` is needed so that `ssh`, a child process of your shell, actually sees the variable):

```sh
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
```

If there was no output, restart your computer and try again. If still no luck, look for a file with the name `S.gpg-agent.ssh` in your `~/.gnupg` folder. If you find that file, add this into your `~/.bashrc`:

```sh
export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
```

For our changes in `~/.bashrc` to take effect, we need to log out and back in again.

Put your Subkey under SSH Control
=================================

The GnuPG agent needs to be told explicitly which keys shall be used for SSH. They are listed in the file `~/.gnupg/sshcontrol` in the form of their “keygrip”. Call `gpg --list-keys --with-keygrip YOUR_KEYID` to find out that number for your authentication subkey and copy-paste it into `~/.gnupg/sshcontrol` (create the file if needed). See if your key is listed with `ssh-add -l`. If it is, you are ready to use it for SSH.
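To avoid copy-pasting the keygrip by hand, here is an added helper script (not part of the tutorial above) that parses the machine-readable output of `gpg --list-keys --with-colons --with-keygrip KEYID`, picks the keygrips of authentication-capable subkeys that are neither expired nor revoked, and appends them to `~/.gnupg/sshcontrol` only if they are not already listed. The key listing embedded in it is constructed; its key IDs, fingerprints and keygrips are made up.

```shell
#!/bin/sh
# Added example (not from the tutorial): select the keygrip(s) of
# authentication subkeys from a colon listing and register them for SSH.

# Constructed sample listing (key IDs, dates, fingerprints and keygrips are
# made up). Record types: pub/sub = keys, fpr = fingerprint, grp = keygrip,
# uid = user ID. Field 12 of pub/sub holds the capabilities (s/e/a/c),
# field 2 the validity (e = expired, r = revoked).
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
fpr:::::::::AAAA000000000000000000000000000000000000:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::e::::::23:
fpr:::::::::BBBB000000000000000000000000000000000000:
grp:::::::::2222222222222222222222222222222222222222:
sub:e:4096:1:0000000000000001:1500000000:1500000001:::::a::::::23:
fpr:::::::::DDDD000000000000000000000000000000000000:
grp:::::::::4444444444444444444444444444444444444444:
sub:u:4096:1:1122334455667788:1600000000:1800000000:::::a::::::23:
fpr:::::::::CCCC000000000000000000000000000000000000:
grp:::::::::3333333333333333333333333333333333333333:'

# Read a colon listing on stdin; print the keygrip of every subkey that has
# the authenticate capability and is neither expired nor revoked.
auth_keygrips() {
  awk -F: '
    $1 == "pub" { want = 0 }
    $1 == "sub" { want = ($12 ~ /a/ && $2 != "e" && $2 != "r") }
    $1 == "grp" && want { print $10; want = 0 }
  '
}

# Append a keygrip to an sshcontrol file unless it is already listed
# (entries may be prefixed with "!" to disable them, so match that too).
add_to_sshcontrol() {
  grip=$1
  file=${2:-"$HOME/.gnupg/sshcontrol"}
  touch "$file"
  if grep -Eq "^!?${grip}" "$file"; then
    return 0
  fi
  printf '%s\n' "$grip" >> "$file"
}

# Demo against the constructed listing; with a real key, pipe
#   gpg --list-keys --with-colons --with-keygrip KEYID
# into auth_keygrips instead.
printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
```

Only the keygrip of the unexpired authentication subkey (`3333…`) is printed; the expired one and the encryption subkey are skipped.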
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users