Using GnuPG Keys with PuTTY - SSH

  1. Using GnuPG Keys with PuTTY

    I have users that want to use their GnuPG keys with PuTTY, but I
    cannot figure out a way to import them. I also cannot figure out a way to
    export PuTTY keys so that GnuPG can import them.

    Is there something that I'm missing? Is there a conversion routine
    available?

    Russ...


  2. Re: Using GnuPG Keys with PuTTY

    Have you tried puttygen.exe, available from the PuTTY download page?


  3. Re: Using GnuPG Keys with PuTTY

    Wences wrote:
    > Have you tried puttygen.exe, available from the PuTTY download page?


    That won't help: PuTTYgen will cheerfully import keys from OpenSSH
    and ssh.com, but doesn't know how to import from GnuPG.

    Primarily this is because it has never occurred to us that anyone
    would want to. The point of importing a private key from another
    program is because it enables you to authenticate to servers which
    _already_ trust the corresponding public key; if you instead
    generated a fresh key then you'd have to reconfigure the server,
    which might be more inconvenient (for example, if there are ten such
    servers configured independently). So importing keys from other SSH
    clients makes obvious practical sense because SSH servers will often
    already be set up to trust those keys; but I've never heard of an
    SSH server trusting a GnuPG public key, so I can't see any practical
    reason why importing a GnuPG private key into PuTTY would be
    preferable to just generating a fresh key.

    Perhaps the original poster might shed some light on _why_ his users
    want to import GnuPG keys into PuTTY?
    --
    Simon Tatham "The distinction between the enlightened and the
    terminally confused is only apparent to the latter."

  4. Re: Using GnuPG Keys with PuTTY

    Simon Tatham wrote:
    > Wences wrote:
    >> Have you tried puttygen.exe, available from the PuTTY download page?
    >
    > That won't help: PuTTYgen will cheerfully import keys from OpenSSH
    > and ssh.com, but doesn't know how to import from GnuPG.
    >
    > Primarily this is because it has never occurred to us that anyone
    > would want to. The point of importing a private key from another
    > program is because it enables you to authenticate to servers which
    > _already_ trust the corresponding public key; if you instead
    > generated a fresh key then you'd have to reconfigure the server,
    > which might be more inconvenient (for example, if there are ten such
    > servers configured independently). So importing keys from other SSH
    > clients makes obvious practical sense because SSH servers will often
    > already be set up to trust those keys; but I've never heard of an
    > SSH server trusting a GnuPG public key, so I can't see any practical
    > reason why importing a GnuPG private key into PuTTY would be
    > preferable to just generating a fresh key.
    >
    > Perhaps the original poster might shed some light on _why_ his users
    > want to import GnuPG keys into PuTTY?


    Probably so that they have one private key identity, and one place to
    manage it. I can see some benefit to this but am not sure how it would
    work with current ssh implementations. GnuPG keys for example depend on
    a web of trust where they are signed by other keys. They can also be
    revoked, and they can expire. I don't believe ssh is set up for any of this.

    Chuck

  5. Re: Using GnuPG Keys with PuTTY

    >>>>> "Chuck" == Chuck writes:

    Chuck> Simon Tatham wrote:
    >> Wences wrote:
    >>> Have you tried puttygen.exe, available from the PuTTY download
    >>> page?
    >>
    >> That won't help: PuTTYgen will cheerfully import keys from OpenSSH
    >> and ssh.com, but doesn't know how to import from GnuPG.
    >>
    >> Primarily this is because it has never occurred to us that anyone
    >> would want to. The point of importing a private key from another
    >> program is because it enables you to authenticate to servers which
    >> _already_ trust the corresponding public key; if you instead
    >> generated a fresh key then you'd have to reconfigure the server,
    >> which might be more inconvenient (for example, if there are ten
    >> such servers configured independently). So importing keys from
    >> other SSH clients makes obvious practical sense because SSH servers
    >> will often already be set up to trust those keys; but I've never
    >> heard of an SSH server trusting a GnuPG public key, so I can't see
    >> any practical reason why importing a GnuPG private key into PuTTY
    >> would be preferable to just generating a fresh key.
    >>
    >> Perhaps the original poster might shed some light on _why_ his
    >> users want to import GnuPG keys into PuTTY?


    Chuck> Probably so that they have one private key identity, and one
    Chuck> place to manage it. I can see some benefit to this but am not
    Chuck> sure how it would work with current ssh implementations. GnuPG
    Chuck> keys for example depend on a web of trust where they are signed
    Chuck> by other keys. They can also be revoked, and they can expire. I
    Chuck> don't believe ssh is set up for any of this.

    Chuck> Chuck

    The Tectia Unix ssh client (ssh.com) can use GPG-format keys for user
    authentication, on both the client and server sides.

    --
    Richard Silverman
    res@qoxp.net


  6. Re: Using GnuPG Keys with PuTTY

    Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:
    >
    > Chuck> Simon Tatham wrote:
    > >> Wences wrote:
    > >>> Have you tried puttygen.exe, available from the PuTTY download
    > >>> page?
    > >> That won't help: PuTTYgen will cheerfully import keys from OpenSSH
    > >> and ssh.com, but doesn't know how to import from GnuPG.
    > >>
    > >> Primarily this is because it has never occurred to us that anyone
    > >> would want to. The point of importing a private key from another
    > >> program is because it enables you to authenticate to servers which
    > >> _already_ trust the corresponding public key; if you instead
    > >> generated a fresh key then you'd have to reconfigure the server,
    > >> which might be more inconvenient (for example, if there are ten
    > >> such servers configured independently). So importing keys from
    > >> other SSH clients makes obvious practical sense because SSH servers
    > >> will often already be set up to trust those keys; but I've never
    > >> heard of an SSH server trusting a GnuPG public key, so I can't see
    > >> any practical reason why importing a GnuPG private key into PuTTY
    > >> would be preferable to just generating a fresh key.
    > >>
    > >> Perhaps the original poster might shed some light on _why_ his
    > >> users want to import GnuPG keys into PuTTY?
    >
    > Chuck> Probably so that they have one private key identity, and one
    > Chuck> place to manage it. I can see some benefit to this but am not
    > Chuck> sure how it would work with current ssh implementations. GnuPG
    > Chuck> keys for example depend on a web of trust where they are signed
    > Chuck> by other keys. They can also be revoked, and they can expire. I
    > Chuck> don't believe ssh is set up for any of this.
    >
    > Chuck> Chuck
    >
    > The Tectia Unix ssh client (ssh.com) can use GPG-format keys for user
    > authentication, on both the client and server sides.
    >


    How do they handle revoked and expired keys? Does the server look for a
    keyserver?

  7. Re: Using GnuPG Keys with PuTTY

    Simon,

    We have users that have been using pgp/GnuPG for some time with their
    e-mail. We are moving them to a 'common' platform (PC) and are
    implementing the SSH client using PuTTY (Thank you). They don't want to
    have to manage multiple keys and have read that SSH2 will work with pgp
    keys by adding 'PgpKeyName pgpkeyfilename' to their
    ~.ssh/authorized_keys file.

    They really like the way Pageant works.

    I would have them generate new keys with puttygen if they could export
    the key to use with GnuPG.

    SSH2 ver 2.0.13 is the version that introduced support for PGP
    authentication.

    Russ...

    Simon Tatham wrote:
    > Wences wrote:
    > > Have you tried puttygen.exe, available from the PuTTY download page?
    >
    > That won't help: PuTTYgen will cheerfully import keys from OpenSSH
    > and ssh.com, but doesn't know how to import from GnuPG.
    >
    > Primarily this is because it has never occurred to us that anyone
    > would want to. The point of importing a private key from another
    > program is because it enables you to authenticate to servers which
    > _already_ trust the corresponding public key; if you instead
    > generated a fresh key then you'd have to reconfigure the server,
    > which might be more inconvenient (for example, if there are ten such
    > servers configured independently). So importing keys from other SSH
    > clients makes obvious practical sense because SSH servers will often
    > already be set up to trust those keys; but I've never heard of an
    > SSH server trusting a GnuPG public key, so I can't see any practical
    > reason why importing a GnuPG private key into PuTTY would be
    > preferable to just generating a fresh key.
    >
    > Perhaps the original poster might shed some light on _why_ his users
    > want to import GnuPG keys into PuTTY?
    > --
    > Simon Tatham "The distinction between the enlightened and the
    > terminally confused is only apparent to the latter."



  8. Re: Using GnuPG Keys with PuTTY

    Richard E. Silverman writes:
    >The Tectia Unix ssh client (ssh.com) can use GPG-format keys for user
    >authentication, on both the client and server sides.


    Is there any specification of how precisely this works on the wire?
    Does it use the "pgp-sign-rsa" and "pgp-sign-dss" names assigned in
    RFC4253?
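
The public half of the conversion asked about in this thread, as an added example that is not from any poster or from PuTTY: it reads n and e from the body of an OpenPGP v4 RSA public-key packet (RFC 4880) and re-encodes them as an `ssh-rsa` public key line (RFC 4253). The function names and the sample packet are constructed for illustration, the toy modulus is not a usable key, and nothing about the PGP key's signatures, expiry or revocation is carried into the SSH line.

```python
import base64
import struct

def read_mpi(buf, off):
    """OpenPGP MPI (RFC 4880 3.2): 2-byte bit count, then the magnitude."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return int.from_bytes(buf[off + 2:end], "big"), end

def parse_pgp_rsa_public(body):
    """Return (n, e) from the body of a v4 public-key packet (RFC 4880 5.5.2)."""
    if len(body) < 6:
        raise ValueError("packet too short")
    version, _created, algo = struct.unpack_from(">BIB", body, 0)
    if version != 4 or algo not in (1, 3):  # 1 = RSA, 3 = RSA sign-only
        raise ValueError("not a v4 RSA signing-capable key")
    n, off = read_mpi(body, 6)
    e, _ = read_mpi(body, off)
    return n, e

def ssh_string(data):
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(x):
    """SSH mpint (RFC 4251 5) is signed: a set top bit needs a leading 0x00,
    which the unsigned OpenPGP MPI never carries."""
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big")) if x else ssh_string(b"")

def ssh_rsa_line(n, e, comment):
    """Build an OpenSSH-style public key line; note e comes before n here."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _mpi(x):  # helper used only to construct the sample packet
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

# Constructed sample: a toy 64-bit "modulus", not a real or usable key.
SAMPLE_N, SAMPLE_E = 0xD1B71758E219652B, 65537
SAMPLE_BODY = bytes([4]) + struct.pack(">I", 0) + bytes([1]) + _mpi(SAMPLE_N) + _mpi(SAMPLE_E)

if __name__ == "__main__":
    n, e = parse_pgp_rsa_public(SAMPLE_BODY)
    print(ssh_rsa_line(n, e, "constructed-example"))
```

The two formats hold the same integers; only the framing, the field order and the sign padding differ.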
