Convert RSA openSSH key/putty key to gpg key

  • Convert RSA openSSH key/putty key to gpg key FRob


    Two work sites, site 1 and site 2. Two Linux servers, server A and server B. Server A is reachable from both sites, while server B is reachable from site 1 only. Two Windows workstations, one at site 1, the other at site 2.

    I'm on Windows at site 1, using PuTTY to connect to server A that's set to ssh publickey authentication only.

    I use gpg-agent with the enable-putty-support setting activated instead of pageant to use a smartcard for git authentication at $popular_git_site.

    Most of the time at site 1, I need to remotely connect to server B using NoMachine's NX Client v3.5.x. From there, I need to be able to ssh into server A using publickey authentication as well. Since server B is running NX Server v3.5.x, agent-forwarding does not work using NX Client. Thus, with the smartcard unavailable, I have to make sure I have a private key available on server B.

    Therefore, I created a password-protected RSA ssh key pair on server B using

     ssh-keygen -t rsa

    The password is verylongandcomplicatedpassword. Thus, I don't want to type it a lot.

    I appended the public key .ssh/ to .ssh/authorized_keys on server A as well as on server B. Using ssh from server B to server A works now. Vice-versa also works now.


    On Windows at site 1 I have a PuTTY connection set-up to server B using agent-forwarding for my smartcard in order to be able to use git on server B and authenticate with my smartcard.

    I want the same thing for server A, because server B is unreachable from site 2, where I also work sometimes. gpg-agent is started as a Startup item using gpg-connect-agent /bye and is running on Windows.

    Thus, I scp'd the private key .ssh/id_rsa from server B onto my Windows machine. I successfully opened it with PuTTYgen and saved it in PuTTY format to C:\Users\name\ssh\id_rsa.ppk.

    I created a new PuTTY connection to server A, connection type SSH.

    Connection --> SSH --> Auth -->
        [Check]   Attempt Authentication using Pageant
        [Uncheck] Attempt "keyboard-interactive" auth
        [Check]   Allow agent forwarding
        Private Key File for Authentication: C:\Users\name\ssh\id_rsa.ppk

    This sort of works. However, PuTTY itself -- not gpg-agent -- prompts me for the password verylongandcomplicatedpassword -- every time! Agent forwarding also doesn't work insofar as I'm unable to go from server A to server B without retyping my password after successful login from PuTTY.

    I think PuTTY is unable to add the key to gpg-agent or communicate with it properly despite enable-putty-support being activated in the gpg-agent configuration and gpg-agent working like a champ for git and agent-forwarding working for git on server B at site 1.

    What I tried

    Thinking I'm extremely clever, I began to look into how to convert my .ssh/id_rsa to a format I can use in gpg2 for gpg-agent. This Google search yielded mostly bullshit results.

    The best of which -- because it actually sort of mentions a way to convert the key -- is over here.

    OpenSSH to GnuPG S/MIME

    First we need to create a certificate (self-signed) for our ssh key:

    openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem

    We can now import it in GnuPG

    openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
    gpgsm --import ssh-key.p12

    Notice you cannot import/export DSA ssh keys to/from GnuPG

    Said and done. Notice obvious typo in second command (ssh-certs.pem vs ssh-cert.pem). I did all openssl commands on server B, then copied the ssh-key.p12 file over to Windows and imported it into gpg. I can see the key as X.509 in Kleopatra, a graphical frontend for gpg on Windows.

    However, despite this, nothing changed and nothing seems to be working. I tried with the original PuTTY settings above. The behavior is unchanged.

    Leaving the Private Key File for Authentication field empty, I get the usual message:

    PuTTY Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)

    I'm ignorant as to why this isn't working. Is GnuPG S/MIME or X.509 not what I need? I tried converting the .ssh/ as well, thinking it might be a public key issue, but openssl complains that it only wants to convert private keys.

    What I don't need

    Answers suggesting

    • I'm stupid for wanting this
    • nobody would never ever need to want to do this
    • if I don't like how ssh/gpg/PuTTY works, I can code my own
    • man gpg, man ssh, man ssh_config
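
The quoted OpenSSH-to-PKCS#12 steps above, as an added example that is not part of the original post or of the page it quotes: it uses one certificate file name throughout, runs non-interactively against a throwaway key, and checks that the certificate and the bundle really contain that key. The function names, the `/CN=ssh-key-demo` subject and the demo passphrase are assumptions, and the key is assumed to be an unencrypted PEM-format RSA key.

```shell
#!/bin/sh
# Added example (not from the post): the quoted conversion with consistent
# file names, run on a throwaway key so nothing under ~/.ssh is touched.
# convert_key, key_matches_cert, p12_opens and demo are hypothetical names.

convert_key() {
    # $1 = PEM-format RSA private key, $2 = output directory
    key=$1; out=$2
    umask 077    # certificate and .p12 readable by the owner only
    # Self-signed certificate wrapping the key's public half; -subj avoids prompts.
    openssl req -new -x509 -key "$key" -subj "/CN=ssh-key-demo" \
        -days 365 -out "$out/ssh-cert.pem" || return 1
    # Same file name as above (the quoted text wrote ssh-certs.pem here).
    openssl pkcs12 -export -in "$out/ssh-cert.pem" -inkey "$key" \
        -passout "pass:$P12_PASS" -out "$out/ssh-key.p12" || return 1
}

# Succeeds only if the certificate carries the same RSA modulus as the key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus) || return 1
    [ "$k" = "$c" ]
}

# Succeeds only if the bundle opens with the passphrase and holds a private key.
p12_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

demo() {
    dir=$(mktemp -d) || return 1
    P12_PASS='constructed-demo-passphrase'    # constructed value
    # Constructed stand-in for ~/.ssh/id_rsa
    openssl genrsa -out "$dir/id_rsa" 2048 2>/dev/null || return 1
    convert_key "$dir/id_rsa" "$dir" &&
        key_matches_cert "$dir/id_rsa" "$dir/ssh-cert.pem" &&
        p12_opens "$dir/ssh-key.p12" "$P12_PASS"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "conversion verified"
```

The resulting `ssh-key.p12` is the file the quoted `gpgsm --import` step consumes.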
