Export different ssh-keys from gpg subkeys - ssh

I have a GPG master-key for certificating and a bunch of subkeys for encrypting, signing, auth. Is it possible to export different ssh public keys from each auth subkey I have?
E.g. I want to use the pass (passwordstore.org) and I've created a gpg key, 1 E subkey for encryption 3 A keys for auth on github for different pass clients. But when I export --export-ssh-keys with different KeyID (for each A subkey), I get the same public key every time.
Do I miss the concept of subkeys and it's not possible to have different auth subkeys belonging to one master key (i.e. I should made 1 gpg keypair for encrypting, and 3 keypairs for auth, all their own master key and own passphrase)?
My goal was to have one set of keys, with one passphrase, which contains everything down to my pass storage, i.e. 1 key for encrypting passwords (because it must be the same on each client) and auth keys for all clients to perform sync.

I found the solution, after more research than this would deserve!
You can list your subkeys with fingerprints using gpg -k --with-subkey-fingerprint, and get the fingerprint of the key you want to export. Then it is as simple as adding an ! at the end of the fingerprint:
gpg --export "fingerprint"!
where "fingerprint" is for your specific subkey.

Related

How to move my current using ssh key into Yubikey?

I'm using Yubikey 5 NFC and want to move my openssh key into it so that I can authenticate for ssh login via this Yubikey.
Maybe you will suggest to generate a new gpg keypair for Yubikey and use the gpg-agent instead of ssh-agent to authenticate. But I still want to move my current ssh private key into Yubikey because this way I don't have to edit authorized_keys everywhere.
I tried to do this following this article:
https://www.mvps.net/docs/how-to-add-your-existing-ssh-key-to-yubikey-via-openpgp/
which suggest to use pem2openpgp from monkeysphere to translate my ssh key into gpg key and somehow write this translated gpg key into Yubikey (via keytocard command of gpg).
But after all these done. I find that the fingerprint of my ssh key is changed, this is confirmed by following command:
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
$ ssh-add -l
And the fact that the fingerprint changed makes using my current ssh key meaningless -- I still need to edit authorized_keys everywhere to make the "new public key" work.
So is there any other way which can write my old ssh key into Yubikey and keep the old key's fingerprint?

How to extract 4096 ssh key format from existing 2048 ssh key in window 10

How to extract or get the 4096 ssh key format from existing 2048 ssh key in window 10.
As i am want to use one web development tools, it requires only 4096 ssh key format, if i have generated new ssh key then old environments and tools won't work so i don't want to break current system workflow.
Is there any way to generate new 4096 ssh key without overwrite the existing ssh key?
or
Can we maintain multiple ssh key in our system?
Please help us.
I found the answers. We can maintain multiple ssh keys in our system.
While generating the ssh key, we have to give unique key name which shouldn't be old key name. We can maintain separate folder for new ssh keys.
PS : Please take backup of existing ssh keys available in ".ssh/" folder before generate new keys.
This command is used to generate ssh key : ssh-keygen -b 4096

Definition of SSH identity

I'm reading through https://linux.die.net/man/5/ssh_config , trying to get a better understanding of the ssh process and options. with reference to the
IdentitiesOnly eg(`IdentitiesOnly=yes` )
is the 'Identity' referring to a public-private key pair and excluding password based ssh authentication? what is being excluded by 'Only'?
is the 'Identity' referring to a public-private key pair and exclusing password based ssh authentication?
It is clearly explained in the manual pages. It means that only the private keys listed in the configuration file (option to list PK is called IdentityFile). It does not modify the behaviour for the password authentication, as you can simply verify:
$ ssh -o IdentitiesOnly=yes localhost
jakuje#localhost's password:
what is being excluded by 'Only'?
It is just the reference to already mentioned IdentityFile and saying that it should not use any other keys then the ones specified using the above options. What is excluded are the other keys provided by ssh-agent.

Cannot find id_rsa.pub in the unix server. Can I regenerate it? Id_sra (private key) exists

What I want to do is to copy key to another host.
ssh-copy-id -i ~/.ssh/id_rsa user#host
I get error:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '[homedir].ssh/id_rsa.pub':
So there is no public key. So where is it? I tried to use command
sudo find / -name id_rsa.pub
but it only found one which I generated experimentally in my test directory. I tried sending the experimental from the test directory, but then it keeps infinitely asking paraphrase and does not send when I keep pasting.
So there is something wrong.
I could regenerate using
ssh-keygen -t rsa
but then it tries to use ~./.ssh directory
and wants to overwrite private id_rsa key. I am afraid this might brake something.
So how do I get my public key file?
Just in case someone else comes here looking for an answer to the OP's question... and to directly answer that question (namely, how can you re-generate the .pub key in a situation where it is missing, and you only have the private key)...
Here is the answer:
Regenerating a .pub key from the private key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
The -y option is the command instructing ssh-keygen to output your public key.
This will re-generate the .pub part of the pair. Just as the OP pointed out, if you simply generate a new pair, and replace the old private key, you will lose access to whatever servers you have already provided your public key to. Sure, you can go through the process of providing a new public key to those servers, but why go through that hassle if it can be easily avoided?
RSA keys work on pairs. You can generate ssh private and public keys any number of times..it does not break anything. It simply replaces the old one with a newly generated keys. This only requires you to copy the newly generated public key id_rsa.pub to your remote machine's ~/.ssh/authorized_keys file in order for you to access secure shell using rsa keys.
So generate new rsa keys on your home's .ssh directory (your old keys are replaced by new ones) and copy to the remote host's .ssh directory
cd /home/<your_username>/.ssh
ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub remote_username#host:~/.ssh/authorized_keys
then
ssh remote_username#host
Keep passphrase empty while generating your new keys unless you want to enter passphrase every time you try to make a ssh connection.
NOTE: you need to append your public key to authorized_keys file in remote host's ~/.ssh directory if it already exists holding other client's public keys.

What is the difference between ssh-add and ssh-agent?

I'm following the ssh github tutorial, and I'm confused about the difference between ssh-add and ssh-agent. The tutorial seems to imply that I will need to enter a password every time I want to use my ssh key, and to stop that, I need to give the key somehow to the ssh agent. However, I am not prompted to enter a password until I run the command ssh-add, and according to the man page
ssh-add adds RSA or DSA identities to the authentication agent, ssh-agent(1).
If the point of an agent is to not have to use a password, why is the agent asking me to create a password?
Here's the code I'm running and my understanding of ssh-add:
ssh-keygen -t rsa -C "your_email#example.com"
# Creates a new ssh key, using the provided email as a label
# Generating public/private rsa key pair. Public key is like a padlock, private key is like a padlock key.
# Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
#This is like taking the padlock and they key together and sticking them in a box.
#-------------------------------
ssh-add id_rsa
#ssh-add is like sticking your key in a safe. Instead of putting your keys on a hook in your house, where anyone can pick it up, you put your key in a safe protected by a password.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
#The safe now has a password.
What is the relationship between ssh-add and ssh-agent? Am I right in assuming the following:
that doing an SSH keygen without an add is sort of like leaving your keys out in your apartment, where anyone you let into your apartment can pick them up, make a copy, and get to all of your stuff?
Doing an SSH keygen with an add is like sticking your keys in a safe with a combination, so that even if you let somebody into your apartment, they still can't get to all of your keys?
That ssh-add is an action taken by a program called ssh-agent?
Assume that you have several Linux machines to manage and you setup ssh login by creating a public private key pair issuing ssh-keygen -t rsa. Assume that you didnt set a passphrase while creating your keys. Now you will copy your public key to all the machines where you want to login by issuing ssh-copy-id -i ~/.ssh/id_rsa.pub user#somehost. Now, with your keys, you will be able to login to all the machines where you copied your keys.
Since you didnt create a passphrase, anyone who gets your private key can login to all the machines where your public key is added. Assume you let your machine to be used by some of your friends and one of him is evil-minded. To prevent this, you set a passphrase to your private key. So whenever you login using your key, you will be prompted for the passphrase and so only you(who knows the passphrase) can login.
But it becomes cumbersome to type the passphrase whenever you login to other machines. So you can give your passphrase to ssh-agent once and it will use it whenever required. You use ssh-add to give your keys to ssh-agent. You can always check what all keys your ssh-agent is managing by issuing ssh-add -l.