PGP Authentication in Tectia

Pretty Good Privacy (PGP) is another security product employing public-key authentication. [1.6.2] PGP keys and SSH keys are implemented differently and aren't interchangeable; however, Tectia can perform authentication by PGP key, following the OpenPGP standard.[101] Yes, you can use your favorite PGP key to prove your identity to a Tectia server (as long as the key file is OpenPGP-compatible; some PGP keys, especially those produced by older software versions, aren't). At press time, this feature is only sketchily documented. Here's how to make it work.

First, you need Tectia installed on both the client and server machines. Also, both implementations must be compiled with PGP support included, using the compile-time flag --with-pgp. [4.3.5.7]

On the client machine, you need to make your PGP secret key ring and the desired secret key for authentication available to Tectia clients. Here's how:

  1. Copy your PGP secret key ring to your account's Tectia directory, ~/.ssh2. Suppose it is called secring.pgp.

  2. In an identification file, either ~/.ssh2/identification or another of your choice, indicate the secret key ring with the keyword PgpSecretKeyFile:

        # Tectia
        PgpSecretKeyFile secring.pgp
  3. Identify the PGP key you wish to use for authentication. This may be done with any ONE of three keywords: IdPgpKeyName (by key name), IdPgpKeyFingerprint (by fingerprint), or IdPgpKeyId (by key ID). These are the "Id"-prefixed counterparts of the PgpKeyName, PgpKeyFingerprint, and PgpKeyId keywords used in the server's authorization file (see below).

For IdPgpKeyId, the leading 0x is necessary, indicating that the value is in hexadecimal. You can give the value in decimal instead, without the leading 0x, but since PGP displays the value in hex already, it's unlikely you'd want to do this.

On the server machine, you need to make your PGP public-key ring and the desired public key for authentication available to the Tectia server:

  1. Copy your public-key ring from the client machine to the server machine. (Note that this is a key ring, not a lone public key.) Place the ring into your ~/.ssh2 directory on the server. Suppose it is called pubring.pgp.

  2. In your authorization file, ~/.ssh2/authorization, identify the public-key ring with the keyword PgpPublicKeyFile:

        # Tectia
        PgpPublicKeyFile pubring.pgp
  3. Identify the public key by name, fingerprint, or key ID, as in the client's identification file. The relevant keywords are slightly different: PgpKeyName, PgpKeyFingerprint, and PgpKeyId, respectively. (The keywords for the identification file begin with "Id".)

        # Tectia: use any ONE of these
        PgpKeyName mykey
        PgpKeyFingerprint 48 B5 EA 28 80 5E 29 4D 03 33 7D 17 5E 2E CD 20
        PgpKeyId 0xD914738D

You are done! From the client, initiate a Tectia SSH session. Suppose you create an alternative identification file to use PGP authentication, called ~/.ssh2/idpgp, containing your PgpSecretKeyFile and other lines. Use the -i flag to indicate this file, and initiate a connection:

    # Tectia
    $ ssh -i idpgp server.example.com

If everything is set up properly, you are prompted for your PGP passphrase:

    Passphrase for pgp key "mykey":

Enter your PGP passphrase, and authentication should succeed.
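Most failures in this setup come from the two configuration files rather than from PGP itself: a key ring keyword missing, more than one key selector, a client keyword pasted into the server's authorization file, or a hex key ID written without the leading 0x and therefore read as decimal. The following Python linter, an added example that is not part of the original text and not Tectia code, checks both files for exactly those conditions before you run ssh. The keyword names and the "0x means hexadecimal" rule come from the text; the function names, the constructed sample files, and the assumption that a fingerprint is written as PGP prints it (16 or 20 space-separated hex octets) are this example's own.

```python
import re

# Keyword sets for each file, as described in the text. "identification" is the
# client's ~/.ssh2/identification (or an alternative file given with -i);
# "authorization" is the server's ~/.ssh2/authorization.
ROLES = {
    "identification": {
        "keyring": "PgpSecretKeyFile",
        "selectors": ("IdPgpKeyName", "IdPgpKeyFingerprint", "IdPgpKeyId"),
    },
    "authorization": {
        "keyring": "PgpPublicKeyFile",
        "selectors": ("PgpKeyName", "PgpKeyFingerprint", "PgpKeyId"),
    },
}

# Assumption: fingerprint given as PGP prints it, 16 (MD5, v3 keys) or
# 20 (SHA-1, v4 keys) space-separated hex octets.
FINGERPRINT_RE = re.compile(
    r"(?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{2}\s+){19}[0-9A-Fa-f]{2}"
)


def parse_tectia_file(text):
    """Split a keyword/value file into (lineno, keyword, value) tuples,
    skipping blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((lineno, parts[0], parts[1].strip() if len(parts) == 2 else ""))
    return entries


def check_key_id(value):
    """Problems with a PgpKeyId/IdPgpKeyId value. Only a leading 0x makes the
    value hexadecimal; anything else is read as decimal."""
    if not value:
        return ["key ID is empty"]
    if value[:2].lower() == "0x":
        return [] if re.fullmatch(r"[0-9A-Fa-f]+", value[2:]) else [
            "key ID %r is not hexadecimal after 0x" % value]
    if value.isdigit():
        return ["key ID %r has no 0x prefix and will be read as DECIMAL; "
                "PGP displays key IDs in hex, so this is probably wrong" % value]
    if re.fullmatch(r"[0-9A-Fa-f]+", value):
        return ["key ID %r looks hexadecimal but lacks the 0x prefix" % value]
    return ["key ID %r is neither 0x-hex nor decimal" % value]


def check_pgp_file(text, role):
    """Return a list of problems for a file of the given role
    ('identification' or 'authorization'); an empty list means OK."""
    spec = ROLES[role]
    other_role = "authorization" if role == "identification" else "identification"
    other = ROLES[other_role]
    problems, selectors, keyring_seen = [], [], False
    for lineno, keyword, value in parse_tectia_file(text):
        if keyword == spec["keyring"]:
            keyring_seen = True
            if not value:
                problems.append("line %d: %s needs a file name" % (lineno, keyword))
        elif keyword in spec["selectors"]:
            selectors.append((lineno, keyword, value))
        elif keyword == other["keyring"] or keyword in other["selectors"]:
            problems.append("line %d: %s belongs in the %s file, not the %s file"
                            % (lineno, keyword, other_role, role))
        # Any other keyword (Key, IdKey, ...) is left to Tectia itself.
    if not keyring_seen:
        problems.append("missing %s" % spec["keyring"])
    if len(selectors) != 1:
        problems.append("expected exactly ONE of %s, found %d"
                        % (", ".join(spec["selectors"]), len(selectors)))
    for lineno, keyword, value in selectors:
        if keyword.endswith("KeyId"):
            problems += ["line %d: %s" % (lineno, p) for p in check_key_id(value)]
        elif keyword.endswith("KeyFingerprint") and not FINGERPRINT_RE.fullmatch(value):
            problems.append("line %d: fingerprint should be 16 or 20 "
                            "space-separated hex octets" % lineno)
        elif keyword.endswith("KeyName") and not value:
            problems.append("line %d: %s needs a key name" % (lineno, keyword))
    return problems


# Constructed sample files; the values mirror the text's examples.
CLIENT_OK = "# ~/.ssh2/idpgp\nPgpSecretKeyFile secring.pgp\nIdPgpKeyId 0xD914738D\n"
SERVER_OK = ("# ~/.ssh2/authorization\nPgpPublicKeyFile pubring.pgp\n"
             "PgpKeyFingerprint 48 B5 EA 28 80 5E 29 4D 03 33 7D 17 5E 2E CD 20\n")
# Hex ID without 0x, plus a second selector in the same file.
CLIENT_BAD = "PgpSecretKeyFile secring.pgp\nIdPgpKeyId D914738D\nIdPgpKeyName mykey\n"

if __name__ == "__main__":
    for name, text, role in (("client", CLIENT_OK, "identification"),
                             ("server", SERVER_OK, "authorization"),
                             ("bad client", CLIENT_BAD, "identification")):
        problems = check_pgp_file(text, role)
        print("%s: %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run it against your real files with, for example, `check_pgp_file(open("idpgp").read(), "identification")`; an empty list means the file contains what the text requires, and anything else is a message pointing at the offending line.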

[101] According to SSH Communications Security, PGP authentication in Tectia is not officially supported, nor is any other feature that is enabled by recompiling the source code.