Stephan, thanks for helping out! I think I can improve a bit on one part of it, though.
On 24/11/16 17:51, Stephan Beck wrote:
> A2) Export the secret subkey you'd like to use for ssh authentication
> purposes and pipe it through openpgp2ssh
>
> gpg2 --export-secret-subkeys \
>   --export-options export-reset-subkey-passwd [keyID!] | \
>   openpgp2ssh [keyID] > gpg-auth-keyfile
>
> A3) Set correct permissions
>
> chmod 0600 gpg-auth-keyfile

This leaves open a window where the file with your private key might be
world-readable. The thing I usually do is this:

$ mkdir safe
$ chmod 700 safe
$ cd safe
$ [... do your stuff ...]
$ cd ..
$ rm -rf safe

The directory permissions prevent anyone from getting a handle for your
file. Even if the file is world-readable, nobody can get towards the file.
This is not true if you are on an NFS share, though!

The thing I would expect to actually be in the textbooks is a variation of:

$ OLD_UMASK=$(umask)
$ umask 0077
$ [... do your stuff ...]
$ umask $OLD_UMASK

The umask 0077 will create any new files with all access rights cleared for
group and world. This is your A2 and A3 folded into one, safely, without a
gap.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
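The two approaches from the mail above side by side, as an added example that is not part of the original thread: a file written under the default umask is group/world-readable until chmod runs, while one written under umask 0077 (inside a 0700 scratch directory, which is what mktemp -d gives you) is private from the moment it exists. The gpg2 export pipeline is replaced by constructed placeholder content; the function names are this example's own.

```sh
#!/bin/sh
# Write stdin to "$1" with umask 0077 so the file is never created with
# group/world bits, then restore the caller's umask (Peter's OLD_UMASK trick).
write_private_file() {
    old_umask=$(umask)
    umask 0077
    cat > "$1"           # created 0600 regardless of the surrounding umask
    rc=$?
    umask "$old_umask"
    return $rc
}

# Octal permission bits of a file; works with GNU stat and BSD/macOS stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 only if no group or world permission bits are set.
is_private() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Compare a racy "create, then chmod" file with a umask-protected one.
# mktemp -d creates a 0700 directory, equivalent to the "safe" directory above.
demo() {
    dir=$(mktemp -d)
    umask 022                                   # typical default umask
    printf 'constructed key material\n' > "$dir/racy"   # 644 until chmod
    racy=$(file_mode "$dir/racy")
    printf 'constructed key material\n' | write_private_file "$dir/safe"
    safe=$(file_mode "$dir/safe")
    rm -rf "$dir"
    echo "$racy $safe"
}

demo   # prints "644 600"
```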
