agent-transfer - copy a secret key from gpg-agent to ssh-agent
agent-transfer [options] KEYGRIP [COMMENT]
agent-transfer extracts a secret key from a modern version of GnuPG agent and sends it to the running SSH agent. This is useful for people whose keys are managed in the long term by GnuPG’s gpg-agent, but who prefer the semantics of OpenSSH’s ssh-agent for regular use.
agent-transfer was written as part of the monkeysphere project.
The KEYGRIP should be specified as a sequence of 20 hexadecimal characters. If you aren’t sure of the keygrip, you can inspect the output of:
gpg --with-keygrip --list-secret-keys
The COMMENT is optional, and will be stored alongside the key in ssh-agent. It must not start with a -, to avoid being mistaken for an option.
agent-transfer also accepts options that would normally be passed to ssh-add(1) to constrain the use of the transferred key:
Indicates that added identities should be subject to confirmation before being used for authentication.
Indicates that the key should have a lifetime of SECONDS in the running ssh-agent.
The socket where gpg-agent is listening. This is the "standard socket" for modern GnuPG.
The GnuPG home directory, where the standard socket for gpg-agent lives. If this is not set, it is assumed to be ~/.gnupg.
Specifies the location where the running ssh-agent is present.
Several other environment variables are also passed in some form to the gpg-agent to help it figure out how to run a sensible pinentry, including GPG_TTY, TERM, DISPLAY, XAUTHORITY, GTK_IM_MODULE, DBUS_SESSION_BUS_ADDRESS, and LANG.
agent-transfer can only work with RSA and Ed25519 keys. Support for other key types is not yet implemented. Patches welcome!
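The following is an added example, not part of agent-transfer or the monkeysphere project: a shell function that reads the machine-readable form of the keygrip listing mentioned above (gpg's --with-colons output) and prints only the keygrips of RSA and Ed25519 secret keys, the two types agent-transfer supports. The function names and the sample listing are constructed for illustration, and the -t and -c letters in the usage comment are assumed to match ssh-add(1).

```shell
#!/bin/sh
# Added example: list the keygrips that agent-transfer can handle.
# Reads `gpg --with-colons --with-keygrip --list-secret-keys` on stdin and
# prints "KEYGRIP TYPE CAPABILITIES" for each RSA or Ed25519 secret (sub)key.
transferable_keygrips() {
    awk -F: '
        # sec/ssb records: field 4 = public-key algorithm, 12 = capabilities,
        # 17 = curve name. Algorithm 1 is RSA; 22 is EdDSA (curve ed25519).
        $1 == "sec" || $1 == "ssb" {
            kind = ""
            if ($4 == 1) kind = "rsa"
            else if ($4 == 22 && $17 == "ed25519") kind = "ed25519"
            caps = $12
            pending = 1
            next
        }
        # The grp record following a key record holds its keygrip in field 10.
        $1 == "grp" && pending {
            if (kind != "") print $10, kind, caps
            pending = 0
        }
    '
}

# Constructed sample listing; every key ID, fingerprint and keygrip is made up.
sample_listing() {
    cat <<'EOF'
sec:u:255:22:1111111111111111:1700000000:::u:::scESC:::+::ed25519:::0:
fpr:::::::::0000000000000000000000001111111111111111:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
ssb:u:255:18:2222222222222222:1700000000::::::e:::+::cv25519::
fpr:::::::::0000000000000000000000002222222222222222:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
ssb:u:3072:1:3333333333333333:1700000000::::::a:::+:::23:
fpr:::::::::0000000000000000000000003333333333333333:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}

# With a real keyring (the -t and -c letters are assumed from ssh-add(1);
# confirm them against agent-transfer's own help before relying on them):
#   gpg --with-colons --with-keygrip --list-secret-keys | transferable_keygrips
#   agent-transfer -t 3600 -c KEYGRIP 'laptop key, one hour, confirm each use'
sample_listing | transferable_keygrips
```

The capabilities column helps pick the right key: an "a" marks an authentication-capable key, and the cv25519 encryption subkey in the sample is skipped because it is neither RSA nor Ed25519.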
Written by: Daniel Kahn Gillmor
monkeysphere(7), ssh(1), ssh-add(1), ssh-agent(1), gpg(1), gpg-agent(1)