平衡点
2023/11/29
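--export-ssh-key when GPG has multiple authentication keys
I added an ed25519 key for a certain site, but
simply running --export-ssh-key
only printed the SSH public key of the newly added key, which left me stuck.
Digging into the man page, sure enough,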
--export-ssh-key This command is used to export a key in the OpenSSH public key format. It requires the specification of one key by the usual means and exports the latest valid subkey which has an authentication capability to STDOUT or to the file given with option --output. That output can directly be added to ssh's `authorized_key' file. By specifying the key to export using a key ID or a fingerprint suffixed with an exclamation mark (!), a specific subkey or the primary key can be exported. This does not even require that the key has the authentication capability flag set.
is written there.
So, for example, given

  % gpg --list-keys 0x9394F354891D7E07
  pub rsa4096/0x9394F354891D7E07 2009-09-03 [SC]
      Key fingerprint = 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
  uid [ultimate] Youhei SASAKI <uwabami@gfd-dennou.org>
  uid [ultimate] Youhei SASAKI (JunkHub) <uwabami@junkhub.org>
  uid [ultimate] Youhei SASAKI (Debian JP Project) <uwabami@debian.or.jp>
  sub rsa4096/0xB41AF9579DBFD29F 2009-09-03 [E]
  sub rsa4096/0xBC8C7730B7DB0213 2016-12-12 [A]
  sub ed25519/0xC317F1D44E1D42F5 2023-11-29 [A]

you can run

  % gpg --export-ssh-key 0xBC8C7730B7DB0213!
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMXEKNZcb/ ...

or

  % gpg --export-ssh-key 0xC317F1D44E1D42F5!
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsCFjPi+CvZzW...

that is, specifying the fingerprint of the key you want to export, followed by !, does the job.
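
As an added example (not part of the original post), the same idea generalized: pick every usable authentication-capable key out of gpg's machine-readable listing and export each one with the trailing !. The function names are hypothetical, and the sample listing is constructed: the key IDs come from the listing above, while the timestamps and the revoked AAAAAAAAAAAAAAAA subkey are made up to exercise the filter.

```shell
#!/bin/sh
# Added example: enumerate all [A] keys and export each in OpenSSH format.

# Read `gpg --list-keys --with-colons` output on stdin and print "0x<keyid>"
# for every pub/sub record that
#   - has the authentication capability: lowercase "a" in field 12
#     (uppercase letters on a pub record describe the key as a whole), and
#   - is not revoked (r), expired (e) or invalid (i) according to field 2.
auth_keyids() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") && $12 ~ /a/ && $2 !~ /^[rei]$/ {
            print "0x" $5
        }'
}

# Export every authentication key of the key given as $1,
# one OpenSSH public key line per (sub)key. Requires gpg and the key
# in the local keyring.
export_auth_keys() {
    gpg --list-keys --with-colons "$1" | auth_keyids | while read -r id; do
        gpg --export-ssh-key "${id}!"
    done
}

# Constructed colon-format listing used to check the filter offline.
sample_colons() {
    cat <<'EOF'
pub:u:4096:1:9394F354891D7E07:1251936000:::u:::scESCA:
sub:u:4096:1:B41AF9579DBFD29F:1251936000::::::e:
sub:u:4096:1:BC8C7730B7DB0213:1481500800::::::a:
sub:u:255:22:C317F1D44E1D42F5:1701216000::::::a:
sub:r:4096:1:AAAAAAAAAAAAAAAA:1481500800::::::a:
EOF
}
```

Running `export_auth_keys 0x9394F354891D7E07` against a real keyring prints one line per authentication subkey, so both the RSA and the ed25519 key end up in the output instead of only the latest one.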