MonkeySphere can't deal with passphrase-locked primary keys
At the moment, the only tool we have to export passphrase-locked secret keys from the GPG keyring is gpg itself (and gpg2, which has roughly the same behavior).
As a result, we have the seckey2sshagent hack, which is unfriendly and awkward to use.
Ideally, openpgp2ssh would be able to convert passphrase-locked secret keys into clean subkeys. However, I've tried to do this via GnuTLS, and that library is not ready for this.
OpenCDK, which is the component of GnuTLS which reads OpenPGP-style keys, cannot cope with encrypted secret key material. While I have had some success in getting GnuTLS's OpenCDK to accept the existence of encrypted secret key packets, I learned that OpenCDK as included in GnuTLS is incapable of dealing with the encrypted packets themselves.
Some possible resolutions:
If we can assume that the passphrase-encrypted key we want to use is actually a subkey, and if we could fix GnuTLS to ignore the use of the "gnu-dummy S2K" produced by gpg --export-secret-subkeys for the primary key, then something like the following script should actually work for reasonable values of $KEYID:
```sh
TMPDIR=$(mktemp -d)
umask 077
mkfifo "$TMPDIR/passphrase"
kname="MonkeySphere Key $KEYID"
mkfifo "$TMPDIR/$kname"
# Prompt for the passphrase and hand it to gpg over a FIFO, never through a file.
ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
# Export only the selected subkey ("!" suffix) with its passphrase stripped, convert it
# with openpgp2ssh, and write the ssh key to a second FIFO that ssh-add reads.
gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \
    --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
    --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" &
(cd "$TMPDIR" && ssh-add -c "$kname")
rm -rf "$TMPDIR"
```
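To see what OpenCDK (or openpgp2ssh) is actually handed, it helps to look at the protection state of each secret key packet in the export. The following script is an added example, not MonkeySphere or openpgp2ssh code and not from the original ticket: it walks the packet stream that gpg --export-secret-subkeys writes and reports, for every Secret-Key or Secret-Subkey packet, whether the secret material is unprotected, passphrase-protected (and with which S2K mode and cipher), a gnu-dummy stub with no secret material at all, or diverted to a smartcard. The packet layout follows RFC 4880 (old-format headers, version 4 key packets, the string-to-key usage octet) and GnuPG's private S2K type 101 "GNU" extension; it assumes old-format headers and RSA, DSA or Elgamal v4 keys, which is what gpg emits for such exports. The sample export at the bottom is constructed by hand with toy MPIs so the script runs offline; only the framing is meaningful.

```python
"""Report how each secret (sub)key packet in an OpenPGP key export is protected.

Constructed example, not MonkeySphere or openpgp2ssh code.  Packet layout per
RFC 4880 (sec. 4.2 old-format headers, 5.5.2/5.5.3 key packets) plus GnuPG's
private S2K type 101 "GNU" extension (mode 1 = gnu-dummy, 2 = divert-to-card).
"""
import struct
import sys

TAG_NAMES = {5: "Secret-Key", 7: "Secret-Subkey"}
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}    # RSA*: n,e  Elgamal: p,g,y  DSA: p,q,g,y


def iter_packets(data):
    """Yield (tag, body) for each old-format packet (what gpg writes for key material)."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("new-format or invalid packet header at offset %d" % off)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet at offset %d" % off)
        n = (1, 2, 4)[ltype]
        length = int.from_bytes(data[off + 1:off + 1 + n], "big")
        off += 1 + n
        yield tag, data[off:off + length]
        off += length


def skip_mpi(body, off):
    """Return the offset just past the MPI (2-octet bit count + value) starting at off."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    return off + 2 + (bits + 7) // 8


def describe_protection(body):
    """Classify the secret part of a v4 Secret-Key or Secret-Subkey packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    algo, off = body[5], 6                       # version(1) + creation time(4) + algo(1)
    if algo not in MPI_COUNT:
        raise ValueError("public-key algorithm %d not handled" % algo)
    for _ in range(MPI_COUNT[algo]):             # skip the public MPIs
        off = skip_mpi(body, off)
    usage = body[off]                            # "string-to-key usage" octet
    if usage == 0:
        return "unprotected"
    if usage not in (254, 255):                  # deprecated form: the octet is the cipher id
        return "passphrase-protected (legacy MD5 S2K, cipher %d)" % usage
    cipher, s2k_type, hash_id = body[off + 1], body[off + 2], body[off + 3]
    if s2k_type == 101:                          # GnuPG private S2K extension
        if body[off + 4:off + 7] != b"GNU":
            raise ValueError("S2K type 101 without GNU magic")
        mode = body[off + 7]
        if mode == 1:
            return "gnu-dummy (secret material not present)"
        if mode == 2:
            return "divert-to-card (secret material on smartcard)"
        return "GNU S2K extension mode %d" % mode
    names = {0: "simple", 1: "salted", 3: "iterated-salted"}
    return "passphrase-protected (%s S2K, cipher %d, hash %d)" % (
        names.get(s2k_type, "type %d" % s2k_type), cipher, hash_id)


def classify_export(data):
    """Return [(packet name, protection)] for every secret (sub)key packet."""
    return [(TAG_NAMES[tag], describe_protection(body))
            for tag, body in iter_packets(data) if tag in TAG_NAMES]


def old_packet(tag, body):
    """Old-format header with a one-octet length (bodies under 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed v4 RSA public part with toy MPIs (n = 0xE5, e = 65537); only the
# framing matters here.
TOY_PUB = b"\x04" + struct.pack(">I", 1230000000) + b"\x01" + b"\x00\x08\xE5" + b"\x00\x11\x01\x00\x01"

# Constructed export: gnu-dummy primary key, a user ID, a subkey still locked
# (AES-128, iterated-salted SHA-1 S2K, 16-byte IV, dummy ciphertext), and a
# subkey as export-reset-subkey-passwd leaves it (usage 0, toy MPIs, checksum).
SAMPLE_EXPORT = (
    old_packet(5, TOY_PUB + b"\xFE\x07\x65\x02GNU\x01")
    + old_packet(13, b"Test Key <test@example.org>")
    + old_packet(7, TOY_PUB + b"\xFE\x07\x03\x02" + b"\x11" * 8 + b"\x60" + b"\x22" * 16 + b"\x33" * 40)
    + old_packet(7, TOY_PUB + b"\x00" + b"\x00\x04\x0B\x00\x04\x0D\x00\x04\x0B\x00\x02\x03" + b"\x00\x00")
)

if __name__ == "__main__":
    # Real input: gpg --export-secret-subkeys "$KEYID" | python3 classify_export.py
    data = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.buffer.read()
    for name, protection in classify_export(data):
        print("%-14s %s" % (name, protection))
```

Run against a real export it shows two things the script above relies on: that the primary key comes out as a gnu-dummy stub (the packet a GnuTLS fix would have to learn to ignore), and whether the subkey is still passphrase-protected or whether export-reset-subkey-passwd has in fact left it unprotected before openpgp2ssh ever sees it.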
(from redmine: created on 2008-12-28)