
When a GPG smartcard (e.g. a YubiKey) is inserted and contains an authentication key, the key is automatically enrolled by gpg-agent. That means the key is usable for any ssh operation without needing to add its keygrip to the file ~/.gnupg/sshcontrol.

Source: the Agent-Configuration documentation (look after the last line of text in the sshcontrol paragraph).

On a specific computer I would like to disable this default behaviour without disabling the other features provided by the smartcard. I was hoping to be able to disable the authentication key by prepending a '!' to its keygrip in the sshcontrol file, as described in the Agent-Configuration documentation (look after the second-to-last line of text in the sshcontrol paragraph), e.g.:

!BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0

But it does not work (with BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB being the keygrip of the authentication key).

Not related to disabling a key, I also tried to enable the confirm flag for the authentication key coming from the smartcard:

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0 confirm

And it does not work either. I am really wondering whether gpg-agent reads the sshcontrol information for smartcard keys at all.

Settings of my infrastructure:

  • GnuPG version 2.2.12
  • only RSA 4096-bit keys
  • Have you tried reloading the GPG agent, i.e. gpg-connect-agent reloadagent /bye? See: wiki.archlinux.org/index.php/GnuPG#Reload_the_agent
    – Kate
    Apr 2, 2020 at 13:51
  • I've just tried it to be sure. Still the same behaviour. In every other case, gpg-agent re-reads the sshcontrol file at every ssh query it receives; it would have been strange to need to restart it for sshcontrol changes to be taken into account.
    – djoproject
    Apr 2, 2020 at 14:03
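As an added illustration (not code from the question or from GnuPG), the following parser reads sshcontrol entries in the format the question relies on and reports the policy the file expresses for a keygrip; the sample file content and its keygrips are constructed placeholders, and the flag handling assumes whitespace-separated flag tokens.

```python
# Added example, not from the question or GnuPG: parse sshcontrol entries and
# report the policy the file expresses for a keygrip.  Format per the file's own
# header: optional '!' (disables the key), 40 hex digit keygrip, optional cache
# TTL in seconds, optional flags ('confirm' is the only defined one).
import re

ENTRY_RE = re.compile(r"^(!?)([0-9A-Fa-f]{40})(?:\s+(\d+))?(?:\s+(\S.*))?$")


def parse_sshcontrol(text: str) -> list:
    """One dict per key line; comments and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:  # a malformed line names its line number
            raise ValueError(f"sshcontrol line {n}: malformed entry {raw!r}")
        bang, grip, ttl, flags = m.groups()
        entries.append({
            "keygrip": grip.upper(),        # normalise case for comparison
            "enabled": bang != "!",
            "ttl": int(ttl) if ttl else 0,  # 0 = agent's default cache TTL
            "confirm": "confirm" in (flags or "").split(),  # assumed token split
        })
    return entries


def policy_for(entries: list, keygrip: str) -> str:
    """'disabled', 'confirm', 'allowed' or 'absent'; first matching line wins.
    As the question observes, a key on an inserted smartcard is served anyway."""
    for e in entries:
        if e["keygrip"] == keygrip.upper():
            if not e["enabled"]:
                return "disabled"
            return "confirm" if e["confirm"] else "allowed"
    return "absent"


# Constructed sample mirroring the question's entries; keygrips are placeholders.
SAMPLE = """\
# List of allowed ssh keys.  Comment lines and empty lines are ignored.
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0
!BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0
cccccccccccccccccccccccccccccccccccccccc 600 confirm
"""


def audit(text: str = SAMPLE) -> dict:
    """Map every keygrip in the file to its policy, for a quick review."""
    entries = parse_sshcontrol(text)
    return {e["keygrip"]: policy_for(entries, e["keygrip"]) for e in entries}
```

Running audit() over the real file (pathlib.Path("~/.gnupg/sshcontrol").expanduser().read_text()) lists which keygrips the file disables or marks confirm, which is the expectation to compare against what the agent actually does for a card key.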
