Yubikey, GnuPG 2.1 Modern, and SSH on OS X

Glenn Rempe glenn at rempe.us
Fri Jan 15 21:17:13 CET 2016


On Fri, Jan 15, 2016 at 10:29:13AM +0100, Simon Josefsson wrote:
> Glenn Rempe <glenn at rempe.us> writes:
> 
> > I recently set up my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> > manage my gpg private keys and I am using that key for SSH auth.  I have it
> > all up and running but I ran into some issues as well so I wrote up a blog
> > post.  I'd appreciate any suggestions for improvement and especially for
> > any ideas for a better fix for the workaround I had to do that I documented
> > at the end of the post.  Maybe this will be of some use to those wanting to
> > use the latest gpg for SSH auth on a Mac with a Yubikey.
> >
> > https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
> 
> Have you tried killing/restarting scdaemon only, not gpg-agent?
> 
> Try:
> 
> gpgconf --reload scdaemon
> 
> or
> 
> gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

I am on OS X, and just so you know I have turned off the OS X system
scdaemon per this blog post (I did this before upgrading to GnuPG 2.1):

https://gpgtools.tenderapp.com/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

So I am using just the scdaemon embedded with GPG I believe.

I just tried your suggestion to reload the internal scdaemon with
'gpgconf --reload scdaemon' and that also worked just as well as killing
gpg-agent, and probably without some side effects, none of which I've
noticed yet. So that is a step in the right direction, but I still have to
run it every time I remove/reinsert the card and SSH to a remote host
or it fails with a 'Permission denied (publickey)' error. So this seems
like a step in the right direction, but I still have to use ControlPlane
to restart scdaemon on insert/remove events.

> 
> Why do you add the keygrip to the sshcontrol file?  I have never needed
> that step.  For me it uses the right key directly.  Is it because you
> have another (revoked) A subkey?  It sounds like somewhat sub-optimal
> behaviour for gpg-agent's SSH support to use a revoked key instead of
> the non-revoked key.

I do have a revoked Authentication sub-key on my primary key, but I
no longer use it and that is also not why I added the keygrip entry to
the sshcontrol file.  I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

Is this suggestion outdated?

> 
> /Simon



-- 
Glenn Rempe

email             : glenn at rempe.us
voice             : (415) 613-1653
twitter           : @grempe
gpg key id        : 0xA4A288A3BECCAE17
gpg fingerprint   : 497A 6138 963D 6C47 202B  238B A4A2 88A3 BECC AE17
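The sshcontrol question above (which keygrip to list, and Simon's point that a revoked A subkey should not be the one gpg-agent offers) can be checked mechanically. The script below is an added example, not code from either poster or from GnuPG: it selects the keygrip of the non-revoked, non-expired authentication subkey from `gpg --with-keygrip --with-colons -K` output and adds it to an sshcontrol file exactly once. The field positions (validity in field 2, capabilities in field 12 of `ssb` records, keygrip in field 10 of `grp` records) follow GnuPG's colon-format description in doc/DETAILS as I read it; the key listing embedded here is constructed, with made-up key IDs and keygrips.

```shell
#!/bin/sh
# Added example: pick the keygrip of the usable authentication subkey and
# register it in sshcontrol idempotently. Not part of the original thread.

# Constructed sample of `gpg --with-keygrip --with-colons -K`: one primary
# key, a revoked authentication subkey (validity 'r') and a valid one ('u').
# All key IDs and keygrips below are made up.
SAMPLE_LISTING='sec:u:4096:1:0000000000000000:1420070400:::u:::scESC:::+::::
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1420070400::0000000000000000000000000000000000000000::Example User <user at example.test>::::::::::0:
ssb:r:4096:1:1111111111111111:1420070400::::::a:::+::::
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:2222222222222222:1451606400::::::a:::+::::
grp:::::::::2222222222222222222222222222222222222222:'

# Read a colon-format listing on stdin and print the keygrips of
# authentication-capable ('a' in field 12) subkeys that are neither
# revoked ('r') nor expired ('e'). The grp record follows its ssb record.
auth_keygrips() {
    awk -F: '
        $1 == "ssb" { want = (index($12, "a") > 0 && $2 != "r" && $2 != "e") }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Append keygrip $1 to the sshcontrol file $2 unless it is already listed
# (active, or disabled with a leading "!"). Returns 0 when added, 1 when
# already present. sshcontrol lines are "KEYGRIP TTL"; TTL 0 means use the
# agent's default cache lifetime.
add_to_sshcontrol() {
    keygrip=$1
    file=$2
    if grep -Eq "^!?[[:space:]]*${keygrip}([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s 0\n' "$keygrip" >> "$file"
}

# Demo: run the selection over the constructed listing into a temporary
# sshcontrol file, twice, to show the second attempt is a no-op.
demo() {
    tmp=$(mktemp)
    for pass in first second; do
        printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips | while read -r grip; do
            if add_to_sshcontrol "$grip" "$tmp"; then
                echo "$pass pass: added $grip"
            else
                echo "$pass pass: already present $grip"
            fi
        done
    done
    echo "--- sshcontrol ---"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Against a real keyring, replace the constructed listing with `gpg --with-keygrip --with-colons -K | auth_keygrips` and point `add_to_sshcontrol` at `~/.gnupg/sshcontrol`; because the check is idempotent, it can run from the same ControlPlane hook that reloads scdaemon.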
