Yubikey, GnuPG 2.1 Modern, and SSH on OS X

the2nd at otpme.org
Sat Jan 16 02:28:17 CET 2016


I just want to point out that one may want to add the keygrip to the 
sshcontrol file along with the "confirm" option to get asked by pinentry 
each time ssh requests gpg-agent to sign an ssh challenge (e.g. an ssh 
login). This is at least a useful option if you log in to a remote host 
with agent forwarding enabled. I know that there are more secure 
alternatives to agent forwarding but I guess it is still used because of 
its simplicity. I also use it from time to time *shame*

But that's the only reason I know why one would add it to sshcontrol.

Regards
the2nd

On 2016-01-16 00:47, Glenn Rempe wrote:
> Thanks Peter, I was not aware of that (and it certainly explains the
> double entry in ssh-add -l).
> 
> btw, Werner was not writing that response to me. It was just pointed
> out to me, so yes it was
> probably not smart card specific I would guess. I'll update the blog
> post to reflect that we
> probably do not need to modify sshcontrol for use with Yubikey.
> 
> Back to the main issue I am having. I followed the instructions to
> output a verbose scdaemon log
> while I was exercising this issue.  Here is a gist with the commands
> I was running and the resulting
> logfile.
> 
> https://gist.github.com/grempe/e143796b8f399f5fa391 [5]
> 
> Perhaps NIIBE Yutaka or someone else more knowledgeable than I can
> take a look and 
> get us closer to resolution. :-)
> 
> Thanks to everyone who is helping.
> 
> On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing
> <peter at digitalbrains.com> wrote:
> 
>> On 15/01/16 21:17, Glenn Rempe wrote:
>>> I added it at the suggestion of Werner in this post:
>>> 
>>> 
>> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
>> [1]
>>> 
>>> And these blog posts:
>>> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
>> [2]
>>> 
>> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
>> [3]
>>> 
>>> Is this suggestion outdated?
>> 
>> No, but I'm fairly sure Werner did not realise you were using a
>> smartcard when
>> he wrote that. Obviously, I can't look into the man's mind, but
>> that's my guess.
>> 
>> For regular, on-disk keys, it is necessary to add the keygrip to
>> sshcontrol. For
>> smartcards, it's automatically added when the smartcard is
>> inserted. I guess it
>> fits with automatically added secret key stubs when the smartcard
>> is inserted
>> (to use a smartcard on a fresh PC, import your own public key,
>> insert your
>> smartcard, and you're done).
>> 
>> HTH,
>> 
>> Peter.
>> 
>> --
>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>> You can send me encrypted mail if you want some privacy.
>> My key is available at
>> <http://digitalbrains.com/2012/openpgp-key-peter [4]>
> 
> 
> Links:
> ------
> [1] https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> [2] http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> [3] http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> [4] http://digitalbrains.com/2012/openpgp-key-peter
> [5] https://gist.github.com/grempe/e143796b8f399f5fa391
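
As an added illustration (not part of the thread and not GnuPG's own code): a shell function that lists the enabled sshcontrol entries lacking the "confirm" flag recommended in the message above. The function names and keygrips are constructed for the example; the entry format follows the gpg-agent documentation.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit a gpg-agent sshcontrol file.
# Entry format: [!]KEYGRIP [TTL [FLAGS]]; "#" starts a comment, a leading "!"
# disables the entry, and "confirm" makes pinentry ask before each signature.

# Print the keygrip of every enabled entry that lacks the "confirm" flag.
sshcontrol_unconfirmed() {
    awk '
        /^[ \t]*#/ { next }                        # comment lines
        NF == 0    { next }                        # blank lines
        $1 ~ /^!/  { next }                        # disabled entries
        length($1) != 40 || $1 ~ /[^0-9A-Fa-f]/ { next }   # not a keygrip
        {
            confirm = 0
            for (i = 2; i <= NF; i++) if ($i == "confirm") confirm = 1
            if (!confirm) print $1
        }
    ' "$1"
}

# Write a constructed sample file (made-up keygrips) to the path in $1.
make_sample() {
    cat >"$1" <<'EOF'
# Constructed sample, not from the thread
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD 0 confirm
1111111111222222222233333333334444444444 0
!5555555555666666666677777777778888888888 0
9999999999AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
EOF
}

# Demo: prints the two keygrips that would sign without asking.
demo=$(mktemp)
make_sample "$demo"
sshcontrol_unconfirmed "$demo"
rm -f "$demo"
```

Point it at `~/.gnupg/sshcontrol` (the default location) to check a real setup.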


