Passphrase cache w/Yubikey varies: sign vs auth

Steve McKown rsmckown at gmail.com
Mon Apr 10 06:56:09 CEST 2017


On 04/09/2017 08:49 PM, NIIBE Yutaka wrote:
> Steve McKown <rsmckown at gmail.com> wrote:
>> Can someone explain why ssh after sign asks for the passphrase again,
>> and what I might be able to do to avoid this condition?  It's not a big
>> deal, but I do wonder if it suggests a misconfiguration on my part.
> 
> It is not misconfiguration.  It is expected behavior.
> 
> Please note that there is no passphrase cache on host side for
> smartcard.  It is the OpenPGP card which has the "authenticated" status.
> Once it gets authenticated by PIN, a user can ask crypto operations.
> 
> And there are two different authenticated statuses for a user.  We call
> them CHV1 and CHV2, where CHV means Card Holder Verification.  One for
> signing (CHV1) and another for others (= decryption and authentication,
> CHV2).
> 
> For OpenPGP card itself, CHV1 and CHV2 are independent (for v2 and
> later).
> 
> By using GnuPG, they are not independent.  When a user authenticates for
> CHV2, CHV1 is also authenticated automatically (provided the flag of the
> card for "Signature PIN" is "not forced").  When a user authenticates for
> CHV1, CHV2 is not affected.
> 
> I agree this is a bit confusing.  I don't know why it is so.  Perhaps,
> we had some compatibility issue with older OpenPGP cards.
> 
> I don't think we have an easy way to avoid being asked the PIN for SSH after
> signing.
> 

Thanks for the clear and informative answer.  Much appreciated!
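A small Python model of the CHV1/CHV2 status handling described in the reply above, added here as an illustration (it is not code from GnuPG or from either poster). The class and function names are invented, and treating a "forced" Signature PIN flag as demanding the PIN for every signature is an assumption about card behaviour, not something stated in the thread.

```python
# Constructed model of how GnuPG drives the OpenPGP card's two verification
# states, following NIIBE's explanation: verifying CHV2 (decrypt/auth) also
# satisfies CHV1 (sign) unless the Signature PIN is forced; verifying CHV1
# never satisfies CHV2.  The PIN prompts are recorded so the order-dependence
# of "sign then ssh" versus "ssh then sign" can be seen directly.
from dataclasses import dataclass, field


@dataclass
class CardSession:
    signature_pin_forced: bool = False   # the card's "Signature PIN" flag
    chv1_verified: bool = False          # CHV1: signing
    chv2_verified: bool = False          # CHV2: decryption and authentication
    pin_prompts: list = field(default_factory=list)

    def verify_chv1(self) -> None:
        self.pin_prompts.append("CHV1")
        self.chv1_verified = True        # CHV1 does not touch CHV2

    def verify_chv2(self) -> None:
        self.pin_prompts.append("CHV2")
        self.chv2_verified = True
        if not self.signature_pin_forced:
            self.chv1_verified = True    # GnuPG: CHV2 implies CHV1 when not forced

    def sign(self) -> str:
        if not self.chv1_verified:
            self.verify_chv1()
        if self.signature_pin_forced:
            # Assumption: a forced Signature PIN means one PIN entry per signature.
            self.chv1_verified = False
        return "signed"

    def ssh_auth(self) -> str:
        if not self.chv2_verified:
            self.verify_chv2()
        return "authenticated"


def run(ops, forced: bool = False) -> list:
    """Replay a sequence of 'sign' / 'ssh_auth' operations; return PIN prompts."""
    session = CardSession(signature_pin_forced=forced)
    for op in ops:
        getattr(session, op)()
    return session.pin_prompts


if __name__ == "__main__":
    print(run(["sign", "ssh_auth"]))   # two prompts: the behaviour asked about
    print(run(["ssh_auth", "sign"]))   # one prompt: CHV2 covered CHV1
```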


