Identifying one of multiple authentication subkeys
Peter Lebbing
peter at digitalbrains.com
Sun Mar 17 13:40:15 CET 2019
On 17/03/2019 13:17, Brian Exelbierd wrote:
> Having done no code examination, I feel like this is where the
> identity information for subkeys comes into play. I presume the SSH
> request would pass the value of the identity file to the gpg-agent.
> This is probably 100% wrong though.
30% wrong? It actually is "the wire encoding of the public key", so key
material rather than a filename. Your comment made a click in my mind
though. I've solved it.
Put this in .ssh/config:
--8<---------------cut here---------------start------------->8---
Host your-server.com
IdentitiesOnly yes
IdentityFile ~/.ssh/testkey7.pub
--8<---------------cut here---------------end--------------->8---
Where testkey7.pub is a file containing the *public* key. Usually you
would use a private key here, but OpenSSH is just as happy with a public
key as long as the agent can do the private operation.
> Also, as an aside. It appears that subkeys do not prompt for the key
> passphrase. Instead I just get an allow/deny dialog or no dialog at
> all if I don't force confirm.
The passphrase is cached. The duration can be controlled through
default-cache-ttl-ssh and max-cache-ttl-ssh in ~/.gnupg/gpg-agent.conf
or on a per-key basis in sshcontrol. It is possible to turn off caching
for SSH keys completely. See "man gpg-agent".
> Distracting myself with GPG/SSH while doing taxes is a bad idea and
> leads to bad internet hygiene :D
Hehehe :-D
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
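Added example (not from Peter's message or from GnuPG/OpenSSH): a small Python script that shows why matching happens on the key blob rather than on a filename or comment. It parses OpenSSH public-key lines of the kind found in a `.pub` file and in `ssh-add -L` output, decodes the wire encoding, computes the `SHA256:` fingerprint the way `ssh-keygen -lf` does, and checks whether the key named in `IdentityFile` is among the keys the agent offers. The key lines are constructed (fake 32-byte ed25519 public keys), as are the comments; the function names are this example's own.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_wire_blob(blob: bytes) -> list[bytes]:
    """Split a public-key wire encoding into its SSH 'string' fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_pubkey_line(line: str) -> tuple[str, bytes, str]:
    """Parse '<type> <base64 blob> [comment]' into (type, blob, comment).

    The blob's first field must repeat the key type, as OpenSSH requires.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' at least")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_wire_blob(blob)
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key type does not match wire encoding")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return keytype, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's 'SHA256:<unpadded base64>' form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def agent_offers(identity_pub_line: str, agent_listing: str):
    """Return (offered, fingerprint, agent_comment) for the IdentityFile key.

    Matching is done on the wire-encoded key material only; the comment in
    the .pub file and the comment the agent reports may differ.
    """
    _, wanted, _ = parse_pubkey_line(identity_pub_line)
    for line in agent_listing.splitlines():
        line = line.strip()
        if not line:
            continue
        _, blob, comment = parse_pubkey_line(line)
        if blob == wanted:
            return True, fingerprint(blob), comment
    return False, fingerprint(wanted), None


def make_ed25519_line(fill: int, comment: str) -> str:
    """Construct a syntactically valid (but fake) ssh-ed25519 public-key line."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: the IdentityFile's .pub contents and an
# ssh-add -L style listing in which the same key appears with a
# different comment, as an agent might report it.
TESTKEY7_PUB = make_ed25519_line(0x11, "testkey7")
AGENT_LISTING = "\n".join([
    make_ed25519_line(0x22, "(none)"),
    make_ed25519_line(0x11, "(none)"),
    make_ed25519_line(0x33, "(none)"),
])

if __name__ == "__main__":
    offered, fp, comment = agent_offers(TESTKEY7_PUB, AGENT_LISTING)
    print(f"{fp} offered by agent: {offered} (agent comment: {comment!r})")
```

To use it against a real setup, replace the constructed strings with the contents of the `.pub` file named in `IdentityFile` and the output of `ssh-add -L`; a `False` result means the agent is not exposing that key, which with gpg-agent usually points at the subkey or its keygrip not being enabled for SSH use.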