sshcontrol, confirm flag and smartcards

Filippo Valsorda ml at filippo.io
Fri Oct 7 17:48:19 CEST 2016


Hello,

I'm using a smartcard to hold my SSH key. Everything is functional out
of the box. From the man page:

> Note that keys available
> through a OpenPGP smartcard in the active smartcard reader are
> implicitly added to this list; i.e. there is no need to list them.

However, I want to enable the "confirm" flag. So I added a line with the
keygrip to sshcontrol.

Now I see two keys over the ssh-agent with identical fingerprints (so I
didn't get the keygrip wrong):

ssh-add -l
2048 SHA256:[REDACTED] cardno:[REDACTED] (RSA)
2048 SHA256:[REDACTED] (none) (RSA)

Which gets annoying because all operations are attempted twice (for
example if authentication fails), and I suspect it also allows a
"confirm" bypass.

I suspect gnupg should deduplicate them automatically.

I'm on gpg (GnuPG) 2.1.15 on OS X.

Thanks

[Please keep me CC'd]
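
The symptom reported in this message, one fingerprint listed twice by the agent, can be checked for mechanically. The following is an added example, not part of the original post or of GnuPG; the function name dup_agent_keys and the sample listing are constructed for illustration.

```shell
# Constructed sample of `ssh-add -l` output (fingerprints are placeholders).
SAMPLE_LISTING='2048 SHA256:CONSTRUCTEDaaaa cardno:000000000001 (RSA)
2048 SHA256:CONSTRUCTEDaaaa (none) (RSA)
256 SHA256:CONSTRUCTEDbbbb user@host (ED25519)'

# Report fingerprints that the agent lists more than once.
# Reads `ssh-add -l` output on stdin and prints one line per duplicated
# fingerprint, with the comment of every entry that carries it.
# Exit status: 0 = no duplicates, 1 = at least one duplicate.
dup_agent_keys() {
    awk '
        # Listing line: <bits> <fingerprint> <comment ...> (<type>)
        # Other lines (for example the "no identities" message) are skipped.
        NF >= 3 && $1 ~ /^[0-9]+$/ {
            fp = $2
            # The comment is every field between fingerprint and key type.
            if (NF == 3) {
                comment = "-"
            } else {
                comment = $3
                for (i = 4; i < NF; i++) comment = comment " " $i
            }
            if (fp in comments) {
                comments[fp] = comments[fp] ", " comment
            } else {
                comments[fp] = comment
                order[++n] = fp      # remember first-seen order
            }
            count[fp]++
        }
        END {
            rc = 0
            for (k = 1; k <= n; k++) {
                fp = order[k]
                if (count[fp] > 1) {
                    printf "%s listed %d times: %s\n", fp, count[fp], comments[fp]
                    rc = 1
                }
            }
            exit rc
        }
    '
}

# Against a live agent: ssh-add -l | dup_agent_keys
```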


