sshcontrol, confirm flag and smartcards
justus at g10code.com
Mon Oct 10 12:47:09 CEST 2016
Filippo Valsorda <ml at filippo.io> writes:
> I'm using a smartcard to hold my SSH key. Everything is functional out
> of the box. From the man page:
>> Note that keys available
>> through a OpenPGP smartcard in the active smartcard reader are
>> implicitly added to this list; i.e. there is no need to list them.
> However, I want to enable the "confirm" flag. So I added a line with the
> keygrip to sshcontrol.
I believe you can configure your smartcard to require a confirmation,
not sure though.
> Now I see two keys over the ssh-agent with identical fingerprints (so I
> didn't get the keygrip wrong):
> ssh-add -l
> 2048 SHA256:[REDACTED] cardno:[REDACTED] (RSA)
> 2048 SHA256:[REDACTED] (none) (RSA)
> Which gets annoying because all operations are attempted twice (for
> example if authentication fails), and I suspect it also allows a
> "confirm" bypass.
> I suspect gnupg should deduplicate them automatically.
Thanks for reporting. I created a bug report for this issue:
More information about the Gnupg-devel
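
Added example, not part of the original message or of GnuPG: a check for the symptom reported above, where `ssh-add -l` lists the same fingerprint twice, once with a `cardno:` comment and once without. The sample listing is constructed and its fingerprints and card number are placeholders; the helper names are hypothetical.

```python
import re
import subprocess
from collections import defaultdict

# One line of `ssh-add -l`: "<bits> <fingerprint> <comment> (<type>)"
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+\((\S+)\)$")

# Constructed sample modelled on the listing in the message; the
# fingerprints and card number are placeholders, not real values.
SAMPLE = """\
2048 SHA256:EXAMPLEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa cardno:000000000000 (RSA)
2048 SHA256:EXAMPLEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (none) (RSA)
256 SHA256:EXAMPLEbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb user@host (ED25519)
"""


def duplicate_identities(listing):
    """Map each fingerprint listed more than once to its comments."""
    seen = defaultdict(list)
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:  # skips non-key lines such as "The agent has no identities."
            seen[m.group(2)].append(m.group(3))
    return {fp: c for fp, c in seen.items() if len(c) > 1}


def mixed_card_and_plain(comments):
    """True when one entry is card-backed (cardno:) and another is not."""
    card = [c.startswith("cardno:") for c in comments]
    return any(card) and not all(card)


if __name__ == "__main__":
    # Query the running agent; an empty agent yields no matches.
    out = subprocess.run(["ssh-add", "-l"], capture_output=True, text=True).stdout
    for fp, comments in duplicate_identities(out).items():
        note = " (card entry plus non-card entry)" if mixed_card_and_plain(comments) else ""
        print(f"{fp} listed {len(comments)} times: {comments}{note}")
```

Run as a script, it queries the current agent; imported, `duplicate_identities(SAMPLE)` shows the result on the constructed listing.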