sshcontrol, confirm flag and smartcards

Justus Winter justus at
Mon Oct 10 12:47:09 CEST 2016


Filippo Valsorda <ml at> writes:
> I'm using a smartcard to hold my SSH key. Everything is functional out
> of the box. From the man page:
>> Note that keys available
>> through a OpenPGP smartcard in the active smartcard reader are
>> implicitly added to this list; i.e. there is no need to list them.
> However, I want to enable the "confirm" flag. So I added a line with the
> keygrip to sshcontrol.

I believe you can configure your smartcard to require a confirmation,
not sure though.

> Now I see two keys over the ssh-agent with identical fingerprints (so I
> didn't get the keygrip wrong):
> ssh-add -l
> 2048 SHA256:[REDACTED] cardno:[REDACTED] (RSA)
> 2048 SHA256:[REDACTED] (none) (RSA)
> Which gets annoying because all operations are attempted twice (for
> example if authentication fails), and I suspect it also allows a
> "confirm" bypass.
> I suspect gnupg should deduplicate them automatically.

Thanks for reporting.  I created a bug report for this issue:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161010/c2c65467/attachment.sig>

More information about the Gnupg-devel mailing list