gpg-agent asks for ssh passphrase, although the private key has no passphrase set

Werner Koch wk at gnupg.org
Tue Jun 28 09:06:13 CEST 2011


On Mon, 27 Jun 2011 19:36, gitter at Safe-mail.net said:

> I already use these long caching options for ssh. Actually what I want
> is not to enter a passphrase for my ssh key. I trust the applications
> that run on my system, so I do not want any passphrase.

With the current stable version of GnuPG it is a bit complicated:  You
need to figure out the "keygrip" of the key.  With GnuPG-2.1 it would be
a simple
  
  $ gpg2 -K --with-keygrip alpha at example.net
  sec   1024D/68697734 1999-03-08
        Keygrip = 76F7E2B35832976B50A27A282D9B87E44577EB66
  uid                  Alfa Test (demo key) <alfa at example.net>
  uid                  Alpha Test (demo key) <alpha at example.net>
  uid                  Alice (demo key)
  ssb   1024g/46A871F8 1999-03-08
        Keygrip = A0747D5F9425E6664F4FFBEED20FBCA79FDED2BD
  
Which shows the keygrip for each key.  Now if you know which key has
been converted to ssh, you do this:

 gpg-connect-agent 'passwd 76F7E2B35832976B50A27A282D9B87E44577EB66' /bye

and follow the prompt:  Enter the old passphrase and then enter an
empty passphrase.  The last popup will ask you whether you really want
an unprotected key and you confirm that.

With any version of GnuPG you need to figure out the key by looking at
the file "~/.gnupg/sshcontrol".  This file has a line for each ssh key;
ssh-add also adds a comment with the date the key was added to GnuPG.
You will immediately spot the keygrip.  Use this as described above.
Note that for keys stored on a smartcard there will be no entry in the
sshcontrol file.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
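As an added example (not code from the post or from GnuPG itself), a POSIX shell helper for the "look at ~/.gnupg/sshcontrol" step: it parses a constructed sshcontrol sample, pairs each active keygrip with the "added on" comment that ssh-add wrote above it, and builds the gpg-connect-agent command given in the reply. The sample file content, the comment wording and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of ~/.gnupg/sshcontrol (not a real file from the post).
# The keygrip values are the two shown in the reply above, reused as placeholders.
# Lines starting with "!" are entries that gpg-agent treats as disabled.
SAMPLE_SSHCONTROL='# List of allowed ssh keys.  Only keys present in this file
# are used in the SSH protocol.
# RSA key added on: 2011-06-27 19:36:00
76F7E2B35832976B50A27A282D9B87E44577EB66 0
!A0747D5F9425E6664F4FFBEED20FBCA79FDED2BD 0
'

# list_ssh_keygrips FILE
# Prints one line per active (not "!"-disabled) key: "<keygrip> <ttl> [comment]"
# where the comment is the nearest preceding "# ... added on: ..." line, if any.
list_ssh_keygrips() {
    awk '
        /^#.*added on:/ { added = $0; sub(/^# */, "", added); next }
        /^#/ || /^[[:space:]]*$/ { next }    # other comments and blank lines
        /^!/ { added = ""; next }            # disabled entry: skip it
        {
            if (added != "") printf "%s %s %s\n", $1, $2, added
            else printf "%s %s\n", $1, $2
            added = ""
        }
    ' "$1"
}

# passwd_command KEYGRIP
# Builds the gpg-connect-agent invocation from the reply; running it prompts
# for the old passphrase and then lets you set an empty one.
passwd_command() {
    printf "gpg-connect-agent 'passwd %s' /bye\n" "$1"
}
```

Run list_ssh_keygrips on your own sshcontrol file to find the keygrip of the key ssh-add registered, then pass that keygrip to passwd_command and run the printed line.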