gpg-agent does not authenticate ssh connections
Werner Koch
wk at gnupg.org
Tue Feb 17 14:58:24 CET 2015
On Mon, 16 Feb 2015 20:40, mail at rainerkeller.de said:
> For me it looks like the authentication private key uses the encryption pin
> (Auth ID 0x02) while it should use the signature pin.
> I tried to set the encryption pin via "pkcs15-tool --auth-id 02
[ You should not use this tool for the OpenPGP card. That card is not
pkcs#15 and Olaf's implementation for the OpenPGP card is thus quite
limited. Use "gpg --card-status" or watch the scdaemon log. ]
> Is there any way to change the authentication key to use the signature pin?
> On my GnuPG card only the authentication key is present, all other keys are
> currently empty. May this happen due to the empty slots and may be
Gpg-agent uses the smartcard key which is identified by the $AUTHKEYID
attribute:
  $ gpg-connect-agent 'scd getattr $AUTHKEYID' /bye
  S $AUTHKEYID OPENPGP.3
  OK
Thus for this card the key with the id OPENPGP.3 is to be used for ssh
access. This is the standard for OpenPGP cards. Another example:
  $ gpg-connect-agent 'scd getattr $AUTHKEYID' /bye
  S $AUTHKEYID NKS-NKS3.4531
  OK
This is an old Telesec card and it shows the keyid to be used with this
card.
Now, how is this attribute assigned? It is simply a matter of the
driver. For app-openpgp.c it is hardwired to "OPENPGP.3", the app-nks.c
driver hardwires to "NKS-NKS3.4531", and the generic app-p15.c driver
uses the first listed key capable of signing.
If there is no current card with an $AUTHKEYID attribute, gpg-agent
won't add the currently inserted card to the list of supported keys.
Thus only the keys listed in ~/.gnupg/sshcontrol will be used. After
gpg-agent has seen the card the first time it creates a stub key in its
keystore to record the serial number. You would simply put the keygrip
(which is also the basename of the stub key file) into sshcontrol and
things should work as expected - of course you need to make sure that
the key is capable of signing.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
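As an added diagnostic following the steps Werner describes (example code, not from the mail or from GnuPG): parse the $AUTHKEYID reply that gpg-connect-agent prints, list the enabled keygrips of an sshcontrol file, and check that each one has the stub key file gpg-agent writes to private-keys-v1.d after first seeing the card. The sample replies, the ERR line and all keygrips are constructed values.

```shell
# Constructed sample replies in the Assuan format gpg-connect-agent prints.
REPLY_OPENPGP='S $AUTHKEYID OPENPGP.3
OK'
REPLY_NKS='S $AUTHKEYID NKS-NKS3.4531
OK'
REPLY_NOCARD='ERR 100663404 Card error <SCD>'   # constructed error line
# Print the key id from a captured "scd getattr $AUTHKEYID" reply.
# Returns 1 and prints nothing when no $AUTHKEYID status line is present.
authkeyid_from_reply() {
    printf '%s\n' "$1" | awk '
        $1 == "S" && $2 == "$AUTHKEYID" { print $3; found = 1; exit }
        END { exit !found }'
}

# Print the enabled keygrips of an sshcontrol file: drop comments and blank
# lines, skip entries disabled with a leading "!", ignore the TTL/flag
# columns and keep only well-formed 40-hex-digit keygrips (uppercased).
sshcontrol_keygrips() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        substr($1, 1, 1) == "!" { next }
        length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print toupper($1) }'
}

# Each enabled keygrip needs a stub file <KEYGRIP>.key, which gpg-agent
# writes to private-keys-v1.d the first time it sees the card.
# $1 = sshcontrol file, $2 = private-keys-v1.d dir; returns 0 if none missing.
check_stubs() {
    missing=0
    for g in $(sshcontrol_keygrips "$1"); do
        [ -f "$2/$g.key" ] && continue
        echo "keygrip $g is listed in sshcontrol but has no stub key file"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Constructed GNUPGHOME-like directory: two enabled keygrips (one with TTL
# and flag), one disabled, one comment, and a stub key for only the first.
make_sample_home() {
    d=$(mktemp -d) && mkdir "$d/private-keys-v1.d"
    cat > "$d/sshcontrol" <<'EOF'
# sample keygrip of the card's OPENPGP.3 key
0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98 0 confirm
!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
    : > "$d/private-keys-v1.d/0123456789ABCDEF0123456789ABCDEF01234567.key"
    echo "$d"
}
```

Against a real setup, feed `authkeyid_from_reply "$(gpg-connect-agent 'scd getattr $AUTHKEYID' /bye)"` and point `check_stubs` at `~/.gnupg/sshcontrol` and `~/.gnupg/private-keys-v1.d`.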