gpg-agent does not authenticate ssh connections

NIIBE Yutaka gniibe at
Fri Feb 20 02:30:31 CET 2015

On 02/09/2015 02:41 AM, Rainer Keller wrote:
> In .gnupg/sshcontrol I have added the correct keygrip and "ssh-add -l" shows 
> the right key:
>> 4096 XX:XX:XX cardno:XXXX (RSA)

Well, you don't need to add this manually, for your smartcard.

>> gpg-agent smartcard signing failed: Bad PIN
> It sounds like the PIN entered was wrong, but I am sure it is correct.
> The PIN retry counters are still at 3.

One possibility is that it's gpg-agent which says "Bad PIN".  The
gpg-agent does its own check for pin length.  OpenPGPcard
specification requires minimum length of user's PIN to be 6.
gpg-agent checks if it's at least 6.  If not, it returns "Bad PIN"

It is not possible for OpenPGP card to have user's PIN with length of
less than 6.  Your user's PIN would be the factory default still.

More information about the Gnupg-users mailing list