SSH agent prompts for all passphrases (was: Deleting SSH key(s) from agent)

Peter Lebbing peter at digitalbrains.com
Tue Aug 23 11:29:07 CEST 2016


On 23/08/16 10:46, Karol Babioch wrote:
> However, it is annoying to be prompted for passphrases for each key in
> the keyring. This is even true for cases in which the public key of my
> smartcard is the first and only entry in authorized_keys on a SSH server.

Hmmmmm. I use both a smartcard and an encrypted on-disk key, and am
never prompted for a passphrase for a key that isn't listed in
authorized_keys.

You can see a lot of the detail with:

$ ssh -vvv user@host

I can see how the client considers keys, offers them, and only when the
server indicates acceptance will it access the private key and prompt
for a passphrase.

See here how it first asks the server whether it would accept the key
the agent identifies by "/home/peter/.ssh/id_rsa", and the server
declines (that's not very explicit in the messages). I'm not prompted
for the passphrase for that key. The client then offers my smartcard,
and the server accepts. Only then am I prompted for the PIN.

--------------------8<----------------->8--------------------
[...]
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: cardno:000500000241
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
[...]
--------------------8<----------------->8--------------------

Are both the server and the client in your case OpenSSH? Do you have
non-standard options set relating to auth perhaps?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
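The offer/accept/sign sequence Peter describes is easy to check mechanically. The script below is an added example, not part of the post or of OpenSSH: it parses `ssh -vvv` output and reports, for each key the client offered, whether the server accepted it and whether the client then signed with it (i.e. actually touched the private key or smartcard). The sample input is the exchange quoted above, embedded as a constructed string; the regexes are my own and also tolerate the newer "Offering public key: <path> <type> <fingerprint>" wording, which is an assumption about later OpenSSH versions rather than something shown on this page.

```python
import re
import sys

# Constructed sample: the debug exchange quoted in the post above,
# re-typed here so the script runs offline.
SAMPLE_DEBUG_OUTPUT = """\
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: cardno:000500000241
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
"""

# "Offering RSA public key: NAME" (older OpenSSH) or
# "Offering public key: NAME TYPE FP" (assumed newer wording); NAME is the first token.
OFFER_RE = re.compile(r"Offering (?:\w+ )?public key: (\S+)")
ACCEPT_RE = re.compile(r"Server accepts key:")
CONTINUE_RE = re.compile(r"Authentications that can continue:")
SIGN_RE = re.compile(r"sign_and_send_pubkey:")


def parse_pubkey_offers(debug_text):
    """Return one dict per offered key: {'key', 'accepted', 'signed'}.

    'accepted' means the server answered the pubkey test positively;
    'signed' means the client went on to sign with that key, which is the
    point at which the passphrase/PIN prompt for that key occurs.
    """
    offers = []
    current = None
    for line in debug_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            current = {"key": m.group(1), "accepted": False, "signed": False}
            offers.append(current)
            continue
        if current is None:
            continue
        if ACCEPT_RE.search(line):
            current["accepted"] = True
        elif SIGN_RE.search(line) and current["accepted"]:
            current["signed"] = True
        elif CONTINUE_RE.search(line) and not current["accepted"]:
            # Server moved on without accepting: the offer was declined and
            # the private half of this key was never touched.
            current = None
    return offers


def private_keys_accessed(offers):
    """Names of the keys whose private half was actually used to sign."""
    return [o["key"] for o in offers if o["signed"]]


def report(offers):
    for o in offers:
        status = "signed" if o["signed"] else ("accepted" if o["accepted"] else "declined")
        print(f"{o['key']}: {status}")
    print("private keys accessed:", private_keys_accessed(offers))


if __name__ == "__main__":
    # Usage: ssh -vvv user@host 2>&1 | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG_OUTPUT
    report(parse_pubkey_offers(text))
```

On the sample exchange the on-disk key is reported as declined and only the smartcard key as signed, which is exactly the behaviour Peter describes. If the same script run against Karol's session shows a key being signed (or a prompt appearing) without a preceding "Server accepts key" line, the prompting is not coming from the OpenSSH client's normal publickey flow and the agent or configuration is the place to look.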