Passphrase cache w/Yubikey varies: sign vs auth

Steve McKown rsmckown at
Sun Apr 9 18:07:17 CEST 2017


I'm using a Yubikey NEO with GnuPG 2.1.11 on Ubuntu 16.04 LTS.
Everything is working fine except that caching of the passphrase works
differently depending upon whether the first operation is sign or
authenticate.  I can show this with two GnuPG operations: sign a file
and ssh key-based login (I'm using gpg-agent.conf enable-ssh-support).

If after inserting the Yubikey I sign first and then ssh second, both
operations ask for the passphrase via pinentry.

  gpg2 --clearsign somefile  # pinentry dialog
  ssh someserver             # pinentry dialog

I'm not sure why the ssh login above asks again for the passphrase.

If after re-inserting the Yubikey I do ssh before sign, the sign uses
the passphrase cached from the previous ssh, as expected:

  ssh someserver             # pinentry dialog
  gpg2 --clearsign somefile  # NO pinentry dialog

It is true that the passphrase entered on first sign is cached, because
if I run two back to back the second doesn't ask.  Again, after
re-inserting the Yubikey:

  gpg2 --clearsign somefile  # pinentry dialog
  gpg2 --clearsign somefile  # NO pinentry dialog

The pinentry dialog for signing includes the text "[sigs done:NNN]" that
is not present for auth or crypt operations.

Can someone explain why ssh after sign asks for the passphrase again,
and what I might be able to do to avoid this condition?  It's not a big
deal, but I do wonder if it suggests a misconfiguration on my part.


More information about the Gnupg-users mailing list