Passphrase cache w/Yubikey varies: sign vs auth

NIIBE Yutaka gniibe at fsij.org
Mon Apr 10 04:49:56 CEST 2017


Steve McKown <rsmckown at gmail.com> wrote:
> Can someone explain why ssh after sign asks for the passphrase again,
> and what I might be able to do to avoid this condition?  It's not a big
> deal, but I do wonder if it suggests a misconfiguration on my part.

It is not misconfiguration.  It is expected behavior.

Please note that there is no passphrase cache on the host side for a
smartcard.  It is the OpenPGP card which has the "authenticated" status.
Once it is authenticated by PIN, a user can request crypto operations.

And there are two different authenticated statuses for a user.  We call
them CHV1 and CHV2, where CHV means Card Holder Verification.  One is for
signing (CHV1) and the other is for everything else (decryption and
authentication, CHV2).

For OpenPGP card itself, CHV1 and CHV2 are independent (for v2 and
later).

When using GnuPG, they are not independent.  When a user authenticates for
CHV2, CHV1 is also authenticated automatically (provided the flag of the
card for "Signature PIN" is "not forced").  When a user authenticates for
CHV1, CHV2 is not affected.

I agree this is a bit confusing.  I don't know why it is so.  Perhaps,
we had some compatibility issue with older OpenPGP card.

I don't think we have an easy way to avoid being asked for the PIN for SSH
after signing.
-- 



More information about the Gnupg-users mailing list
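As an added illustration (not part of the post, and not GnuPG's or the card's own code), the following Python model replays the CHV1/CHV2 rules described above and counts the PIN prompts a user would see for a given order of operations. It assumes that the "Signature PIN" (forcesig) flag means CHV1 is consumed by every signature and that verifying CHV2 then no longer implies CHV1; the operation names and prompt strings are invented for the model.

```python
from dataclasses import dataclass, field


@dataclass
class CardSession:
    """Model of the OpenPGP card's two verification states as GnuPG drives them.

    CHV1 gates signing; CHV2 gates decryption and authentication (the SSH
    case).  The card's "Signature PIN" flag (forcesig in gpg --card-edit) is
    an assumption modelled here as: CHV1 is used up by every signature, and
    verifying CHV2 no longer implies CHV1.
    """
    force_signature_pin: bool = False
    chv1_verified: bool = False
    chv2_verified: bool = False
    prompts: list = field(default_factory=list)  # every PIN prompt the user sees

    def _verify_chv1(self) -> None:
        self.prompts.append("PIN (CHV1, signing)")
        self.chv1_verified = True

    def _verify_chv2(self) -> None:
        self.prompts.append("PIN (CHV2, auth/decrypt)")
        self.chv2_verified = True
        # GnuPG policy from the post: CHV2 verification also satisfies CHV1,
        # unless the Signature PIN flag is forced.
        if not self.force_signature_pin:
            self.chv1_verified = True

    def sign(self) -> str:
        if not self.chv1_verified:
            self._verify_chv1()
        if self.force_signature_pin:
            # Assumption: forced Signature PIN means one PIN per signature.
            self.chv1_verified = False
        return "signed"

    def authenticate(self) -> str:
        """gpg-agent's SSH path: needs CHV2 only and never touches CHV1."""
        if not self.chv2_verified:
            self._verify_chv2()
        return "authenticated"

    def decrypt(self) -> str:
        if not self.chv2_verified:
            self._verify_chv2()
        return "decrypted"


def prompts_for(operations, force_signature_pin=False):
    """Run a sequence of 'sign'/'auth'/'decrypt' and return the PIN prompts seen."""
    card = CardSession(force_signature_pin=force_signature_pin)
    dispatch = {"sign": card.sign, "auth": card.authenticate, "decrypt": card.decrypt}
    for op in operations:
        dispatch[op]()
    return card.prompts


if __name__ == "__main__":
    # The situation in the question: gpg --sign first, then ssh -> two prompts.
    print("sign, then ssh:", prompts_for(["sign", "auth"]))
    # The other order: ssh first, then sign. CHV2 implies CHV1 -> one prompt.
    print("ssh, then sign:", prompts_for(["auth", "sign"]))
    # With forcesig, CHV2 no longer covers CHV1 and every signature prompts.
    print("forcesig, ssh then two signs:",
          prompts_for(["auth", "sign", "sign"], force_signature_pin=True))
```

The asymmetry the post describes is visible in the first two runs: signing before SSH costs two prompts, SSH before signing costs one, because only the CHV2 verification is propagated to CHV1.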