Passphrase cache w/Yubikey varies: sign vs auth
Steve McKown
rsmckown at gmail.com
Mon Apr 10 06:56:09 CEST 2017
On 04/09/2017 08:49 PM, NIIBE Yutaka wrote:
> Steve McKown <rsmckown at gmail.com> wrote:
>> Can someone explain why ssh after sign asks for the passphrase again,
>> and what I might be able to do to avoid this condition? It's not a big
>> deal, but I do wonder if it suggests a misconfiguration on my part.
>
> It is not misconfiguration. It is expected behavior.
>
> Please note that there is no passphrase cache on host side for
> smartcard. It is the OpenPGP card which has the "authenticated" status.
> Once it gets authenticated by PIN, a user can ask crypto operations.
>
> And there are two different authenticated statuses for a user. We call
> them CHV1 and CHV2, where CHV means Card Holder Verification. One for
> signing (CHV1) and another for others (= decryption and authentication,
> CHV2).
>
> For OpenPGP card itself, CHV1 and CHV2 are independent (for v2 and
> later).
>
> By using GnuPG, they are not independent. When a user authenticates for
> CHV2, CHV1 is also authenticated automatically (provided the flag of the
> card for "Signature PIN" is "not forced"). When a user authenticates for
> CHV1, CHV2 is not affected.
>
> I agree this is a bit confusing. I don't know why it is so. Perhaps
> we had some compatibility issue with older OpenPGP card.
>
> I don't think we have an easy way to avoid being asked for the PIN for SSH
> after signing.
>
Thanks for the clear and informative answer. Much appreciated!
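To make the CHV1/CHV2 coupling described above concrete, here is a small model of the two layers (the card's independent flags and GnuPG's coupling on top). It is an added example written for this post, not code from GnuPG or from any card firmware; the operation names, the `prompts_for` helper and the idea of counting PIN prompts are assumptions of the model, and the "forced" branch encodes the documented meaning of the Signature PIN flag (PIN required for every signature), which the quoted reply mentions only as the condition under which the coupling is disabled.

```python
CHV1, CHV2 = "CHV1", "CHV2"

# Which Card Holder Verification each operation needs, as stated in the thread:
# signing uses CHV1; decryption and authentication (ssh) use CHV2.
NEEDED = {"sign": CHV1, "decrypt": CHV2, "auth": CHV2}


class OpenPGPCard:
    """Card-level state: on v2+ cards CHV1 and CHV2 are independent flags."""

    def __init__(self):
        self.verified = {CHV1: False, CHV2: False}

    def verify(self, chv):
        # The PIN check itself is assumed to succeed in this model.
        self.verified[chv] = True


class GnuPGCardAccess:
    """GnuPG's view of the card: the card plus the coupling described in the thread."""

    def __init__(self, signature_pin_forced=False):
        self.card = OpenPGPCard()
        self.forced = signature_pin_forced  # the card's "Signature PIN" flag

    def run(self, operation):
        """Perform one operation; return True if the user had to enter a PIN."""
        chv = NEEDED[operation]
        prompted = not self.card.verified[chv]
        if prompted:
            self.card.verify(chv)
            # GnuPG quirk: verifying CHV2 also satisfies CHV1, but only when
            # the Signature PIN flag is "not forced". CHV1 never affects CHV2.
            if chv == CHV2 and not self.forced:
                self.card.verify(CHV1)
        if operation == "sign" and self.forced:
            # "Forced" means the PIN is required for every signature, so the
            # signing status does not survive the operation (assumed model).
            self.card.verified[CHV1] = False
        return prompted


def prompts_for(operations, signature_pin_forced=False):
    """Run a sequence of operations; return the ones that triggered a PIN prompt."""
    gpg = GnuPGCardAccess(signature_pin_forced)
    return [op for op in operations if gpg.run(op)]
```

Running `prompts_for(["sign", "auth"])` reproduces the situation in the question (two prompts), while `prompts_for(["auth", "sign"])` prompts only once because the CHV2 verification also covered CHV1.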