gpg-agent only checks for smartcard not for local keys

Niibe Yutaka gniibe at
Mon Nov 4 11:15:29 CET 2019


Horst Skatmus wrote:
> The only problem I have is that the gpg-agent always checks for the
> smartcard even when keys are not stored on a smartcard.

When gpg-agent works as ssh-agent, it always checks for a (possible)
authentication key on the smartcard, so that the authentication key (when
available) can be used.

Specifically, the SSH client asks ssh-agent about available keys with the
REQUEST_IDENTITIES command.  When gpg-agent (as ssh-agent) gets the
REQUEST_IDENTITIES command, it checks with scdaemon about possible
authentication keys.  Let's call those key(s) "active smartcard key(s)".
There are also keys recorded under ~/.gnupg/private-keys-v1.d/.  Let's
call those keys "recorded keys".  Those "recorded keys" can be private
keys on disk, or keys on a smartcard (a reference to the smartcard, not the
private key secret).  In response to the REQUEST_IDENTITIES command, gpg-agent
answers SSH with "active smartcard key(s)" + "recorded keys".
(Here, "recorded keys" may include "active smartcard key(s)".)

After that, the SSH server and client negotiate about keys and select a key.
Then, the SSH client asks gpg-agent (as ssh-agent) for challenge-response
authentication by signing, with the SIGN_REQUEST command.

> I can switch off the scdaemon via --disable-scdaemon but this has no
> effect.

With --disable-scdaemon, gpg-agent should stop accessing scdaemon.
Did you reload the settings (gpgconf --reload gpg-agent) after changing
your gpg-agent.conf?
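To see for yourself which identities the agent offers in the REQUEST_IDENTITIES exchange described above, the following is an added example (my own, not code from this thread or from GnuPG) that speaks the ssh-agent wire protocol to the socket in $SSH_AUTH_SOCK. The message numbers come from the ssh-agent protocol draft; the sample answer in build_sample_answer() is constructed with fake key bytes so the parser can be exercised without a running agent.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_request_identities() -> bytes:
    """Frame the REQUEST_IDENTITIES message that the SSH client sends to the agent."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def _read_string(msg: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", msg, off)
    if off + 4 + n > len(msg):
        raise ValueError("truncated string in agent message")
    return msg[off + 4:off + 4 + n], off + 4 + n


def parse_identities_answer(msg: bytes):
    """Parse an IDENTITIES_ANSWER body into (key_type, key_blob, comment) tuples."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = _read_string(msg, off)        # public key blob
        comment, off = _read_string(msg, off)     # free-text comment
        key_type, _ = _read_string(blob, 0)       # blob starts with its algorithm name
        ids.append((key_type.decode(), blob, comment.decode()))
    return ids


def build_sample_answer() -> bytes:
    """Constructed answer with two fake ed25519 identities (not real keys), shaped like
    gpg-agent's reply: one smartcard-backed key plus one recorded on-disk key."""
    blobs = [ssh_string(b"ssh-ed25519") + ssh_string(bytes([i]) * 32) for i in (1, 2)]
    body = struct.pack(">I", 2)
    body += ssh_string(blobs[0]) + ssh_string(b"constructed smartcard key")
    body += ssh_string(blobs[1]) + ssh_string(b"constructed recorded key")
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body


def list_agent_identities(path=None):
    """Send REQUEST_IDENTITIES to the agent socket and return the parsed identities."""
    path = path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(build_request_identities())
        (n,) = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))
        return parse_identities_answer(sock.recv(n, socket.MSG_WAITALL))
```

Running list_agent_identities() against gpg-agent with and without --disable-scdaemon (after gpgconf --reload gpg-agent) shows whether the smartcard-backed identities drop out of the answer.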
