gpg-agent only checks for smartcard not for local keys
gniibe at fsij.org
Mon Nov 4 11:15:29 CET 2019
Horst Skatmus wrote:
> The only problem I have is that the gpg-agent always checks for the
> smartcard even when keys are not stored on a smartcard.
When gpg-agent works as ssh-agent, it always checks (possible)
authentication key on smartcard, so that the authenticaiton key (when
available) can be used.
Specifically, SSH client askes ssh-agent about available keys by
REQUEST_IDENTITIES command. When gpg-agent (as ssh-agent) gets
REQUEST_IDENTITIES command, it checks scdaemon about possible
authentication keys. Let's call those key(s) "active smartcard key(s)".
There are also keys recorded under ~/.gnupg/private-keys-v1.d/. Let's
call those keys "recorded keys". Those "recorded keys" can be private
keys on disk, or keys on smartcard (reference to smartcard, not private
key secret). For response to REQUEST_IDENTITIES command, gpg-agent
answers SSH "active smartcard key(s)" + "recorded keys".
(Here, "recorded keys" may include "active smartcard key(s)".)
After that, SSH server + client negotiate about keys and select a key.
Then, SSH client asks gpg-agent (as ssh-agent) a challenge-response
authentication by signing with SIGN_REQUEST command.
> I can switch off the scdaemon via --disable-scdaemon but this has no
With --disable-scdaemon, gpg-agent should stop accessing scdaemon.
Do you reload setting (gpgconf --reload gpg-agent) after changing
More information about the Gnupg-users