Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

Daniel Haid d.haid at gogi.tv
Thu Jun 25 11:24:36 CEST 2020


 > I've successfully set it up, now whenever I restart gpg-agent (e.g. on
 > reboot), it will ask for the passphrase twice, once for the GPG keys,
 > once for the SSH keys, even though they are the same passphrases.

I need a solution for this same problem.

 > You may now wonder why this does not happen when you decrypt a mail,
 > reply to it and sign the reply. [...] gpg-agent knows about it and
 > tries the last passphrase used for any of the subkeys of a key.

However, even if the primary key has capabilities [SCA] and one
subkey has capability [E], if I use the subkey for encryption
first and then try to use the primary key for SSH I am asked
for the passphrase again. Is this expected?

 > No, there is no way to configure an extra hack to also test a
 > passphrase for an ssh key.

Do you not think this could be useful? Gnupg uses the same passphrase
for the primary key and all subkeys by default, so this should be
a common setup?

 > I thought of one way, but really is a hack and it's predicated on the
 > standard key access being invoked first.  If SSH always comes first
 > then it won't work.

Could you tell me what your hack is?

My current solution is to use one primary key with [SCA] capabilities
and one [E] subkey. In my scripts, instead of
    gpg --decrypt [...] && ssh [...]
I now use
    gpg -s </dev/null >/dev/null && gpg --decrypt [...] && ssh [...]
which asks for my passphrase once for signing and then uses it
for decrypting and for ssh.

Do you know any clean way to do this?

Note that I only need this for scripts that do multiple things
simultaneously, so I *can* run arbitrary commands first.

It would be perfectly fine for me to send something like
    "ask for only one passphrase and try to unlock KEYGRIP1
    and KEYGRIP2 with it"
to the agent. (Or, even better
    "if the passphrase for KEYGRIP1 or KEYGRIP2 is cached,
    try to unlock the other one with that. Otherwise ask for
    one passphrase and unlock both".)
Is such a thing possible?

Regards,
DH
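One way to make the warm-up step conditional, as an added example that is not part of the post above: ask gpg-agent whether the passphrase for a keygrip is already cached and only run the throwaway `gpg -s` when it is not. This assumes the agent's `KEYINFO` reply has the layout `S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...` with `<cached>` equal to `1` when the passphrase is held in the cache (the field layout is my reading of the Assuan protocol, not something the post states), and that keygrips can be listed with `gpg --with-keygrip -K`. The sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.
# Assumed KEYINFO reply layout (one status line per key):
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# with <cached> = "1" when the passphrase is in gpg-agent's cache.

# keyinfo_cached LINE
#   Parse one KEYINFO status line; succeed (exit 0) only if it reports a cached key.
#   Constructed sample input: "S KEYINFO ABCDEF0123 D - - 1 P - - -"
keyinfo_cached() {
    set -- $1
    # $1=S $2=KEYINFO $3=keygrip $4=type $5=serialno $6=idstr $7=cached
    [ "$2" = "KEYINFO" ] && [ "$7" = "1" ]
}

# agent_key_cached KEYGRIP
#   Query the running agent for one keygrip (found with: gpg --with-keygrip -K).
agent_key_cached() {
    line=$(gpg-connect-agent "KEYINFO $1" /bye 2>/dev/null | grep '^S KEYINFO') || return 1
    keyinfo_cached "$line"
}

# warm_cache KEYGRIP
#   If the passphrase is not cached yet, perform the throwaway signing from the post
#   so the agent prompts exactly once; subsequent decrypt and ssh steps reuse it.
warm_cache() {
    agent_key_cached "$1" && return 0
    gpg -s </dev/null >/dev/null
}

# Typical use in a script (placeholder keygrip and commands):
#   warm_cache "KEYGRIP1" && gpg --decrypt file.gpg && ssh host
```

`keyinfo_cached` is separated from the agent call so the parsing can be checked without a running agent; `warm_cache` short-circuits when the cache is already warm, so repeated script runs do not prompt again while the cache TTL has not expired.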
