"gpg --card-edit" with multiple card readers (Yubikey)
Juanjo
villapla+gnupg-users at uji.es
Mon Jul 10 10:48:07 CEST 2023
On Fri, Jul 7, 2023 at 2:54 PM Werner Koch <wk at gnupg.org> wrote:
>
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>
> > This works fine with a single Yubikey, but we wanted to have more than
> > one connected at the same time in order to batch-configure them and
> > even to try to use multiple SSH key authentication in specific target
>
> Most of the time I am using several Yubikeys and other smartcards. Some
> even remotely. For example I use an SSH connection with socket
> forwarding to our build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
>
> I should eventually describe the environment. As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files (Use-for-p11,
> Use-for-ssh).
>
> To create keys, use gpg-card which can easily be scripted. Examples:
>
> $ " list D2760001240100000006154932830000 \
> -- yubikey disable nfc all \
> -- yubikey disable usb otp u2f piv oath fido2 \
> -- yubikey list
> OTP no no
> U2F no no
> OPGP yes no
> PIV no no
> OATH no no
> FIDO2 no no

OK, we are currently using Yubico "ykman" to do this job, it's nice
that "gpg-card" can configure this natively.

There are other settings managed via "ykman" not provided by "gpg-card":
* The number of PIN retry attempts: ykman openpgp access set-retries
* The touch policy: ykman openpgp keys set-touch

> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
> Create a new key on a card.
> Use --force to overwrite an existing key.
> Use "help" for ALGO to get a list of known algorithms.
> For OpenPGP cards several algos may be given.
> Note that the OpenPGP key generation is done interactively
> unless a single ALGO or KEYREF are given.
> [Supported by: OpenPGP, PIV]

According to gpg-card [1], only the LIST command accepts parameter [n]
to select a specific Yubikey (via card number, provided by "gpg-card
list --cards", or serial number).

But playing a little more with gpg-card (still version 2.3.3) I have
noticed that the LIST command "changes" the default card for the
following commands in the same invocation, so I can achieve my
initial goal:

$ gpg-card list D2760001240100000006154932830000 -- generate
$ gpg-card list D2760001240100000006154932830000 -- passwd pinref

where "pinref" is the numeric menu entry you use in interactive mode:

$ gpg-card
Reader ...........: Yubico YubiKey CCID 02 00
Card type ........: yubikey
Card firmware ....: 5.4.3
[...]
gpg/card> passwd
OpenPGP card no. XX YY ZZZ detected
1 - change the PIN
2 - unblock and set new a PIN
3 - change the Admin PIN
4 - set the Reset Code
Q - quit
Your selection? Q
gpg/card> Q
$

Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
used to change from default rsa2048 to rsa4096.

Werner, thanks for your help, but I think we are going to use the
gnupg version shipped with AlmaLinux 9 and configure the Yubikey one
by one.

Regards,
Juanjo

> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
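The "list SERIAL -- command -- command" trick from the post, turned into a batch loop over every connected Yubikey, as an added example that is not code from the thread or from GnuPG. It assumes a few things the thread does not state: the exact output format of "gpg-card list --cards" is not shown, so the script only picks 32-hex-digit OpenPGP AIDs starting with D27600012401 out of whatever that command prints; GPG_CARD, DRY_RUN and the file name yubikey-batch.sh are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): batch-configure every connected
# YubiKey with gpg-card by prefixing each command list with "list AID",
# which selects that card for the commands that follow in the invocation.
# Assumed here: "gpg-card list --cards" output is only scanned for AIDs
# (format not shown in the thread); GPG_CARD, DRY_RUN and the script
# name yubikey-batch.sh are conventions of this script.
set -eu

GPG_CARD="${GPG_CARD:-gpg-card}"
DRY_RUN="${DRY_RUN:-1}"   # default to printing the plan, not executing it

# Pull OpenPGP application identifiers (AIDs) out of card-list text on
# stdin, one per line, deduplicated. Yubikey OpenPGP AIDs are 32 hex digits
# beginning with the registered OpenPGP application prefix D27600012401.
extract_openpgp_aids() {
    grep -oE 'D27600012401[0-9A-F]{20}' | sort -u
}

# Per-card command list: select the card, generate keys (interactive unless
# --algo is given), then run the passwd menu for entry 1 (user PIN) and
# entry 3 (Admin PIN), the same steps the post runs card by card.
card_argv() {
    printf 'list %s -- generate -- passwd 1 -- passwd 3' "$1"
}

# Turn card-list text on stdin into one gpg-card command line per card.
plan_commands() {
    extract_openpgp_aids | while IFS= read -r aid; do
        printf '%s %s\n' "$GPG_CARD" "$(card_argv "$aid")"
    done
}

# Enumerate the connected cards, then configure each in its own invocation.
batch_configure() {
    "$GPG_CARD" list --cards | plan_commands | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '[dry-run] %s\n' "$cmd"
        else
            $cmd   # unquoted on purpose: split the planned line into words
        fi
    done
}

# Run only when executed as the script itself, not when sourced.
if [ "${0##*/}" = "yubikey-batch.sh" ]; then
    batch_configure
fi
```

The numeric passwd entry only picks which PIN to change; pinentry still prompts for the old and new values on each card, so DRY_RUN=0 batches the card selection, not the secrets.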