Cannot export SSH public key

Felix E. Klee felix.klee at
Tue Nov 28 08:37:55 CET 2023

On Thu, Nov 23, 2023 at 10:17 AM Felix E. Klee <felix.klee at>
> Can you explain why the output of `ssh-add -L` did not change? Also
> why is it not the same as the output from `gpg --export-ssh-key
> yubikey at`?

OK, I may have found the issue:

    $ grep -rl Use-for-ssh ~/.gnupg/private-keys-v1.d/*

That’s the key grip of the master key:

    $ gpg -k --with-keygrip yubikey at
    pub   rsa4096 2023-06-29 [SC]
          Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
    uid           [ultimate] Felix E. Klee (YubiKey) <yubikey at>
    sub   rsa4096 2023-06-29 [E]
          Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
    sub   rsa4096 2023-11-22 [A]
          Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5

I don’t remember adding this, but I guess I did, maybe some months ago.
Anyhow, now I removed `Use-for-ssh` from that key.

I then added the keygrip of the authentication key to
`~/.gnupg/sshcontrol`. However, that doesn’t work:

    $ ssh-add -l
    The agent has no identities.

Only if I add the key grip of the master key to `~/.gnupg/sshcontrol`,
then `ssh-add -l` is happy. But this seems wrong.

I notice that the private key stub of the authentication sub key isn’t
present in `~/.gnupg/private-keys-v1.d`:

    $ ls -1 ~/.gnupg/private-keys-v1.d/

*How do I generate the private key stub for the authentication sub key?*

`gpg --card-status` doesn’t do it.
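
The state described in this message (the authentication subkey's keygrip listed in `~/.gnupg/sshcontrol` while no stub for it exists in `private-keys-v1.d`) can be shown per key with a small read-only audit. This is an added example, not part of the original post: the function names are hypothetical, the demo directory is constructed, and the listing is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): per-key audit of stub files,
# sshcontrol entries and the Use-for-ssh marker. Function names are hypothetical.

# keygrips LISTING -> "CAPS KEYGRIP" per key, parsed from `gpg -k --with-keygrip` text
keygrips() {
    awk '/^ *(pub|sub|sec|ssb) / { caps = $4; gsub(/\[|\]/, "", caps) }
         /Keygrip = /            { print caps, $3 }' "$1"
}

# has_stub KEYGRIP KEYDIR -> true if KEYDIR/KEYGRIP.key exists
has_stub() { [ -f "$2/$1.key" ]; }

# has_attr KEYGRIP KEYDIR -> true if that key file mentions Use-for-ssh
has_attr() { has_stub "$1" "$2" && grep -q 'Use-for-ssh' "$2/$1.key"; }

# ssh_enabled KEYGRIP SSHCONTROL -> true if listed; "#" and "!"-prefixed lines do not count
ssh_enabled() { [ -f "$2" ] && grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2"; }

# audit LISTING KEYDIR SSHCONTROL -> one status line per key
audit() {
    keygrips "$1" | while read -r caps grip; do
        stub=no; ctl=no; attr=no
        has_stub "$grip" "$2" && stub=yes
        ssh_enabled "$grip" "$3" && ctl=yes
        has_attr "$grip" "$2" && attr=yes
        echo "$caps $grip stub=$stub sshcontrol=$ctl use-for-ssh=$attr"
    done
}

# demo: constructed directory reproducing the state in the post
# (master-key stub present, [A] keygrip in sshcontrol, no stub for it)
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/listing" <<'EOF'
pub   rsa4096 2023-06-29 [SC]
      Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
sub   rsa4096 2023-06-29 [E]
      Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096 2023-11-22 [A]
      Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
EOF
    mkdir "$d/keys"
    : > "$d/keys/0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key"
    echo 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5 > "$d/sshcontrol"
    audit "$d/listing" "$d/keys" "$d/sshcontrol"
    rm -rf "$d"
}
demo
```

Against a real setup, save the output of `gpg -k --with-keygrip` to a file and call `audit` with that file, `~/.gnupg/private-keys-v1.d` and `~/.gnupg/sshcontrol`; the script only reads these and does not create the missing stub.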
