Using a GnuPG crypted RSA key for SSH

Werner Koch wk at
Thu May 2 19:46:33 CEST 2024

On Thu,  2 May 2024 15:31, Matthias Apitz said:

> which locks the card again. Any ideas?

If you really want to reset the card after an operation _and_ you are
using pcscd you can use

  gpg-connect-agent 'scd disconnect' /bye

But killing scdaemon is probably the easier and more reliable way:

  gpgconf -K scdaemon

does this by sending the kill command

  gpg-connect-agent 'scd killscd' /bye

Some card applications require a VERIFY command (i.e. asking for the
PIN) for each operation.  An OpenPGP card does this only for the signing
key and only if that feature has been enabled (force command of
--card-edit).  Remember that there is no PIN cache[1] but the card
application tales the descision when and how often a PIN is required
after power up (of the card).

If you only want to be asked whether the ssh-key shall be used, you can
put a line

  Confirm: yes

into the private-keys-v1.d/<keygrip>.key file of the AUTH (shadow-)key:

  *** Confirm
  If given and the value is "yes", a user will be asked confirmation by
  a dialog window when the key is about to be used for
  PKSIGN/PKAUTH/PKDECRYPT operation.  If the value is "restricted", it
  is only asked for the access through extra/browser socket.



[1] Actually there is a PIN cache to allow a Yubikey to switch between
the OpenPGP and PIV appications back anf forth without requiring a PIN
after each switch.  A sample use-case is sending PGP signed mails and
also using a browser or IMAP server with user certificate based

The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list