Using a GnuPG crypted RSA key for SSH

Matthias Apitz guru at
Fri May 3 10:38:41 CEST 2024

On Thursday, May 02, 2024 at 07:46:33 +0200, Werner Koch via Gnupg-users wrote:

> On Thu,  2 May 2024 15:31, Matthias Apitz said:
> > which locks the card again. Any ideas?
> If you really want to reset the card after an operation _and_ you are
> using pcscd you can use
>   ...

Thanks for all the hints. The problem with this OpenPGP card in the
cellphone L5 is that it is not a USB dongle which one could pull out
to invalidate access to the keys. It sits inside the phone as a
Micro-SIM below the battery.

So I now do with ~/.ssh/config:

Host *
    # note: this needs in /etc/ssh/ssh_config:  PermitLocalCommand yes
    LocalCommand gpgconf --reload scdaemon

This resets the card right after the PIN was provided for the SSH
session. This works fine for the ssh(1) command, but not for the scp(1)
command. Even when I say:

$ scp "-oPermitLocalCommand=yes" foo

The "ssh" launched by "scp" shows in strace that it is launched with
the value "-oPermitLocalCommand=no":

$ grep exec
10205 execve("/usr/bin/scp", ["scp", "-oPermitLocalCommand=yes", "foo", ""...], 0xffffdf2147a0 /* 32 vars */) = 0
10206 execve("/usr/bin/ssh", ["/usr/bin/ssh", "-x", "-oPermitLocalCommand=no", "-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", "PermitLocalCommand=yes", "-oForwardAgent=no", "-l", "XXXXXXXXXXXXXXXX", "--", "", "scp -t ."], 0xffffe38c6780 /* 32 vars */) = 0

To overcome this problem I now use a macro "scp" defined in ~/.bashrc:

function scp {
   # run the real scp binary, passing all arguments through unchanged
   $(which scp) "$@"
   # lock the OpenPGP card again
   gpgconf --reload scdaemon
}


Matthias Apitz, ✉ guru at, +49-176-38902045
Public GnuPG key:

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
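The wrapper in the mail returns the exit status of gpgconf rather than that of scp, so a failed transfer looks successful to callers and scripts. The following is an added example, not code from the mail or from GnuPG: a POSIX sh wrapper that runs the real scp, always resets the card afterwards (also when the transfer failed, so the key is locked again), and preserves scp's own exit status. The names run_then_reset and GPG_RESET_CMD are assumptions; GPG_RESET_CMD defaults to the gpgconf --reload scdaemon call from the mail and can be overridden so the wrapper can be exercised without a card.

```sh
#!/bin/sh
# Added example (not part of the original mail). Assumed hook: the command
# that locks the card again. Defaults to the scdaemon reload from the mail.
: "${GPG_RESET_CMD:=gpgconf --reload scdaemon}"

# run_then_reset CMD [ARGS...]
# Runs CMD with its arguments, then runs $GPG_RESET_CMD regardless of how
# CMD ended, and returns CMD's exit status (not the reset command's), so
# a failed transfer is still reported as a failure to the caller.
run_then_reset() {
    "$@"
    _rc=$?
    # The hook is word-split on purpose: it is a command line, not a path.
    # A failing reset is reported but does not mask the transfer result.
    if ! $GPG_RESET_CMD >/dev/null 2>&1; then
        printf 'warning: reset hook failed, card may still be unlocked\n' >&2
    fi
    return $_rc
}

# scp wrapper for the interactive shell. 'command' bypasses this function
# so the real scp binary runs; every argument is passed through unchanged.
scp() {
    run_then_reset command scp "$@"
}
```

Drop the file into ~/.bashrc (or source it) in place of the function from the mail. Because the reset runs after the wrapped command in every case, a transfer that aborts half way still leaves the card locked, and because the wrapped command's status is returned, `scp ... || echo failed` behaves as it would with the plain binary.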
