
When a gpg smartcard (e.g. yubikey) is inserted and contains an authentication key, the key is automatically enrolled by the gpg-agent. That means the key is usable for any ssh operation without needing to add its keygrip inside the file ~/.gnupg/sshcontrol.

Source: Agent-Configuration documentation (look after the last line of text inside the sshcontrol paragraph)

On a specific computer I would like to disable this default behavior without disabling other features provided by the smartcard. I was hoping to be able to disable the authentication key by prepending a '!' to its keygrip inside the sshcontrol file, as described in the Agent-Configuration documentation (look after the second-to-last line of text inside the sshcontrol paragraph), e.g.:

!BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0 

But it does not work. With BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB being the keygrip of the authentication key.

Not related to disabling a key, I also tried to enable the confirm flag for the authentication key coming from the smartcard:

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0 confirm 

And it does not work either. I am really wondering if the gpg-agent reads the sshcontrol information for smartcard keys.

Settings of my infrastructure:

  • GnuPG version 2.2.12
  • only RSA 4096 bits keys
  • Have you tried reloading GPG agent, i.e. gpg-connect-agent reloadagent /bye ? See: wiki.archlinux.org/index.php/GnuPG#Reload_the_agent Commented Apr 2, 2020 at 13:51
  • I've just tried to be sure. Still the same behavior. In all other cases, gpg-agent reads the sshcontrol file again at every ssh query it receives; it would have been strange to need to restart it to take sshcontrol changes into account. Commented Apr 2, 2020 at 14:03

1 Answer

I'm late to the party but in 2024 this is still not working. No matter what you do, the key from the yubikey is added to the ssh agent and takes priority on any other key.

There is however a workaround: use an ssh config file and two different hostnames for the connection.

In the ~/.ssh/config file, you can specify a public key in the IdentityFile property. By pointing it at a file containing the appropriate public key, you force the usage of the corresponding private key in the agent. You need to add IdentitiesOnly yes to the connection.

So first you create two files with the public keys:

# ssh-add -L returns all the keys in ssh public key format
> ssh-add -L | grep cardno > ~/.ssh/a.pub                    # Yubikey public key
> ssh-add -L | grep '<b unique identifier>' > ~/.ssh/b.pub   # Other key

And then the SSH configuration:

Host a.github.com
    IdentityFile ~/.ssh/a.pub
    IdentitiesOnly yes
    Hostname github.com
    User git

Host b.github.com
    IdentityFile ~/.ssh/b.pub
    IdentitiesOnly yes
    Hostname github.com
    User git

Now the two identities work:

> ssh git@a.github.com
PTY allocation request failed on channel 0
Hi <firstuser>! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
> ssh git@b.github.com
PTY allocation request failed on channel 0
Hi <seconduser>! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

And you can clone private repositories for each account.
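A scripted form of the workaround in this answer, added here as an example and not part of the original post: it picks exactly one key out of the agent listing (failing when a pattern matches zero or several keys, which would otherwise leave the IdentityFile empty or ambiguous) and emits the matching Host stanza with IdentitiesOnly. The agent listing is passed in as text so it can run on the constructed sample below; the alias names, the SSH_CONFIG override and the key comments are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ssh-add -L` output: one smartcard key (comment
# "cardno:...") and two file-based keys. These are not real keys.
SAMPLE_AGENT_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0c0nstructed1 cardno:000601234567
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0c0nstructed2 user@laptop-b
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nstructed3 user@laptop-b-old'

# select_key LISTING PATTERN -> prints the single public-key line matching
# PATTERN; returns 1 when zero or more than one key matches, so that a
# `grep cardno`-style selection never silently writes an unusable IdentityFile.
select_key() {
    matches=$(printf '%s\n' "$1" | grep -F -- "$2" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one key matching %s, got %s\n' "$2" "$count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# host_stanza ALIAS REALHOST USER PUBFILE -> prints the ssh_config stanza that
# pins the connection to the key in PUBFILE; IdentitiesOnly keeps the agent
# from offering the smartcard key ahead of it.
host_stanza() {
    printf 'Host %s\n    Hostname %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$1" "$2" "$3" "$4"
}

# write_identity LISTING PATTERN PUBFILE ALIAS REALHOST USER -> writes the
# selected public key to PUBFILE and appends the stanza to the ssh config
# (default ~/.ssh/config, overridable through SSH_CONFIG for testing).
write_identity() {
    key=$(select_key "$1" "$2") || return 1
    printf '%s\n' "$key" > "$3"
    host_stanza "$4" "$5" "$6" "$3" >> "${SSH_CONFIG:-$HOME/.ssh/config}"
}
```

Run it against the real agent with `write_identity "$(ssh-add -L)" cardno ~/.ssh/a.pub a.github.com github.com git`, then repeat with the other key's comment and alias.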
