Mailing List Archive

gpg-agent only checks for smartcard not for local keys
I have installed GnuPG Windows on a Windows 10 machine and I'd like to use
it with Putty for key-based ssh authentication together with a smartcard. I
got everything working fine.

The only problem I have is that the gpg-agent always checks for the
smartcard even when keys are not stored on a smartcard.

gpg-connect-agent "keyinfo --list" /bye

S KEYINFO 16F96695784023BBD32BE7D9F8320568156CB76A D - - - P - - -
S KEYINFO 3D3DE2508675ECE9856242056D8A5956E35B056E D - - - P - - -
S KEYINFO C8316A470CEB466B4565C55B7FB8A98BA10BB558 D - - - P - - -
S KEYINFO C9376FD06A963284ADC1EF46861EC611C5D780B7 D - - - P - - -

This shows that all keys are located on disk (the column with the "D"), but
the gpg-agent log shows that the agent gets a request from Putty via the
"Pageant" option and checks for a smartcard via the scdaemon.

2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map file 'PageantRequest00003d68'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map handle 0x00000338
2019-11-01 19:44:18 gpg-agent[6304] DBG: my sid: 'S-1-5-21-2710969852-3158981170-84828875-1001'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map file sid: 'S-1-5-21-2710969852-3158981170-84828875-1001'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh IPC buffer at 0x00670000
2019-11-01 19:44:18 gpg-agent[6304] ssh request handler for request_identities (11) started
2019-11-01 19:44:18 gpg-agent[6304] new connection to SCdaemon established (reusing)
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x00000314 -> SERIALNO
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x00000314 <- ERR 100696144 No such device <SCD>
2019-11-01 19:44:18 gpg-agent[6304] ssh request handler for request_identities (11) ready
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x00000314 -> RESTART
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x00000314 <- OK

I do not understand how the gpg-agent determines where to look for the
private key (disk or smartcard) and where this is configured. I can switch
off the scdaemon via --disable-scdaemon but this has no effect.

When I copy the secret key to the smartcard via keytocard in gpg everything
works fine.

Re: gpg-agent only checks for smartcard not for local keys
Hello,

Horst Skatmus wrote:
> The only problem I have is that the gpg-agent always checks for the
> smartcard even when keys are not stored on a smartcard.

When gpg-agent works as ssh-agent, it always checks for a (possible)
authentication key on the smartcard, so that the authentication key (when
available) can be used.

Specifically, the SSH client asks ssh-agent about available keys with the
REQUEST_IDENTITIES command. When gpg-agent (as ssh-agent) gets the
REQUEST_IDENTITIES command, it checks scdaemon about possible
authentication keys. Let's call those key(s) "active smartcard key(s)".
There are also keys recorded under ~/.gnupg/private-keys-v1.d/. Let's
call those keys "recorded keys". Those "recorded keys" can be private
keys on disk, or keys on smartcard (reference to smartcard, not private
key secret). For response to REQUEST_IDENTITIES command, gpg-agent
answers SSH "active smartcard key(s)" + "recorded keys".
(Here, "recorded keys" may include "active smartcard key(s)".)

After that, SSH server + client negotiate about keys and select a key.
Then the SSH client asks gpg-agent (as ssh-agent) to perform the
challenge-response authentication by signing with the SIGN_REQUEST command.


> I can switch off the scdaemon via --disable-scdaemon but this has no
> effect.

With --disable-scdaemon, gpg-agent should stop accessing scdaemon.
Did you reload the settings (gpgconf --reload gpg-agent) after changing
your gpg-agent.conf?
--

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent only checks for smartcard not for local keys
On Sat, 2 Nov 2019 12:20, Horst Skatmus said:

> I do not understand how the gpg-agent determines where to look for the
> private key (disk or smartcard) and where this is configured. I can switch
> off the scdaemon via --disable-scdaemon but this has no effect.

At the time you use ssh-add (putty has a similar feature iirc) the key
is copied to GnuPG's private key store and added to the file sshcontrol
in GnuPG home directory ("gpgconf --list-dirs" shows this).

You can also add the key manually to the file. An entry there looks
like:

# Ed25519 key added on: 2016-11-29 10:28:00
# MD5 Fingerprint: b5:f9:23:5f:b2:8c:b2:58:7d:b3:1e:f4:7e:26:33:7c
1934563577D9EDA59D3CC74B0CF9C630EA3F302D 0

The header of the sshcontrol file has comments on the syntax.
In short you put the keygrip (as shown in the KEYINFO lines or in
"gpg -k --with-keygrip") followed by the TTL for the cache
(0 for the default).

gpg-agent accesses the smartcard because the authentication key of an
inserted card is implicitly enabled for ssh. Which key this is depends
on the card and gpg-agent knows how to query this.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
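As an added example (not code from this thread or from GnuPG itself), the following Python ties together the two artefacts the replies talk about: the KEYINFO lines from `gpg-connect-agent "keyinfo --list" /bye` that the original poster quoted, and the sshcontrol file format from Werner's reply (keygrip, TTL, optional flags, `#` comments, `!` prefix for a disabled entry). On top of those it models, in simplified form, the REQUEST_IDENTITIES answer described in the first reply: the inserted card's authentication key (when scdaemon finds a card) plus the enabled recorded keys. The KEYINFO field order and the `T`/`D` storage codes are taken from gpg-agent's status line layout; the card-backed keygrip `AAAA0000...`, its serial number and the sshcontrol contents are constructed sample data, and `ssh_identities` is a model of the behaviour, not gpg-agent's code.

```python
"""Audit which sshcontrol entries depend on a smartcard, from KEYINFO output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KEYGRIP_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample: the four KEYINFO lines quoted in the first post plus one
# hypothetical card-backed key (storage type 'T', placeholder serial number).
KEYINFO_OUTPUT = """\
S KEYINFO 16F96695784023BBD32BE7D9F8320568156CB76A D - - - P - - -
S KEYINFO 3D3DE2508675ECE9856242056D8A5956E35B056E D - - - P - - -
S KEYINFO C8316A470CEB466B4565C55B7FB8A98BA10BB558 D - - - P - - -
S KEYINFO C9376FD06A963284ADC1EF46861EC611C5D780B7 D - - - P - - -
S KEYINFO AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 T SERIAL-PLACEHOLDER - - - - - -
OK
"""

# Constructed sshcontrol: an enabled on-disk key, a disabled one ('!'), the
# hypothetical card key with a flag, and a keygrip that has no key file.
SSHCONTROL = """\
# List of allowed ssh keys.  Format: <keygrip> <ttl> [flags]
16F96695784023BBD32BE7D9F8320568156CB76A 0
!3D3DE2508675ECE9856242056D8A5956E35B056E 0
AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 0 confirm
1934563577D9EDA59D3CC74B0CF9C630EA3F302D 0
"""


@dataclass
class KeyInfo:
    keygrip: str
    storage: str     # 'D' on disk, 'T' on a token/smartcard, 'X' missing, '-' unknown
    serialno: str    # card serial for 'T' keys, '-' otherwise
    protection: str  # 'P' passphrase-protected, 'C' clear, '-' unknown


@dataclass
class SshControlEntry:
    keygrip: str
    ttl: int                               # passphrase cache TTL, 0 = agent default
    flags: List[str] = field(default_factory=list)
    disabled: bool = False                 # '!' prefix in sshcontrol


def parse_keyinfo(output: str) -> Dict[str, KeyInfo]:
    """Parse 'S KEYINFO <grip> <type> <serialno> <idstr> <cached> <prot> ...' lines."""
    keys: Dict[str, KeyInfo] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[:2] != ["S", "KEYINFO"]:
            continue  # skip OK/ERR and blank lines
        grip = parts[2]
        if not KEYGRIP_RE.match(grip):
            raise ValueError(f"malformed keygrip in KEYINFO line: {line!r}")
        keys[grip] = KeyInfo(grip, parts[3], parts[4], parts[7])
    return keys


def parse_sshcontrol(text: str) -> List[SshControlEntry]:
    """Parse sshcontrol: comments, blank lines, '!' disabled marker, keygrip, ttl, flags."""
    entries: List[SshControlEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("!")
        fields = line.lstrip("!").split()
        grip = fields[0].upper()
        if not KEYGRIP_RE.match(grip):
            raise ValueError(f"malformed sshcontrol line: {raw!r}")
        ttl = int(fields[1]) if len(fields) > 1 else 0
        entries.append(SshControlEntry(grip, ttl, fields[2:], disabled))
    return entries


def ssh_identities(keys: Dict[str, KeyInfo], entries: List[SshControlEntry],
                   card_auth_keygrip: Optional[str] = None) -> List[str]:
    """Simplified model of the REQUEST_IDENTITIES answer from the thread:
    active smartcard key (if a card was found) + enabled recorded keys."""
    offered: List[str] = []
    if card_auth_keygrip is not None:
        offered.append(card_auth_keygrip)
    for e in entries:
        # entries without a key file are skipped; duplicates are not repeated
        if e.disabled or e.keygrip not in keys or e.keygrip in offered:
            continue
        offered.append(e.keygrip)
    return offered


def audit_sshcontrol(keys: Dict[str, KeyInfo],
                     entries: List[SshControlEntry]) -> Dict[str, str]:
    """Say, per sshcontrol entry, whether ssh with that key needs a card."""
    verdicts: Dict[str, str] = {}
    for e in entries:
        info = keys.get(e.keygrip)
        if info is None:
            verdicts[e.keygrip] = "no key file in private-keys-v1.d; agent skips it"
        elif e.disabled:
            verdicts[e.keygrip] = "disabled ('!' prefix); not offered to ssh"
        elif info.storage == "T":
            verdicts[e.keygrip] = f"stub for card {info.serialno}; needs scdaemon and the card"
        elif info.storage == "D":
            verdicts[e.keygrip] = "private key on disk; works without a card"
        else:
            verdicts[e.keygrip] = f"storage type {info.storage!r}; inspect the key file"
    return verdicts


if __name__ == "__main__":
    keys = parse_keyinfo(KEYINFO_OUTPUT)
    entries = parse_sshcontrol(SSHCONTROL)
    print("offered, no card present:", ssh_identities(keys, entries))
    for grip, verdict in audit_sshcontrol(keys, entries).items():
        print(grip, "->", verdict)
```

Run it against your own `keyinfo --list` output and sshcontrol file to see which entries would still work with scdaemon disabled: every entry reported as "private key on disk" is independent of the card, while "stub for card" entries are the ones that need the SERIALNO query seen in the log above.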