
gpg-agent ssh key order in version 2.3.7
Hello,

I have a question regarding the gpg-agent changes in 2.3.7.

I have the following setup:
- gpg-agent configured as ssh-agent, with
- 1 auth subkey, protected by a passphrase
- 1 auth subkey stored on a yubikey.

Prior to upgrading to gnupg 2.3.7, gpg would prompt me for the yubikey
pincode and use it if it was inserted, and for the passphrase otherwise.

Starting with 2.3.8, it always asks for the passphrase. Hitting 'cancel'
makes it try the yubikey, but this happens again on the next invocation.

Looking at the code changes, it looks like the ordering from the sshcontrol
file is no longer used. I see that I can use "Prompt: no" to ignore the
yubikey if it is not inserted, but can't figure out how to make it try the
yubikey before the password-protected key.

How can I best restore the old behavior?

Thanks!
Yorick
Re: gpg-agent ssh key order in version 2.3.7
On Fri, 20 Jan 2023 15:07, Yorick van Pelt said:

> yubikey if it is not inserted, but can't figure out how to make it try the
> yubikey before the password-protected key.
>
> How can I best restore the old behavior?

Unfortunately there is no way to do this right now. The tentative plan
is to assign a priority based on the line number to the sshcontrol
listed keys. Also we can set a priority to Use-for-ssh: flagged key
files.

See https://dev.gnupg.org/T6212

I guess it can make it into 2.4.1.


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein