On 23/08/16 10:46, Karol Babioch wrote:
> However, it is annoying to be prompted for passphrases for each key in
> the keyring. This is even true for cases in which the public key of my
> smartcard is the first and only entry in authorized_keys on a SSH server.

Hmmmmm. I use both a smartcard and an encrypted on-disk key, and am never
prompted for a passphrase for a key that isn't listed in authorized_keys.

You can see a lot of the detail with:

$ ssh -vvv user@host

I can see how the client considers keys, offers them, and only when the
server indicates acceptance will it access the private key and prompt for a
passphrase.

See here how it first asks the server whether it would accept the key the
agent identifies by "/home/peter/.ssh/id_rsa", and the server declines
(that's not very explicit in the messages). I'm not prompted for the
passphrase for that key. The client then offers my smartcard, and the server
accepts. Only then am I prompted for the PIN.

--------------------8<----------------->8--------------------
[...]
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: cardno:000500000241
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
[...]
--------------------8<----------------->8--------------------

Are both the server and the client in your case OpenSSH? Do you have
non-standard options set relating to auth perhaps?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
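
The offer/accept/sign sequence described in the message above can be checked mechanically. This is an added example, not part of the original message: a Python parser that assumes the debug line wording shown in that log; the function names are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the message above.
SAMPLE_LOG = """\
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: cardno:000500000241
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
"""

OFFER = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")

def trace_key_offers(log_text):
    """Return one record per offered key: type, identity, outcome, signed."""
    offers, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = OFFER.match(line)
        if m:
            current = {"type": m.group(1), "identity": m.group(2),
                       "outcome": "no reply", "signed": False}
            offers.append(current)
        elif current is None:
            continue  # lines before the first offer say nothing about a key
        elif line.startswith("debug1: Authentications that can continue:"):
            if current["outcome"] == "no reply":
                current["outcome"] = "declined"  # server moved on without accepting
        elif line.startswith("debug1: Server accepts key:"):
            current["outcome"] = "accepted"
        elif line.startswith("debug3: sign_and_send_pubkey:"):
            current["signed"] = True  # private key is used here (passphrase/PIN)
    return offers

def unexpected_private_key_use(offers):
    """Identities that were signed with although the server never accepted them."""
    return [o["identity"] for o in offers if o["signed"] and o["outcome"] != "accepted"]

if __name__ == "__main__":
    for o in trace_key_offers(SAMPLE_LOG):
        print(o["identity"], o["outcome"], "signed" if o["signed"] else "not signed")
```

An empty result from `unexpected_private_key_use` matches the behaviour Peter reports: the private key is only touched for a key the server has accepted.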