On Wed, Nov 22, 2023 at 8:57 PM Werner Koch <w...@gnupg.org> wrote: > Here is the snippet from by ~/.bashrc
I have a similar config. Thank you for the detailed explanation! Only the following line does not work right after autologin (default with Ubuntu / WSL2), seems like something is not ready yet. gpg-connect-agent updatestartuptty /bye > What is in your ~/.gnupg/sshcontrol file? It’s empty, with only comments at the top. I left it that way, and proceeded as follows: > Instead of putting this into sshcontrol you may also put them into the > private-keys-v1.d/<KEYGRIP>.key file with a line: > > Use-for-ssh: yes I added that to 0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key, which is my master key. But it still doesn’t work, see below. Should I add a file with the authentication key instead? > gpg --export-ssh-key > > Adds a comment with the keyid - is that one correct? Does it match what > you see with > > ssh-add -L Output: $ gpg -k --with-keygrip yubi...@f76.eu pub rsa4096 2023-06-29 [SC] 7A0FE73DDB744F0F97341DA71BE349D11B6ED589 Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786 uid [ultimate] Felix E. Klee (YubiKey) <yubi...@f76.eu> sub rsa4096 2023-06-29 [E] Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2 sub rsa4096 2023-11-22 [A] Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5 $ gpg --export-ssh-key yubi...@f76.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2 Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4 ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B $ ssh-add -L ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpsX4nQnLh3SJDdIDkdX0DFY4c2uFu 6QJRPrXyub32Ae5SX+3rQnhj/7U8PGFG5LbRT8NVHMyxmoXAHda3wZ1Za3mTC8oWUPSz dIlSgB7HrVNvmP0fvk0b1V9BOkBJrV6RMMNLEssiD9PCiI95z1+uEbxr9tZAJO/lDYnU jhEK6PykBhQiJISHpWnWmE0qj+84wQ+/cEPJYnt4tgqLuFH+COFGBVuN6DDi6ubbDlCy 693UqQjWSNi1A34JmUKFOw5Kt0It3Qj3nNVdm8/hRiVZ84qPVbF1Vvp0gZ9k1sFg+3O9 LZYo0vZ73gLMx6AjO1A+Cqcef/e6O+aT+CVgINQ6oaDMyKtHkD7caflg8nPrmiVASxTe nn51W3Uiu1wksrtEH2HCUcLXpMWKNTjjwpUUTSmMy4m069K5SENsjzsMsHiN2cTxdNu5 CufP1Q3XtGI4VCdW5ql0vgZMCPHIuXHLyFpz9scc2I68B8YnoMzzH0CDyLpjudBRlup+ BZD1g2xlCWB9f+43Oy+Ibf5wAW8/gjk5ly6fhQwB712GTHXNKpPl2ymXgtP2v0K48TE7 OsIfR0sBk2LbwuXr2tLB1WYgrNYs8YY83u/HC6RWHskrcIRq75ahcdeTu8Ukdz1VhAdL sk25F529lMjW0CgshB9xvFxCwFzcGMmHniuMjoFN6Q== cardno:18 698 015 $ ssh-add -l 4096 SHA256:Pun8mwtl04HFOK8Z1LbCRZ/oQLgZDpkgNHU5/E1MM8I cardno:18 69 8 015 (RSA) As you see, the public keys are different. `ssh-add -L` does not add the key ID. So I’ve no idea what is going on. The key exported by `ssh-add -L` works. I get asked for the PIN, the Yubikey blinks, and then I’m in: $ ssh u...@example.com [user@example ~]$ The key exported by `gpg --export-ssh-key yubi...@f76.eu` does not work: $ ssh u...@example.com u...@example.com: Permission denied (publickey). As it works with the key exported with `ssh-add -L`, maybe I should not complain. However what confuses me is that the output of `ssh-add -L` does not change after I replaced the authentication subkey. Can you explain why the output of `ssh-add -L` did not change? Also why is it not the same as the output from `gpg --export-ssh-key yubi...@f76.eu`? (Background: I replaced the authentication subkey because the first time I added it, I forgot to make a backup of the updated secret key.) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users