Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
I just want to point out that one may want to add the keygrip to the 
sshcontrol file along with the "confirm" option to get asked by pinentry 
each time ssh requests gpg-agent to sign an ssh challenge (e.g. an ssh 
login). This is at least a useful option if you login to a remote host 
with agent forwarding enabled. I know that there are more secure 
alternatives to agent forwarding but I guess it is still used because of 
its simplicity. I also use it from time to time *shame*

But that's the only reason I know why one would add it to sshcontrol.

Regards
the2nd

On 2016-01-16 00:47, Glenn Rempe wrote:

Thanks Peter, I was not aware of that (and it certainly explains the
double entry in ssh-add -l).

btw, Werner was not writing that response to me. It was just pointed
out to me, so yes it was probably not smart card specific I would guess.
I'll update the blog post to reflect that we probably do not need to
modify sshcontrol for use with Yubikey.

Back to the main issue I am having. I followed the instructions to
output a verbose scdaemon log while I was exercising this issue. Here is
a gist with the commands I was running and the resulting logfile.

https://gist.github.com/grempe/e143796b8f399f5fa391 [5]

Perhaps NIIBE Yutaka or someone else more knowledgeable than I can
take a look and get us closer to resolution. :-)

Thanks to everyone who is helping.

On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing wrote:


On 15/01/16 21:17, Glenn Rempe wrote:

I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html [1]

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html [2]
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key [3]

Is this suggestion outdated?


No, but I'm fairly sure Werner did not realise you were using a
smartcard when he wrote that. Obviously, I can't look into the man's
mind, but that's my guess.

For regular, on-disk keys, it is necessary to add the keygrip to
sshcontrol. For smartcards, it's automatically added when the smartcard
is inserted. I guess it fits with automatically added secret key stubs
when the smartcard is inserted (to use a smartcard on a fresh PC, import
your own public key, insert your smartcard, and you're done).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at




Links:
--
[1] https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
[2] http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
[3] http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
[4] http://digitalbrains.com/2012/openpgp-key-peter
[5] https://gist.github.com/grempe/e143796b8f399f5fa391

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users




Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
Thanks Peter, I was not aware of that (and it certainly explains the double
entry in ssh-add -l).

btw, Werner was not writing that response to me. It was just pointed out to
me, so yes it was probably not smart card specific I would guess. I'll update
the blog post to reflect that we probably do not need to modify sshcontrol
for use with Yubikey.

Back to the main issue I am having. I followed the instructions to output a
verbose scdaemon log while I was exercising this issue.  Here is a gist with
the commands I was running and the resulting logfile.

https://gist.github.com/grempe/e143796b8f399f5fa391

Perhaps NIIBE Yutaka or someone else more knowledgeable than I can take a
look and get us closer to resolution. :-)

Thanks to everyone who is helping.


On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing wrote:

> On 15/01/16 21:17, Glenn Rempe wrote:
> > I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> No, but I'm fairly sure Werner did not realise you were using a smartcard
> when he wrote that. Obviously, I can't look into the man's mind, but that's
> my guess.
>
> For regular, on-disk keys, it is necessary to add the keygrip to
> sshcontrol. For smartcards, it's automatically added when the smartcard is
> inserted. I guess it fits with automatically added secret key stubs when
> the smartcard is inserted (to use a smartcard on a fresh PC, import your
> own public key, insert your smartcard, and you're done).
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Peter Lebbing
On 15/01/16 21:17, Glenn Rempe wrote:
> I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

No, but I'm fairly sure Werner did not realise you were using a smartcard when
he wrote that. Obviously, I can't look into the man's mind, but that's my guess.

For regular, on-disk keys, it is necessary to add the keygrip to sshcontrol. For
smartcards, it's automatically added when the smartcard is inserted. I guess it
fits with automatically added secret key stubs when the smartcard is inserted
(to use a smartcard on a fresh PC, import your own public key, insert your
smartcard, and you're done).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

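As an added example (not code from the thread, from GnuPG or from the linked blog posts), the following POSIX shell helpers manage an sshcontrol file for an on-disk key the way the2nd and Peter describe: a keygrip is added together with the "confirm" flag so pinentry prompts on every SSH signature, malformed keygrips are rejected, duplicates are skipped, and entries that would sign without a prompt are listed. The file path is a parameter (try it on a copy of ~/.gnupg/sshcontrol); the 40-hex-digit keygrips in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: manage entries in
# gpg-agent's sshcontrol file for an on-disk key. The format follows the
# gpg-agent manual: one entry per line, "KEYGRIP [TTL] [flags]", '#' starts
# a comment, a leading '!' disables an entry, and a keygrip is 40 hex digits.
# The "confirm" flag makes gpg-agent ask via pinentry before each SSH
# signature, which is what the2nd recommends when agent forwarding is used.
# Smartcard keys need no entry here (Peter Lebbing's point); this targets
# on-disk keys. Keygrips used in the demo are constructed placeholders.

# Succeed only if $1 is a syntactically valid keygrip (exactly 40 hex chars).
sshcontrol_valid_keygrip() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Succeed if FILE ($1) already has an active entry for KEYGRIP ($2).
# Comments and blank lines are skipped; the comparison is case-insensitive.
# Disabled ('!'-prefixed) entries do not count as active.
sshcontrol_has_entry() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | awk '{ print $1 }' | grep -i -x -q "$2"
}

# Append "KEYGRIP 0 confirm" (TTL 0 = agent default) to FILE unless present.
# Prints "added" or "exists"; returns 2 without touching FILE on a bad keygrip.
sshcontrol_add_confirm() {
    file=$1; grip=$2
    sshcontrol_valid_keygrip "$grip" || return 2
    if sshcontrol_has_entry "$file" "$grip"; then
        echo exists
        return 0
    fi
    {
        printf '# Key added on: %s (confirm before every SSH use)\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '%s 0 confirm\n' "$grip"
    } >> "$file"
    echo added
}

# Print the active keygrips in FILE ($1) that lack the confirm flag, i.e. the
# keys gpg-agent would let ssh use without any pinentry prompt.
sshcontrol_list_silent() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF && $1 !~ /^!/ {
            confirm = 0
            for (i = 2; i <= NF; i++) if ($i == "confirm") confirm = 1
            if (!confirm) print $1
        }'
}

# Demo against a temporary file so a real ~/.gnupg/sshcontrol is never touched.
sshcontrol_demo() {
    tmp=$(mktemp) || return 1
    placeholder=0123456789ABCDEF0123456789ABCDEF01234567      # constructed
    sshcontrol_add_confirm "$tmp" "$placeholder"             # prints: added
    sshcontrol_add_confirm "$tmp" "$placeholder"             # prints: exists
    echo 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' >> "$tmp" # constructed
    echo "entries that sign without a prompt:"
    sshcontrol_list_silent "$tmp"
    rm -f "$tmp"
}
```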


Re: basic identity mgmt

2016-01-15 Thread Andrew Gallagher
On 15/01/16 21:02, Doug Barton wrote:

> On 01/15/2016 12:21 PM, Andrew Gallagher wrote:
> |  I've
> | worked on several projects for more than one financial institution,
> | and airgaps like this are considered barely sufficient for some
> | important keys. (Of course in such projects the idea of a
> | certification subkey not on the airgapped machine would be
> | completely unacceptable...)
> 
> That's interesting, and you have made me curious ... what's the threat
> model? And what is that key certifying?

Most relevant example, a system where users can register their
authorisation keys against a semi-automated authority which signs them
for trust by a third system. The root key that certifies the automated
authority keys is offline. Essentially a private root CA.

Now, this example is using x509 rather than pgp, but the threat model is
the same. Bad guys hack into the system, they can fake a trust
relationship, which in turn compromises a different system.

To put this into PGP terms, say Lachlann were Stallman (ok, I'm
stretching a bit!). Then say someone wants to impersonate Linus. If they
could root RMS's laptop they could certify a key in Linus's name and
many people would say "RMS is paranoid, so it really must be Linus!".
;-) But if RMS keeps his certification key offline, the best the hackers
can do is impersonate him - until he notices of course, at which point
he can roll his subkeys and draw a line under the incident.

Of course if a C-capable subkey were to exist, Linus would lose the
benefit of the airgap. RMS would still be able to roll his subkeys, but
that would also revoke all the trust relationships that depended on the
C-subkey. So both of them are worse off.

A





Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
I'm not sure when the use of sshcontrol emerged. My impression was that it
is only used as part of GnuPG 'Modern' 2.1.x versions. That being said, if
I remove the keygrip entry from the sshcontrol file it appears to work
fine.  The only difference I've just noticed is in the output of 'ssh-add
-l':

with keygrip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardio:000MYCARDNUM
(RSA)
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg (none) (RSA)

without key grip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardno:000MYCARDNUM
(RSA)

Any ideas for also eliminating that error message, or understanding why it's
there, are appreciated.

As for the suggestion by the2nd at otpme.org regarding the scdaemon bug:
this sounded promising, but when I investigated a bit it seems that the
commit in that thread that indicated this issue might be fixed on master
(f42c50dbf00c2e6298ca6830cbe6d36805fa54a3) was committed on Dec 2, 2015,
and gnupg version 2.1.10 was tagged on Dec 4, 2015.  So that fix should
already be in the version of GnuPG I am using (2.1.10) and yet I am still
seeing a problem.

/tmp/gnupg (master ✔)$ git log f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
commit f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
Author: NIIBE Yutaka 
Date:   Thu Dec 3 11:26:24 2015 +0900

scd: Fix "Conflicting usage" bug.

* scd/apdu.c (apdu_close_reader): Call CLOSE_READER method even if we
  got an error from apdu_disconnect.
* scd/app-common.h (no_reuse): Remove.
* scd/app.c (application_notify_card_reset): Deallocate APP here.
(select_application, release_application): Don't use NO_REUSE.

--

Reproducible scenario: Invoke gpg --card-edit session from a terminal.
Invoke another gpg --card-edit session from another.  Remove a token.
Insert a token again.  Type RET on both terminals.  One of terminal
answers "Conflicting usage".

Perhaps, having NO_REUSE field was to avoid race conditions.  Now,
APP can be safely deallocated by application_notify_card_reset.

Thanks to the2nd.

I installed 2.1.10 from this homebrew recipe:

https://github.com/Homebrew/homebrew-versions/blob/master/gnupg21.rb

My SSH client is the one that comes with OS X 'El Capitan':

/tmp/gnupg (master ✔)$ ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8




On Fri, Jan 15, 2016 at 12:31 PM Simon Josefsson wrote:

> > > Why do you add the keygrip to the sshcontrol file?  I have never
> > > needed that step.  For me it uses the right key directly.  Is it
> > > because you have another (revoked) A subkey?  It sounds somewhat of
> > > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > > key instead of the non-revoked key.
> >
> > I do have a revoked Authentication sub-key on my primary key, but I
> > no longer use it and that is also not why I added the keygrip entry to
> > sshcontrol file.  I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> I don't recall ever using it, and I've been using SSH with smartcards
> through gpg-agent for over 10 years.  What happens if you drop that
> part?  For me it has always selected the right subkey automatically.
>
> /Simon
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
On Fri, Jan 15, 2016 at 10:29:13AM +0100, Simon Josefsson wrote:
> Glenn Rempe  writes:
> 
> > I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> > manage my gpg private keys and I am using that key for SSH auth.  I have it
> > all up and running but I ran into some issues as well so I wrote up a blog
> > post.  I'd appreciate any suggestions for improvement and especially for
> > any ideas for a better fix for the workaround I had to do that I documented
> > at the end of the post.  Maybe this will be of some use to those wanting to
> > use the latest gpg for SSH auth on a Mac with a Yubikey.
> >
> > https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
> 
> Have you tried killing/restarting scdaemon only, not gpg-agent?
> 
> Try:
> 
> gpgconf --reload scdaemon
> 
> or
> 
> gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

I am on OS X, and just so you know I have turned off the OS X system
scdaemon per this blog post (I did this before upgrading to GnuPG 2.1):

https://gpgtools.tenderapp.com/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

So I am using just the scdaemon embedded with GPG I believe.

I just tried your suggestion to reload the internal scdaemon with
'gpgconf --reload scdaemon' and that also worked just as well as killing
gpg-agent, and probably without some side effects, none of which I've
noticed yet. So that is a step in the right direction, but I still have to
run it every time I remove/reinsert the card and SSH to a remote host
or it fails with a 'Permission denied (publickey)' error. So this seems
like a step in the right direction, but I still have to use ControlPlane
to restart scdaemon on insert/remove events.

> 
> Why do you add the keygrip to the sshcontrol file?  I have never needed
> that step.  For me it uses the right key directly.  Is it because you
> have another (revoked) A subkey?  It sounds somewhat of sub-optimal
> behaviour for gpg-agent's SSH support to use a revoked key instead of
> the non-revoked key.

I do have a revoked Authentication sub-key on my primary key, but I
no longer use it and that is also not why I added the keygrip entry to
sshcontrol file.  I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

Is this suggestion outdated?

> 
> /Simon



-- 
Glenn Rempe

email : gl...@rempe.us
voice : (415) 613-1653
twitter   : @grempe
gpg key id: 0xA4A288A3BECCAE17
gpg fingerprint   : 497A 6138 963D 6C47 202B  238B A4A2 88A3 BECC AE17




Re: basic identity mgmt

2016-01-15 Thread Doug Barton


On 01/15/2016 12:21 PM, Andrew Gallagher wrote:
| On 15/01/16 19:33, Doug Barton wrote:

|> This is a good example of why that method of working with your
|> keys is pointlessly complicated. :)
|
| It's complicated, but not necessarily _pointlessly_ so. Depending
| on circumstances it could be considered minimally prudent. I've
| worked on several projects for more than one financial institution,
| and airgaps like this are considered barely sufficient for some
| important keys. (Of course in such projects the idea of a
| certification subkey not on the airgapped machine would be
| completely unacceptable...)

That's interesting, and you have made me curious ... what's the threat
model? And what is that key certifying?

Doug




Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
> > Why do you add the keygrip to the sshcontrol file?  I have never
> > needed that step.  For me it uses the right key directly.  Is it
> > because you have another (revoked) A subkey?  It sounds somewhat of
> > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > key instead of the non-revoked key.
> 
> I do have a revoked Authentication sub-key on my primary key, but I
> no longer use it and that is also not why I added the keygrip entry to
> sshcontrol file.  I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

I don't recall ever using it, and I've been using SSH with smartcards
through gpg-agent for over 10 years.  What happens if you drop that
part?  For me it has always selected the right subkey automatically.

/Simon




Re: basic identity mgmt

2016-01-15 Thread Andrew Gallagher
On 15/01/16 19:33, Doug Barton wrote:
> On 01/11/2016 08:35 AM, Lachlan Gunn wrote:
>> For me it's problematic
>> because my certification key is on an offline machine, so it's
>> inconvenient to have to power it up and do a round-trip through the
>> airgap when I'm not going to propagate the signature anyway.  It's not a
>> dealbreaker but it's still a bit irritating.
> 
> This is a good example of why that method of working with your keys is
> pointlessly complicated. :)

It's complicated, but not necessarily _pointlessly_ so. Depending on
circumstances it could be considered minimally prudent. I've worked on
several projects for more than one financial institution, and airgaps
like this are considered barely sufficient for some important keys. (Of
course in such projects the idea of a certification subkey not on the
airgapped machine would be completely unacceptable...)

A





Re: basic identity mgmt

2016-01-15 Thread Doug Barton

On 01/11/2016 08:35 AM, Lachlan Gunn wrote:


You've already received good answers on your questions, so some
questions for you. :)  What is your concern about signing the key?
And are you aware that local signatures will not be communicated
beyond your keyring?


I actually ran into this issue the other day.  For me it's problematic
because my certification key is on an offline machine, so it's
inconvenient to have to power it up and do a round-trip through the
airgap when I'm not going to propagate the signature anyway.  It's not a
dealbreaker but it's still a bit irritating.


This is a good example of why that method of working with your keys is 
pointlessly complicated. :)


Doug




Re: basic identity mgmt

2016-01-15 Thread Doug Barton

On 01/14/2016 11:35 AM, Wendy Oberg wrote:

From: "Doug Barton" [dougb@dougbarton.email]

What is your concern about signing the key?


Not so much a concern.  But I might want to make use of the predicate
"key X is valid" without having to sign anything, and without even having a
key.


You still haven't answered the "Why?" question. I'm not trying to badger 
you, I'm trying to find out if there is a use case that we're missing here.



Sounds like the "--tofu-policy good ..." in recent versions, as suggested
by Damien, may do the trick for this.


Unless I'm missing something that's not different in any material way 
from '--trust-model always'.



And  are you aware that local signatures will not be communicated beyond your
keyring?


Yes, thanks, W.


Ok, so why is that not the right solution for you?

Doug




Re: Key selection order

2016-01-15 Thread Doug Barton

On 01/14/2016 01:41 PM, NdK wrote:

Il 14/01/2016 21:06, Andrew Gallagher ha scritto:


> Tofu does not guarantee identity persistence. Just because your correspondence 
> hasn't been obviously tampered with (yet) does not mean that someone hasn't been 
> MITMing you all along and biding their time.

As usual, it depends on your attack scenario.
If I have 10-years-old mails from someone I've never met, and all use
the same key, I can assume that either 1) that identity belongs to the
same person or 2) that an attacker MITMed *all* my connections (from
every device I've had wherever I was and to every service I used).
Occam's razor and my "exposure profile" make me think it's 1) :)


There are several more possible scenarios. The most plausible of which 
would be 3) Your correspondent is being coerced, and 4) Your 
correspondent has lost control of the key, and the new correspondent is 
skilled at mimicking the "real" one. Of course neither of those 
scenarios is defensible with either key verification strategy.



In other words, *time* can be considered an 'out of band' channel.


It really can't ... if anything time increases the likelihood that the 
original key holder has lost control of the key.


Doug



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
You might hit this bug: 
http://lists.gnupg.org/pipermail/gnupg-users/2015-December/054756.html


On 2016-01-15 01:08, Glenn Rempe wrote:

I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey
to manage my gpg private keys and I am using that key for SSH auth. 
I have it all up and running but I ran into some issues as well so I
wrote up a blog post.  I'd appreciate any suggestions for improvement
and especially for any ideas for a better fix for the workaround I had
to do that I documented at the end of the post.  Maybe this will be
of some use to those wanting to use the latest gpg for SSH auth on a
Mac with a Yubikey.

https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/ [1]

Here is a discussion thread that describes *exactly* the issue I am
still having (if I don't use my workaround to kill and restart
gpg-agent on every yubikey insertion and deletion):

https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html
[2]

Glenn



Links:
--
[1] https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html





Re: Key selection order

2016-01-15 Thread Peter Lebbing
On 15/01/16 00:12, Andrew Gallagher wrote:
> No, because mitm doesn't mean one identity replaces another, but that the two
> identities become conflated.

Ah, we are ascribing different attributes to an "identity".

I think you mean an identity belongs to a specific person, an individual. If you
MITM, there are two people, so two identities.

I describe an "identity" as "this person who's been giving me good advice on
topic X for several months", for example.

Note that I cannot differentiate between someone who thought up the advice from
someone who is just forwarding someone else's advice.

If there's this individual A who has been giving me great advice, but all their
mails were MITM'ed such that individual B put their signature under it, B could
at any moment abuse this trust that A built and give me horrible advice that
results in something that is useful for B.

But the same could happen with A! I know the guy/girl only from their e-mails.
For all I know, A is biding their time to eventually screw me over. And they
could be asking someone else and only writing down their advice.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
Glenn Rempe  writes:

> I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> manage my gpg private keys and I am using that key for SSH auth.  I have it
> all up and running but I ran into some issues as well so I wrote up a blog
> post.  I'd appreciate any suggestions for improvement and especially for
> any ideas for a better fix for the workaround I had to do that I documented
> at the end of the post.  Maybe this will be of some use to those wanting to
> use the latest gpg for SSH auth on a Mac with a Yubikey.
>
> https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/

Have you tried killing/restarting scdaemon only, not gpg-agent?

Try:

gpgconf --reload scdaemon

or

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

Why do you add the keygrip to the sshcontrol file?  I have never needed
that step.  For me it uses the right key directly.  Is it because you
have another (revoked) A subkey?  It sounds somewhat of sub-optimal
behaviour for gpg-agent's SSH support to use a revoked key instead of
the non-revoked key.

/Simon

