On Fri, Jan 15, 2016 at 10:29:13AM +0100, Simon Josefsson wrote:
> Glenn Rempe <gl...@rempe.us> writes:
>
> > I recently set up my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> > manage my gpg private keys and I am using that key for SSH auth. I have it
> > all up and running but I ran into some issues as well so I wrote up a blog
> > post. I'd appreciate any suggestions for improvement and especially for
> > any ideas for a better fix for the workaround I had to do that I documented
> > at the end of the post. Maybe this will be of some use to those wanting to
> > use the latest gpg for SSH auth on a Mac with a Yubikey.
> >
> > https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
>
> Have you tried killing/restarting scdaemon only, not gpg-agent?
>
> Try:
>
> gpgconf --reload scdaemon
>
> or
>
> gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

I am on OS X, and just so you know I have turned off the OS X system scdaemon per this blog post (I did this before upgrading to GnuPG 2.1):

https://gpgtools.tenderapp.com/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

So I am using just the scdaemon embedded with GPG I believe.

I just tried your suggestion to reload the internal scdaemon with 'gpgconf --reload scdaemon' and that also worked just as well as killing gpg-agent, and probably without some side effects, none of which I've noticed yet. So that is a step in the right direction, but I still have to run it every time I remove/reinsert the card and SSH to a remote host or it fails with a 'Permission denied (publickey)' error.

So this seems like a step in the right direction, but I still have to use ControlPlane to restart scdaemon on insert/remove events.

>
> Why do you add the keygrip to the sshcontrol file? I have never needed
> that step. For me it uses the right key directly. Is it because you
> have another (revoked) A subkey? It sounds somewhat of sub-optimal
> behaviour for gpg-agent's SSH support to use a revoked key instead of
> the non-revoked key.

I do have a revoked Authentication sub-key on my primary key, but I no longer use it and that is also not why I added the keygrip entry to sshcontrol file. I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html

And these blog posts:

http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

Is this suggestion outdated?

>
> /Simon

--
Glenn Rempe

email : gl...@rempe.us
voice : (415) 613-1653
twitter : @grempe
gpg key id : 0xA4A288A3BECCAE17
gpg fingerprint : 497A 6138 963D 6C47 202B 238B A4A2 88A3 BECC AE17

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users