Hello,

Horst Skatmus wrote:
> The only problem I have is that the gpg-agent always checks for the
> smartcard even when keys are not stored on a smartcard.

When gpg-agent works as ssh-agent, it always checks (possible) authentication key on smartcard, so that the authentication key (when available) can be used.

Specifically, SSH client asks ssh-agent about available keys by REQUEST_IDENTITIES command.

When gpg-agent (as ssh-agent) gets REQUEST_IDENTITIES command, it checks scdaemon about possible authentication keys. Let's call those key(s) "active smartcard key(s)".

There are also keys recorded under ~/.gnupg/private-keys-v1.d/. Let's call those keys "recorded keys". Those "recorded keys" can be private keys on disk, or keys on smartcard (reference to smartcard, not private key secret).

For response to REQUEST_IDENTITIES command, gpg-agent answers SSH "active smartcard key(s)" + "recorded keys". (Here, "recorded keys" may include "active smartcard key(s)".)

After that, SSH server + client negotiate about keys and select a key. Then, SSH client asks gpg-agent (as ssh-agent) a challenge-response authentication by signing with SIGN_REQUEST command.

> I can switch off the scdaemon via --disable-scdaemon but this has no
> effect.

With --disable-scdaemon, gpg-agent should stop accessing scdaemon. Do you reload setting (gpgconf --reload gpg-agent) after changing your gpg-agent.conf?

--
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users