When a GPG smartcard (e.g. a YubiKey) is inserted and contains an authentication key, the key is automatically enrolled by gpg-agent. That means the key is usable for any SSH operation without needing to add its keygrip to the file ~/.gnupg/sshcontrol.
Source: Agent-Configuration documentation (look after the last line of text inside the sshcontrol paragraph)
On a specific computer I would like to disable this default behavior without disabling the other features provided by the smartcard. I was hoping to be able to disable the authentication key by prepending a '!' to its keygrip inside the sshcontrol file, as described in the Agent-Configuration documentation (look at the second-to-last line of text inside the sshcontrol paragraph), e.g.:
!BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0
But it does not work (BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB being the keygrip of the authentication key).
Unrelated to disabling a key, I also tried to enable the confirm flag for the authentication key coming from the smartcard:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0 confirm
And it does not work either. I am really wondering whether gpg-agent reads the sshcontrol information for smartcard keys at all.
My setup:
- GnuPG version 2.2.12
- only RSA 4096-bit keys
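As an added illustration (not part of the original question), the following script parses the sshcontrol line format the question relies on: an optional '!' prefix marks a disabled keygrip, followed by an optional TTL in seconds and optional flags such as confirm. It only reports what the file declares, which is what you would compare against the agent's actual behaviour; the sample file content is constructed.

```python
import os
import re

# Constructed sample sshcontrol content (not the poster's file). Line 1 is an
# ordinary enabled key, line 2 is disabled with '!', line 3 carries a 600 s TTL
# and the 'confirm' flag; a comment and a blank line are included as well.
SAMPLE_SSHCONTROL = """\
# List of allowed ssh keys.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0
!BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 0

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 600 confirm
"""

# One entry per line: optional '!', a 40-hex-digit keygrip, optional TTL, flags.
_LINE_RE = re.compile(
    r"^(?P<disabled>!?)(?P<keygrip>[0-9A-Fa-f]{40})"
    r"(?:\s+(?P<ttl>\d+))?(?P<flags>(?:\s+\S+)*)\s*$"
)


def parse_sshcontrol(text):
    """Return {KEYGRIP: {"enabled": bool, "ttl": int, "flags": set}}.

    Lines starting with '#' are comments; a TTL of 0 means the agent default.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed sshcontrol line: %r" % raw)
        entries[m["keygrip"].upper()] = {
            "enabled": m["disabled"] == "",
            "ttl": int(m["ttl"] or 0),
            "flags": set(m["flags"].split()),
        }
    return entries


def key_status(text, keygrip):
    """Describe one keygrip: 'absent', 'disabled', 'enabled' or 'enabled+confirm'."""
    entry = parse_sshcontrol(text).get(keygrip.upper())
    if entry is None:
        return "absent"
    if not entry["enabled"]:
        return "disabled"
    return "enabled+confirm" if "confirm" in entry["flags"] else "enabled"


if __name__ == "__main__":
    # Audit the real file when present, otherwise fall back to the sample.
    path = os.path.expanduser("~/.gnupg/sshcontrol")
    text = open(path).read() if os.path.exists(path) else SAMPLE_SSHCONTROL
    for grip, e in parse_sshcontrol(text).items():
        print(grip, key_status(text, grip), e["ttl"], " ".join(sorted(e["flags"])))
```

Run it against ~/.gnupg/sshcontrol and compare the listed keygrips with what `ssh-add -L` reports while the card is inserted; a card key that ssh can use despite being absent or disabled here is the behaviour the question describes.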
0 Answers