From 98b8c518fa0be65bac90e2d47388d0914f98c50f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 18 Apr 2023 09:04:27 +0200 Subject: ssh: Allow to prefer on-disk keys over active card keys. * agent/command-ssh.c (ssh_send_available_keys): Redefine the order of keys. -- GnuPG-bug-id: 6212 --- doc/gpg-agent.texi | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) (limited to 'doc/gpg-agent.texi') diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index c8080c7c2..902de56f4 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi 
@@ -675,6 +675,39 @@ and allows the use of gpg-agent with the ssh implementation @command{putty}. This is similar to the regular ssh-agent support but makes use of Windows message queue as required by @command{putty}. + +The order in which keys are presented to ssh are: +@table @code + +@item Negative Use-for-ssh values + If a key file has the attribute "Use-for-ssh" and its value is + negative, these keys are presented first to ssh. The negative + values are capped at -999 with -999 beeing lower ranked than -1. + These values can be used to prefer on-disk keys over keys taken + from active cards. + +@item Active cards + Active cards (inserted into a card reader or plugged in tokens) + are always tried; they are ordered by their serial numbers. + +@item Keys listed in the sshcontrol file + Non-disabled keys from the sshcontrol file are presented in the + order they appear in this file. Note that the sshcontrol file + is deprecated. + +@item Positive Use-for-ssh values + If a key file has the attribute "Use-for-ssh" and its value is + "yes", "true", or any positive number the key is presented in + the order of their values. "yes" and "true" have a value of 1; + other values are capped at 99999. + +@end table + +Editing the "Use-for-ssh" values can be done with an editor or using +@command{gpg-connect-agent} and "KEYATTR" (Remember to append a colon +to the key; i.e. use "Use-for-ssh:"). + + @anchor{option --ssh-fingerprint-digest} @item --ssh-fingerprint-digest @opindex ssh-fingerprint-digest 
@@ -827,6 +860,9 @@ This file is used when support for the secure shell agent protocol has been enabled (@pxref{option --enable-ssh-support}). Only keys present in this file are used in the SSH protocol. You should backup this file. +This file is deprecated in favor of the "Use-for-ssh" attribute in the +key files. + The @command{ssh-add} tool may be used to add new entries to this file; you may also add them manually. Comment lines, indicated by a leading hash mark, as well as empty lines are ignored. An entry starts with @@ -872,7 +908,6 @@ users start up with a working configuration. For existing users the a small helper script is provided to create these files (@pxref{addgnupghome}). - @c @c Agent Signals @c -- cgit v1.2.3
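Review bot: The sentence kept as context just above the added lines, "Only keys present in this file are used in the SSH protocol.", is no longer true once this patch lands: the new table in the @option{--enable-ssh-support} section says keys carrying a "Use-for-ssh" attribute and keys on active cards are presented as well, with sshcontrol entries only third in the order. Suggest rewording that sentence (e.g. "Keys listed in this file are presented to ssh in addition to keys marked with the "Use-for-ssh" attribute and keys on active cards") so the deprecation note does not sit next to a claim it contradicts; a cross-reference back to the ordering table would also help readers who land on the @file{sshcontrol} description first.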
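Review bot: In the first hunk (the new @table after the putty paragraph) the behaviour for a non-positive "Use-for-ssh" value is left undocumented: the table covers negative numbers and "yes"/"true"/positive numbers but never says what a value of 0, "no" or "false" does, nor what happens to a key file that has no "Use-for-ssh" attribute at all; please add an @item for that case (or a sentence stating that such keys are not offered to ssh), since it is what readers will most often want to check. The same hunk also has a few wording slips worth fixing before it ships: "The order in which keys are presented to ssh are:" should read "is:", "with -999 beeing lower ranked than -1" should be "being", and "the key is presented in the order of their values" mixes singular and plural ("keys are presented in the order of their values"). Finally, note the commit subject and ChangeLog entry name agent/command-ssh.c (ssh_send_available_keys), but only doc/gpg-agent.texi appears in this view because it is limited to that path; the documentation and the code change should be reviewed together to confirm the capping limits (-999 and 99999) stated here match the implementation.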
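Review bot: The last hunk (at the "Agent Signals" comment block) only deletes a blank line and is unrelated to the subject of the commit; it is harmless, but keeping whitespace-only cleanups out of a documentation change for a new ordering feature makes the history easier to bisect and the diff easier to review.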