On Wed, 18 Jul 2018 06:37, [email protected] said:

> Practically, this means that once a key is added to gpg-agent it's unclear
> as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply
> remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring
Right, gpg-agent takes a copy of the files from .ssh/ and you can even
delete the private key files in .ssh after that. If you don't do this
you have two protected (i.e. encrypted) copies of the private keys on
your disk.

Now ssh-add -D, when used with OpenSSH's ssh-agent, does not delete the
key; it merely removes it from ssh-agent's cache. The private key is
still on the disk. So the question is not how often you do "ssh-add -D"
but how often do you rm ~/.ssh/a-private-key ?

> up the keygrip for the desired key in sshcontrol, then remove it from there
> as well as rm the matching file in private-keys-v1.d/ ? Is there anything

You only need to remove it from private-keys-v1.d; ssh-control only
enables a key for use in the ssh-agent protocol. This way you can
decide which of your keys (even OpenPGP keys) can be used for ssh.

In any case I would suggest to get rid of on-disk keys and use a
smartcard for ssh keys.


Shalom-Salam,

   Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are governed by a federal law.
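As an added illustration of the layout described in the reply above (example code, not Werner's and not part of GnuPG): a POSIX sh function that deletes a key by keygrip from private-keys-v1.d and drops its sshcontrol line, exercised here against a constructed scratch GNUPGHOME rather than a real one. The file layout and the "KEYGRIP TTL [flags]" sshcontrol line format are assumed from GnuPG 2.x defaults, and the two keygrips are made up.

```shell
#!/bin/sh
# Delete one key from gpg-agent's store. Layout assumed (GnuPG 2.x defaults):
#   $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key  the protected private key
#   $GNUPGHOME/sshcontrol                       keygrips enabled for the ssh-agent protocol,
#                                               "[!]KEYGRIP TTL [flags]", '#' starts a comment
# GNUPGHOME defaults to ~/.gnupg; point it at a scratch directory to try this offline.

# remove_ssh_key KEYGRIP -> 0 deleted, 1 no such key file, 2 malformed keygrip
remove_ssh_key() {
    keygrip=$(printf '%s' "$1" | tr 'a-f' 'A-F')   # key file names use upper-case hex
    home=${GNUPGHOME:-$HOME/.gnupg}
    keyfile="$home/private-keys-v1.d/$keygrip.key"
    sshcontrol="$home/sshcontrol"

    # A keygrip is exactly 40 hex digits; refuse anything else so we never rm a wrong path.
    case $keygrip in *[!0-9A-F]*|"") echo "malformed keygrip: '$1'" >&2; return 2;; esac
    [ ${#keygrip} -eq 40 ] || { echo "malformed keygrip: '$1'" >&2; return 2; }

    if [ ! -f "$keyfile" ]; then
        echo "no private key with keygrip $keygrip under $home" >&2
        return 1
    fi

    # Removing the key file is what actually deletes the key; the sshcontrol line only
    # enables it for ssh, but drop that line too so no dangling entry remains.
    rm -f "$keyfile"
    if [ -f "$sshcontrol" ]; then
        tmp=$(mktemp "$home/sshcontrol.XXXXXX") || return 1
        grep -Ev "^!?${keygrip}([[:space:]]|$)" "$sshcontrol" > "$tmp" || :   # no match is fine
        chmod 600 "$tmp" && mv "$tmp" "$sshcontrol"
    fi
}

# Constructed scratch GNUPGHOME holding dummy entries (not real keys); prints its path.
make_scratch_home() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/private-keys-v1.d"
    for grip in "$@"; do printf 'dummy\n' > "$dir/private-keys-v1.d/$grip.key"; done
    { printf '# constructed sshcontrol\n'; for grip in "$@"; do printf '%s 0\n' "$grip"; done; } \
        > "$dir/sshcontrol"
    printf '%s\n' "$dir"
}

KEEP=0123456789ABCDEF0123456789ABCDEF01234567   # constructed, not a real keygrip
GONE=A1B2C3D4E5F60718293A4B5C6D7E8F9012345678   # constructed, not a real keygrip
GNUPGHOME=$(make_scratch_home "$KEEP" "$GONE"); export GNUPGHOME
remove_ssh_key "$GONE" && ls "$GNUPGHOME/private-keys-v1.d" && cat "$GNUPGHOME/sshcontrol"
```

Against a live agent, deleting the file is enough for a key that gpg-agent loaded from disk; a key that was only cached in memory is gone once the agent restarts.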
