Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Wed, 28 Feb 2018 15:02, w...@gnupg.org said:

> Oh no, I don't want to promote create solutions of our complex API ;-)

s/create/creative/

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Wed, Feb 28, 2018 at 03:02:58PM +0100, Werner Koch wrote:
> On Wed, 21 Feb 2018 07:27, b...@adversary.org said:
>
> >> No, there is no way to configure an extra hack to also test a passphrase
> >> for an ssh key.
> >
> > Wanna bet?
>
> Oh no, I don't want to promote create solutions of our complex API ;-)

Heheh. I have a friend who frequently used to say that if a question began with "Would it be wrong to ..." then the answer was always "No."

I think it was about the point where I asked, "Would it be wrong to release freshwater crocodiles just a little upstream of [local picnic area where children feed ducks and geese] just in time for the summer holidays?" that he gave up.

Regards,
Ben
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Wed, 21 Feb 2018 07:27, b...@adversary.org said:

>> No, there is no way to configure an extra hack to also test a passphrase
>> for an ssh key.
>
> Wanna bet?

Oh no, I don't want to promote create solutions of our complex API ;-)

Shalom-Salam,

   Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are regulated by a federal law.
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Tue, Feb 13, 2018 at 04:55:19PM +0100, Werner Koch wrote:
> On Tue, 13 Feb 2018 15:03, ambre...@gmail.com said:
>
> > Thanks for the detailed answer. But why not doing it for SSH then?
>
> I like to see when an ssh key is used the first time. Note that the
> maximum caching time for ssh keys can be configured independent from the
> caching time of other keys.

Probably wise.

> > Just because it's less common? Would there be any way to configure this?
>
> No, there is no way to configure an extra hack to also test a passphrase
> for an ssh key.

Wanna bet?

I thought of one way, but it really is a hack and it's predicated on the standard key access being invoked first. If SSH always comes first then it won't work.

Regards,
Ben
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Tue, 13 Feb 2018 15:03, ambre...@gmail.com said:

> Thanks for the detailed answer. But why not doing it for SSH then?

I like to see when an ssh key is used the first time. Note that the maximum caching time for ssh keys can be configured independent from the caching time of other keys.

> Just because it's less common? Would there be any way to configure this?

No, there is no way to configure an extra hack to also test a passphrase for an ssh key.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
Werner Koch writes:

> You may now wonder why this does not happen when you decrypt a mail,
> reply to it and sign the reply. Two subkeys (or the primary and the
> encryption subkey) are involved in this workflow. Because this is so
> common, gpg-agent knows about it and tries the last passphrase used for
> any of the subkeys of a key. It does not do this for an
> authentication subkey, though. Thus you have to enter it again for ssh.

Thanks for the detailed answer. But why not doing it for SSH then? Just because it's less common? Would there be any way to configure this?

--
Pierre Neidhardt

War spares not the brave, but the cowardly.
    -- Anacreon
Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent
On Fri, 9 Feb 2018 14:25, ambre...@gmail.com said:

> this time the SSH key is obviously encrypted with the same passphrase as
> my GPG key, since it's part of it. Any clue why gpg-agent keeps asking?

gpg (or correct gpg-agent) can't know which passphrase is used for each key or subkey. Passphrases are cached on a per subkey base and thus you will see a passphrase query for each new subkey.

You may now wonder why this does not happen when you decrypt a mail, reply to it and sign the reply. Two subkeys (or the primary and the encryption subkey) are involved in this workflow. Because this is so common, gpg-agent knows about it and tries the last passphrase used for any of the subkeys of a key. It does not do this for an authentication subkey, though. Thus you have to enter it again for ssh.

Note that we can't do trial decryption using several remembered passphrases because that would take noticeably long for the user. For security reasons each passphrase decryption takes about 100ms.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
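
Added example, not part of the original thread and not GnuPG's own code: a small shell filter that makes the per-subkey caching described above visible by summarising gpg-agent's `KEYINFO` status lines per keygrip. The keygrips and sample lines are constructed, the function names are hypothetical, and the field layout (cached in field 7, protection in field 8, TTL in field 10, flags in field 11) is assumed from gpg-agent's `KEYINFO` output.

```shell
#!/bin/sh
# Summarise gpg-agent's per-keygrip passphrase cache from KEYINFO status lines.
# Live input would come from:  gpg-connect-agent 'keyinfo --list' /bye
# Assumed field layout:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>

# Constructed sample: three keygrips of one key (sign, encrypt, auth used for ssh).
# The first two were unlocked by a decrypt-and-sign workflow; the third was not.
sample_keyinfo() {
cat <<'EOF'
S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - 540 -
S KEYINFO 2222222222222222222222222222222222222222 D - - 1 P - 540 -
S KEYINFO 3333333333333333333333333333333333333333 D - - - P - - S
OK
EOF
}

# One line per on-disk, passphrase-protected key:
#   <keygrip> <cached|will-prompt> ttl=<seconds or -> <ssh|gpg>
cache_report() {
  awk '$1 == "S" && $2 == "KEYINFO" && $4 == "D" && $8 == "P" {
         state = ($7 == "1") ? "cached" : "will-prompt"
         use   = (index($11, "S") > 0) ? "ssh" : "gpg"
         printf "%s %s ttl=%s %s\n", $3, state, $10, use
       }'
}

# Number of protected keys whose next use would open a pinentry.
prompts_pending() {
  cache_report | grep -c ' will-prompt ' || true
}

sample_keyinfo | cache_report
```

On a live system, pipe `gpg-connect-agent 'keyinfo --list' /bye` into `cache_report` before and after the first ssh login to see the authentication keygrip move from `will-prompt` to `cached` independently of the other subkeys.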