3

I have GPG set up to talk to SSH (with --enable-ssh-support). I have two keys: say 0x1234 and 0xABCD. Both keys have the following subkeys:

  • a signing key
  • an encryption key
  • an authentication key

Therefore, I have two different public keys when I run ssh-add -L with 0x1234 first followed by 0xABCD (I think this order is defined by whichever key was last added). It all works nicely.

I need two different keys because I have some servers that accept only one of the two keys. However, I also have servers that accept both keys (Github, for example). I would prefer to use 0xABCD over 0x1234 even though both will be accepted. However, SSH will always choose the first accepted key, so 0x1234 is preferred over 0xABCD all the time in such servers.

I imagine this has to be changed in the GPG side of things because it's gpg-agent that's returning the keys in this order.

Is there any way I can force the order of keys reported?

adtac
  • 131
  • 3

1 Answers1

3

I had the same question and edited ~/.gnupg/sshcontrol to reorder the entries.

# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  The ssh-add tool may add new entries to this
# file to enable them; you may also add them manually.  Comment
# lines, like this one, as well as empty lines are ignored.  Lines do
# have a certain length limit but this is not serious limitation as
# the format of the entries is fixed and checked by gpg-agent. A
# non-comment line starts with optional white spaces, followed by the
# keygrip of the key given as 40 hex digits, optionally followed by a
# caching TTL in seconds, and another optional field for arbitrary
# flags.   Prepend the keygrip with an '!' mark to disable it.

# Ed25519 key added on: 2019-01-01 07:08:09
# Fingerprints:  MD5:93:75:54:e3:58:91:6c:7e:25:8f:f4:dd:98:81:8d:1a
#                SHA256:RP+Mcdf4WsZeBkfrdumZmUBlt7bPSkENyVgFpxs276o
B0651F46AEC857C8C842231E74C71A03622DBCD1 0
# ... more entries

Keys are used in the order they appear in this file. You can use ssh-add -l to show the sha256 hashes for the keys you were looking at via ssh-add -L.

Jed
  • 131
  • 4