Using a regular SSH key & a GPG key on a Yubikey to auth on a server


I’m using Gpg4win 3.0.0 and PuTTY 0.7.
I have a problem authenticating in SSH by using both a SSH key and a GPG key from a smartcard.
Here is an example:

I have 2 servers:,
I have a regular pair of SSH keys (generated with PuTTYgen), with the public key installed on and
I also have a GPG key with auth capabilities.
It is stored in a smartcard (a Yubikey 4) and the corresponding SSH public key is installed on only.

Before connecting to my servers, I start gpg-agent: "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye.
My gpg-agent.conf has the line enable-putty-support.
Then, I had my regular SSH key to the agent: "C:\Program Files\PuTTY\pageant.exe" "path\to\my\private\key.ppk".

When connecting to, PuTTY/plink use my SSH key from the agent and it works.
When connecting to, PuTTY/plink finds out that my private key is the GPG auth key on my smartcard; I’m asked to plug it in and to enter my user pin; and it works.
But if I can’t plug it in and want to use my regular SSH key instead (which is also configured to work with, it doesn’t uses it and just fails because the first private key was not found.
Here is the full log:

# plink -v
Connecting to port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Using SSH protocol version 2
Server supports delayed compression; will try this later
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ssh-dss host key, but we don't know it
Host key fingerprint is:
ecdsa-sha2-nistp256 256 ########### a fingerprint ###########
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 2 SSH-2 keys
Using username "user".
Trying Pageant key #0
Authenticating with public key "(none)" from agent
# I'm asked by pinentry to connect my smartcard, but I click on Cancel
Pageant failed to answer challenge
FATAL ERROR: Pageant failed to answer challenge

If I explicitly give the private key to plink, it works: plink -v -i "path\to\my\private\key.ppk".
But I don’t always have the opportunity to control the parameters given to plink.
For example, I use Git 2.14.2 for Windows (from configured to use plink; when pulling from a remote using SSH, I have exactly the same problem I just explained.

Do you know if there is a way to make plink/pagent/gpg-agent to use my regular SSH key if the other one fails?
(Or anything that could improve my setup.)

Hi David,

Unfortunately, this is a problem with PuTTY. I don’t think PuTTY has some kind of “fall back to”-Method, but you should be able to create a second configuration for the same server, that uses another strategy. Maybe that is a valid strategy for you.

Best wishes,