I’m using Gpg4win 3.0.0 and PuTTY 0.7.
I have a problem authenticating in SSH by using both a SSH key and a GPG key from a smartcard.
Here is an example:
I have 2 servers: server1.com, server2.com.
I have a regular pair of SSH keys (generated with PuTTYgen), with the public key installed on server1.com and server2.com.
I also have a GPG key with auth capabilities.
It is stored in a smartcard (a Yubikey 4) and the corresponding SSH public key is installed on server2.com only.
Before connecting to my servers, I start gpg-agent:
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye.
My gpg-agent.conf has the line
Then, I add my regular SSH key to the agent:
"C:\Program Files\PuTTY\pageant.exe" "path\to\my\private\key.ppk".
When connecting to server1.com, PuTTY/plink use my SSH key from the agent and it works.
When connecting to server2.com, PuTTY/plink find out that my private key is the GPG auth key on my smartcard; I’m asked to plug it in and to enter my user PIN; and it works.
But if I can’t plug it in and want to use my regular SSH key instead (which is also configured to work with server2.com), it doesn’t use it and just fails because the first private key was not found.
Here is the full log:
# plink email@example.com -v
Connecting to xxx.xxx.xxx.xxx port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Using SSH protocol version 2
Server supports delayed compression; will try this later
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ssh-dss host key, but we don't know it
Host key fingerprint is:
ecdsa-sha2-nistp256 256 ########### a fingerprint ###########
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 2 SSH-2 keys
Using username "user".
Trying Pageant key #0
Authenticating with public key "(none)" from agent
# I'm asked by pinentry to connect my smartcard, but I click on Cancel
Pageant failed to answer challenge
FATAL ERROR: Pageant failed to answer challenge
If I explicitly give the private key to plink, it works:
plink firstname.lastname@example.org -v -i "path\to\my\private\key.ppk".
But I don’t always have the opportunity to control the parameters given to plink.
For example, I use Git 2.14.2 for Windows (from https://git-scm.com/) configured to use plink; when pulling from a remote using SSH, I have exactly the same problem I just explained.
Do you know if there is a way to make plink/pageant/gpg-agent use my regular SSH key if the other one fails?
(Or anything that could improve my setup.)
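The log above shows plink trying "Pageant key #0" first and aborting when that key (the card key, listed with comment "(none)") cannot sign. The order plink walks is the order the agent returns identities in its SSH_AGENT_IDENTITIES_ANSWER. The following Python is an added example, not code from the asker or from PuTTY/GnuPG: it builds a constructed identities answer with two keys and decodes it to show which key sits at position #0, its comment and its SHA256 fingerprint, which is what you would check when diagnosing why plink picks the card key before the .ppk key.

```python
import base64
import hashlib
import struct

SSH_AGENT_IDENTITIES_ANSWER = 12  # reply to SSH_AGENTC_REQUEST_IDENTITIES (11)


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; returns (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_identities_answer(keys) -> bytes:
    """Frame an identities answer: uint32 length, msg type, uint32 nkeys, (blob, comment)*."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment)
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(msg: bytes):
    """Return [(key_type, comment, fingerprint), ...] in the agent's own order (plink's key #0, #1, ...)."""
    (total,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + total]
    if len(body) != total or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        ktype, _ = _read_string(blob, 0)  # every blob starts with its algorithm name
        keys.append((ktype.decode(), comment.decode(errors="replace"), fingerprint(blob)))
    return keys


# Constructed sample (not real keys): #0 mimics the smartcard auth key exposed by
# gpg-agent without a comment, #1 mimics a PuTTYgen RSA key added via pageant.exe.
CARD_KEY = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
PPK_KEY = _string(b"ssh-rsa") + _string(b"\x01\x00\x01") + _string(b"\x00" + b"\x7f" * 64)
SAMPLE_ANSWER = build_identities_answer([(CARD_KEY, b"(none)"), (PPK_KEY, b"putty-key")])
```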