Using a regular SSH key & a GPG key on a Yubikey to auth on a server

Hi!

I’m using Gpg4win 3.0.0 and PuTTY 0.7.
I have a problem authenticating in SSH by using both an SSH key and a GPG key from a smartcard.
Here is an example:

I have 2 servers: server1.com, server2.com.
I have a regular pair of SSH keys (generated with PuTTYgen), with the public key installed on server1.com and server2.com.
I also have a GPG key with auth capabilities.
It is stored in a smartcard (a Yubikey 4) and the corresponding SSH public key is installed on server2.com only.

Before connecting to my servers, I start gpg-agent: "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye.
My gpg-agent.conf has the line enable-putty-support.
Then, I add my regular SSH key to the agent: "C:\Program Files\PuTTY\pageant.exe" "path\to\my\private\key.ppk".

When connecting to server1.com, PuTTY/plink uses my SSH key from the agent and it works.
When connecting to server2.com, PuTTY/plink finds out that my private key is the GPG auth key on my smartcard; I’m asked to plug it in and to enter my user PIN; and it works.
But if I can’t plug it in and want to use my regular SSH key instead (which is also configured to work with server2.com), it doesn’t use it and just fails because the first private key was not found.
Here is the full log:

# plink user@server2.com -v
Connecting to xxx.xxx.xxx.xxx port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Using SSH protocol version 2
Server supports delayed compression; will try this later
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ssh-dss host key, but we don't know it
Host key fingerprint is:
ecdsa-sha2-nistp256 256 ########### a fingerprint ###########
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 2 SSH-2 keys
Using username "user".
Trying Pageant key #0
Authenticating with public key "(none)" from agent
# I'm asked by pinentry to connect my smartcard, but I click on Cancel
Pageant failed to answer challenge
FATAL ERROR: Pageant failed to answer challenge

If I explicitly give the private key to plink, it works: plink user@server2.com -v -i "path\to\my\private\key.ppk".
But I don’t always have the opportunity to control the parameters given to plink.
For example, I use Git 2.14.2 for Windows (from https://git-scm.com/) configured to use plink; when pulling from a remote using SSH, I have exactly the same problem I just explained.

Do you know if there is a way to make plink/pageant/gpg-agent use my regular SSH key if the other one fails?
(Or anything that could improve my setup.)
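The agent exchange behind the log above ("Pageant has 2 SSH-2 keys", "Trying Pageant key #0", "Pageant failed to answer challenge"), modelled in Python as an added example. This is not code from PuTTY, Pageant or GnuPG; the FakeAgent, the two key blobs, the signer and the challenge are constructed stand-ins, and the message numbers and string/length framing are those of the SSH agent protocol (draft-miller-ssh-agent). It shows where the fallback decision lives: the agent only lists its keys and signs or refuses per key, so whether an unavailable smartcard key blocks a usable second key is decided by the client's policy, which is what the log shows plink doing when the first challenge fails.

```python
import struct
import hashlib

# SSH agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg: bytes) -> bytes:
    """Agent messages travel as uint32 length + body."""
    return struct.pack(">I", len(msg)) + msg


def unframe(data: bytes) -> bytes:
    (n,) = struct.unpack_from(">I", data, 0)
    return data[4:4 + n]


class FakeAgent:
    """Constructed in-memory stand-in for Pageant/gpg-agent (not the real program).

    keys: list of (public key blob, comment, signer). signer is None for a key
    whose private half is unavailable (card not plugged in, pinentry cancelled).
    """
    def __init__(self, keys):
        self.keys = keys

    def handle(self, request: bytes) -> bytes:
        body = unframe(request)
        mtype = body[0]
        if mtype == SSH_AGENTC_REQUEST_IDENTITIES:
            out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(self.keys))
            for blob, comment, _ in self.keys:
                out += put_string(blob) + put_string(comment)
            return frame(out)
        if mtype == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(body, 1)
            data, off = get_string(body, off)
            for kblob, _, signer in self.keys:
                if kblob == blob and signer is not None:
                    return frame(bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(signer(data)))
            return frame(bytes([SSH_AGENT_FAILURE]))   # cannot sign: "failed to answer challenge"
        return frame(bytes([SSH_AGENT_FAILURE]))


def list_identities(agent):
    """Client side of REQUEST_IDENTITIES; returns [(blob, comment), ...]."""
    resp = unframe(agent.handle(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))))
    assert resp[0] == SSH_AGENT_IDENTITIES_ANSWER
    (n,) = struct.unpack_from(">I", resp, 1)
    off, keys = 5, []
    for _ in range(n):
        blob, off = get_string(resp, off)
        comment, off = get_string(resp, off)
        keys.append((blob, comment.decode()))
    return keys


def sign_with(agent, blob, data):
    """Client side of SIGN_REQUEST (flags = 0); None if the agent refuses."""
    req = bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(data) + struct.pack(">I", 0)
    resp = unframe(agent.handle(frame(req)))
    if resp[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    sig, _ = get_string(resp, 1)
    return sig


def authenticate(agent, server_authorized, challenge, fall_through):
    """Try agent keys in the order the agent lists them; return the winning comment or None.

    fall_through=False mirrors the plink log: the first key the agent cannot sign
    with is fatal. fall_through=True moves on to the next listed identity.
    """
    for blob, comment in list_identities(agent):
        if blob not in server_authorized:
            continue   # the server's publickey query would reject this key anyway
        sig = sign_with(agent, blob, challenge)
        if sig is not None:
            return comment
        if not fall_through:
            return None   # "Pageant failed to answer challenge" -> FATAL ERROR
    return None


# Constructed key blobs and signer: real agents carry the public key in SSH wire
# format and produce real signatures; opaque bytes are enough to drive the protocol.
SMARTCARD_KEY = b"constructed-blob-gpg-auth-key-on-card"
REGULAR_KEY = b"constructed-blob-puttygen-key"


def regular_signer(data):
    return hashlib.sha256(b"constructed-private-key" + data).digest()  # not a real signature scheme


AGENT = FakeAgent([
    (SMARTCARD_KEY, b"cardno:000000", None),          # key #0: card absent, pinentry cancelled
    (REGULAR_KEY, b"my-putty-key", regular_signer),   # key #1: loaded from the .ppk
])
AUTHORIZED_ON_SERVER2 = {SMARTCARD_KEY, REGULAR_KEY}
CHALLENGE = b"constructed session-id || userauth request"

if __name__ == "__main__":
    print(authenticate(AGENT, AUTHORIZED_ON_SERVER2, CHALLENGE, fall_through=False))
    print(authenticate(AGENT, AUTHORIZED_ON_SERVER2, CHALLENGE, fall_through=True))
```

Run stand-alone it prints None for the plink-style policy and my-putty-key for the fall-through policy against the same agent and the same server. This is also why the workarounds on this thread work: passing -i to plink, or a saved session that names the key, skips the agent's listing order entirely and goes straight to the key that is actually available.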

Hi David,

Unfortunately, this is a problem with PuTTY. I don’t think PuTTY has some kind of “fall back to” method, but you should be able to create a second configuration for the same server that uses another strategy. Maybe that is a valid strategy for you.

Best wishes,
Jochen