Diffstat (limited to 'agent')
-rw-r--r--agent/command-ssh.c18
-rw-r--r--agent/keyformat.txt8
2 files changed, 20 insertions, 6 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index b41177be6..51111a60d 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2648,7 +2648,8 @@ ssh_send_available_keys (ctrl_t ctrl, estream_t key_blobs, u32 *r_key_counter)
/* Clamp LNR value and set the ordinal.
* Current use of ordinals:
- * 1..99999 - inserted cards (right now only 1)
+ * 1..999 - low value Use-for-ssh.
+ * 1000..99999 - inserted cards (right now only 1000)
* 100000..199999 - listed in sshcontrol
* 200000..299999 - order taken from Use-for-ssh
*/
@@ -2678,18 +2679,25 @@ ssh_send_available_keys (ctrl_t ctrl, estream_t key_blobs, u32 *r_key_counter)
* order of card keys (which are sorted by their s/n), we
* would need to get the use-for-ssh: value from the stub
* file and set an appropriate ordinal. */
- order = 1;
+ order = 1000;
}
else if (is_ssh)
err = agent_public_key_from_file (ctrl, grip, &key_public);
else /* Examine the file if it's suitable for SSH. */
{
err = agent_ssh_key_from_file (ctrl, grip, &key_public, &order);
- if (order < 0 || err)
+ if (err)
order = 0;
+ else if (order < 0)
+ {
+ order = -order;
+ if (order > 999)
+ order = 999;
+ }
else if (order > 99999)
- order = 99999;
- order += 200000;
+ order = 299999;
+ else
+ order += 200000;
}
if (err)
{
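Review bot: `order = -order;` in the new `else if (order < 0)` branch is undefined behaviour when the value read from the key file is the most negative representable integer — if `order` is a plain `int` (its declaration is outside the hunk, so this is inferred), `-INT_MIN` overflows and the `if (order > 999)` clamp that follows then runs on an indeterminate value. Clamping before negating removes the hazard and the second comparison in one line: `order = (order < -999) ? 999 : -order;`. The number comes from the Use-for-ssh: line of an on-disk key file, so a bound that does not depend on the parser's accepted range is the safer choice. The enclosing ssh_send_available_keys body starts and ends outside the hunk.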
diff --git a/agent/keyformat.txt b/agent/keyformat.txt
index bbcaa7e2c..fbe999ca1 100644
--- a/agent/keyformat.txt
+++ b/agent/keyformat.txt
@@ -124,7 +124,13 @@ gpg-agent's ssh-agent implementation. This is thus the same as
putting the keygrip into the 'sshcontrol' file. Only one such item
should exist. If another non-zero value between 1 and 99999 is used,
this is taken to establish the order in which the keys are returned to
-ssh; lower numbers are returned first.
+ssh; lower numbers are returned first. If a negative value is used
+this overrides currently active (inserted) cards and thus allows to
+prefer on-disk keys over inserted cards. A value of -1 has the
+highest priority; values are capped at -999 and have a lower priority
+but still above the positive values, inserted cards or the order in
+sshcontrol.
+
*** Use-for-p11
If given and the value is "yes" or "1" the key is allowed for use by