Diffstat (limited to 'doc')
-rw-r--r--  doc/gpg-agent.texi  37
-rw-r--r--  doc/gpg.texi        11
2 files changed, 43 insertions, 5 deletions
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index c8080c7c2..902de56f4 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -675,6 +675,39 @@ and allows the use of gpg-agent with the ssh implementation
@command{putty}. This is similar to the regular ssh-agent support but
makes use of Windows message queue as required by @command{putty}.
+
+The order in which keys are presented to ssh are:
+@table @code
+
+@item Negative Use-for-ssh values
+ If a key file has the attribute "Use-for-ssh" and its value is
+ negative, these keys are presented first to ssh. The negative
+ values are capped at -999 with -999 beeing lower ranked than -1.
+ These values can be used to prefer on-disk keys over keys taken
+ from active cards.
+
+@item Active cards
+ Active cards (inserted into a card reader or plugged in tokens)
+ are always tried; they are ordered by their serial numbers.
+
+@item Keys listed in the sshcontrol file
+ Non-disabled keys from the sshcontrol file are presented in the
+ order they appear in this file. Note that the sshcontrol file
+ is deprecated.
+
+@item Positive Use-for-ssh values
+ If a key file has the attribute "Use-for-ssh" and its value is
+ "yes", "true", or any positive number the key is presented in
+ the order of their values. "yes" and "true" have a value of 1;
+ other values are capped at 99999.
+
+@end table
+
+Editing the "Use-for-ssh" values can be done with an editor or using
+@command{gpg-connect-agent} and "KEYATTR" (Remember to append a colon
+to the key; i.e. use "Use-for-ssh:").
+
+
@anchor{option --ssh-fingerprint-digest}
@item --ssh-fingerprint-digest
@opindex ssh-fingerprint-digest
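Review bot: the new table leaves one case undocumented: the text covers negative values, "yes", "true" and positive numbers, but never says how a "Use-for-ssh" value of "no", "false", 0 or a non-numeric string is treated (not offered at all, or offered last?). Since this attribute is what now decides which private keys are exposed to any ssh client that can reach the agent socket, that case should be spelled out next to the "Positive Use-for-ssh values" item. Two wording fixes in the same hunk: "The order in which keys are presented to ssh are:" should read "is:", and "-999 beeing lower ranked than -1" should read "being". The closing paragraph would also be easier to follow with a concrete invocation, e.g. a `gpg-connect-agent` line showing "KEYATTR" with the trailing colon on "Use-for-ssh:" rather than only describing it in prose.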
@@ -827,6 +860,9 @@ This file is used when support for the secure shell agent protocol has
been enabled (@pxref{option --enable-ssh-support}). Only keys present in
this file are used in the SSH protocol. You should backup this file.
+This file is deprecated in favor of the "Use-for-ssh" attribute in the
+key files.
+
The @command{ssh-add} tool may be used to add new entries to this file;
you may also add them manually. Comment lines, indicated by a leading
hash mark, as well as empty lines are ignored. An entry starts with
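Review bot: the retained sentence "Only keys present in this file are used in the SSH protocol." directly contradicts the new paragraph that follows it, and the ordering table added earlier in this patch, which says on-disk keys with a "Use-for-ssh" attribute and active cards are offered regardless of sshcontrol. Suggest rewording the existing line to something like "Keys listed in this file are offered in the SSH protocol in addition to keys selected through the Use-for-ssh attribute." so a reader does not conclude that removing a key from sshcontrol stops it from being presented to ssh.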
@@ -872,7 +908,6 @@ users start up with a working configuration. For existing users the
a small helper script is provided to create these files (@pxref{addgnupghome}).
-
@c
@c Agent Signals
@c
diff --git a/doc/gpg.texi b/doc/gpg.texi
index eb7c35cac..9fdabc743 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -399,10 +399,13 @@ this command may change with new releases.
@opindex edit-card
@itemx --card-edit
@opindex card-edit
-Present a menu to work with a smartcard. The subcommand "help" provides
-an overview on available commands. For a detailed description, please
-see the Card HOWTO at
-https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
+Present a menu to work with a smartcard. The subcommand "help"
+provides an overview on available commands. For a detailed
+description, please see the Card HOWTO at
+https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO . Please
+note that the command "openpgp" can be used to switch to the OpenPGP
+application of cards which by default are presenting another
+application (e.g. PIV).
@item --card-status
@opindex card-status
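Review bot: the added sentence should read "cards which by default present another application (e.g. PIV)" rather than "are presenting", and the stray space before the period after the URL ("...cardHOWTO .") is carried over from the old text and could be dropped while these lines are being touched. The rest of the hunk only re-wraps unchanged text; keeping the original line breaks and adding the new sentence alone would leave a smaller, easier-to-review diff.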