I’m using Yubikeys for SSH authorization, and as you probably know it can work in PGP or PIV mode. Although, I don’t quite like certain things about PIV mode, so I’m typically using it in a PGP mode, and thus I’m using gpg-agent as ssh-agent.
But in some rare occasions I’m using key backed up by file, and when such key is
loaded GPG offers you to save it in the gpg storage and sometimes you might need
to remove this key :). As you can imagine, normal
ssh-add -d isn’t working in
such cases (because key is copied), although you still could remove it,
and here is how:
$ ssh-add -E sha256 -l 4096 SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 firstname.lastname@example.org (RSA)
Now let’s connect to GPG agent:
$ gpg-connect-agent > KEYINFO --ssh-list --ssh-fpr=sha256 S KEYINFO 03FC8FB70D51BB603EC1DCD5435B913261FF472C D - - - P SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 - S OK > DELETE_KEY 03FC8FB70D51BB603EC1DCD5435B913261FF472C OK > /bye
So here, I matched key by the SHA256 fingerprint. Also, when you are using
gpg-connect-agent you can use
help <COMMAND> commands, for
> help KEYINFO # KEYINFO [--[ssh-]list] [--data] [--ssh-fpr[=algo]] [--with-ssh] <keygrip> # # Return information about the key specified by the KEYGRIP. If the # key is not available GPG_ERR_NOT_FOUND is returned. If the option # --list is given the keygrip is ignored and information about all # available keys are returned. If --ssh-list is given information # about all keys listed in the sshcontrol are returned. With --with-ssh # information from sshcontrol is always added to the info. Unless --data # is given, the information is returned as a status line using the format:
I originally found it in gpg mail list and ended up using few times and each time I had to search it, so decided to make this post as memo for me.