I use YubiKeys for SSH authorization, and as you probably know they can work in PGP or PIV mode. I don’t quite like certain things about PIV mode, so I typically use them in PGP mode, and thus I use gpg-agent as my ssh-agent.

On some rare occasions, though, I use a key backed up by a file. When such a key is loaded, GPG offers to save it in the gpg storage, and from time to time you might need to remove this key 😀. As you can imagine, the normal ssh-add -d doesn’t work in such cases, because the key has already been copied. You can still remove it, though, and here is how:

$ ssh-add -E sha256 -l
4096 SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 slava@slava-ws.local (RSA)

Now let’s connect to the GPG agent:

$ gpg-connect-agent
> KEYINFO --ssh-list --ssh-fpr=sha256
S KEYINFO 03FC8FB70D51BB603EC1DCD5435B913261FF472C D - - - P SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 - S
OK
> DELETE_KEY 03FC8FB70D51BB603EC1DCD5435B913261FF472C
OK
> /bye

So here, I matched the key by its SHA256 fingerprint. Also, when you are using gpg-connect-agent you can use the help and help <COMMAND> commands. For example:

> help KEYINFO
# KEYINFO [--[ssh-]list] [--data] [--ssh-fpr[=algo]] [--with-ssh] <keygrip>
#
# Return information about the key specified by the KEYGRIP.  If the
# key is not available GPG_ERR_NOT_FOUND is returned.  If the option
# --list is given the keygrip is ignored and information about all
# available keys are returned.  If --ssh-list is given information
# about all keys listed in the sshcontrol are returned.  With --with-ssh
# information from sshcontrol is always added to the info. Unless --data
# is given, the information is returned as a status line using the format:

I originally found this on the gpg mailing list and ended up using it a few times. Each time I had to search for it, so I decided to write this post as a memo for myself.
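The manual session above can be wrapped in a script that looks up the keygrip by fingerprint and refuses to delete anything unless exactly one key matches. This is an added example, not part of the original post: the function names are made up here, and it assumes the fingerprint is the ninth field of the S KEYINFO line, as in the output shown above.

```shell
#!/bin/sh
# Added example: delete an SSH key stored in gpg-agent by its SHA256 fingerprint.
# Function names are hypothetical; the field positions are taken from the
# "S KEYINFO ..." line shown in the session above.

# keygrip_for_fpr FPR: read KEYINFO output on stdin and print the keygrip
# (field 3) of every status line whose fingerprint (field 9) equals FPR.
keygrip_for_fpr() {
    awk -v fpr="$1" '$1 == "S" && $2 == "KEYINFO" && $9 == fpr { print $3 }'
}

# is_keygrip STR: succeed only if STR is exactly 40 hex digits.
# An empty result or several keygrips joined by newlines both fail here.
is_keygrip() {
    case $1 in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# delete_ssh_key FPR: find the key in the running agent and delete it.
delete_ssh_key() {
    fpr=$1
    case $fpr in
        SHA256:*) ;;
        *) echo "expected a SHA256:... fingerprint" >&2; return 2 ;;
    esac
    grip=$(gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr=sha256' /bye |
           keygrip_for_fpr "$fpr")
    if ! is_keygrip "$grip"; then
        echo "no unique key with fingerprint $fpr" >&2
        return 1
    fi
    # The agent may ask for confirmation through pinentry before deleting.
    reply=$(gpg-connect-agent "DELETE_KEY $grip" /bye)
    case $reply in
        OK*) echo "deleted $grip" ;;
        *)   echo "agent refused: $reply" >&2; return 1 ;;
    esac
}

# Run only when a fingerprint is passed on the command line.
[ "$#" -eq 0 ] || delete_ssh_key "$1"
```

Pass the fingerprint exactly as ssh-add -E sha256 -l prints it, including the SHA256: prefix.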