sshd authentication problem with gpg-agent and OpenPGP card
Joerg Schmitz-Linneweber
joerg at schmitz-linneweber.de
Tue Dec 5 10:15:16 CET 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all!
I recently found a problem when using OpenPGP cards with gpg-agent in
combination with ssh/sshd.
Technical details follows:
- --- snip -----------------------
> gpg-agent --version
gpg-agent (GnuPG) 2.0.0
- --- snip -----------------------
> rpm -qf `which ssh-add`
openssh-3.9p1-12.10
- --- snip -----------------------
> ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
- --- snip -----------------------
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
- --- snip -----------------------
OK. Connecting to the remote via:
> ssh -vvvvi ~/.ssh/id_dsa remote_host
works perfectly (no card involved)
but:
> ssh -vvvv remote_host
tries to use the card and results in:
- --- snip -----------------------
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
- --- snip -----------------------
and the log on the remote machine explains this abrupt connection loss:
- --- snip -----------------------
Dec 5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative
numbers not supported
Dec 5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative
numbers not supported
- --- snip -----------------------
The last snippet shows whats going on in gpg-agent:
- --- snip -----------------------
[client at fd 4 connected]
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine
0x80858b8 für fd 7 gestartet
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for
request_identities (11) started
4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon
established (reusing)
[client at fd 5 connected]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $AUTHKEYID
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $AUTHKEYID OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR SERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S SERIALNO
my_serial_info
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- READKEY OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> [
xx xx...(all bytes skipped) ]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $DISPSERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $DISPSERIALNO
the_displayable_serialno
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for
request_identities (11) ready
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- RESTART
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine
0x80858b8 für fd 7 beendet
- --- snip -----------------------
So gpg-agent in conjunction with this ssh version might deliver invalid
data to the waiting ssh daemon. I found nothing particular on the
mentioned bignum package in sshd though... :-(
Anybody knows whats going on with OpenPGP card authentication? Werner? :-)
Salut, Jörg
- --
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFFdTik/PQgU9f6RRIRArT4AJ4wXZaBiR8oZWhlvAcZXSOP8VdUcwCgzbs/
aUdw1ByhBJlE8e3C9KeiGsE=
=JwLw
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list