SSH CA + gpg-agent + gnuk => error
NIIBE Yutaka
gniibe at fsij.org
Fri Oct 18 13:50:21 CEST 2019
Brennecke, Simon wrote:
> I have a question regarding the interaction of SSH with gpg-agent
> (and possibly also gnuk).
[...]
> So I generated a new ECC key in gnuk, imported the public keys in gpg.
> Added the keygrip everything to "~/.gnupg/sshcontrol"
Just FYI, for a smartcard, adding a keygrip in sshcontrol is not needed,
if it is OK for your gpg-agent to just fail for a signing request when
the smartcard is not available.
> "ssh-add -L" shows me the key.
> I signed it with the CA.
> ssh tries to use the key...
> ... and this is where the error pops up.
>
> ssh tells me:
> sign_and_send_pubkey: signing failed: agent refused operation
>
> and gpg-agent tells me:
> gpg-agent[21629]: ssh request handler for sign_request (13) started
> gpg-agent[21629]: DBG: detected card with S/N D276000124010200FFFE430322340000
> gpg-agent[21629]: smartcard signing failed: General error
> gpg-agent[21629]: ssh sign request failed: General error <GPG Agent>
I don't think it is related to the OpenSSH certificate. For some reason,
possibly a bug, smartcard signing failed. You can configure
.gnupg/scdaemon.conf with something like:
====================
debug-level guru
debug-all
verbose
log-file /run/user/1000/scd.log
====================
to see what's going on.
* * *
Here is another piece of information, which is related.
OpenSSH certificate authentication doesn't work well with gpg-agent
(yet). Ideally, the OpenSSH certificate should be under the control of
gpg-agent.
For details, you can see:
https://dev.gnupg.org/T1756
https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031479.html
Protocol-wise, for gpg-agent, it is expected that ssh does:
* ssh asks ssh-agent (in our case, gpg-agent) to get the OpenSSH
certificate by the REQUEST_IDENTITIES command
* (only after) the REQUEST_IDENTITIES command, ssh asks ssh-agent for
challenge-response by the SIGN_REQUEST command
But the first part does not occur with the current OpenSSH client. The client
by itself answers back to the server using the certificate on disk
(under .ssh/), without asking ssh-agent.
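To make the two-step exchange described above concrete, here is an added example (not code from this thread, from GnuPG or from OpenSSH) of a minimal ssh-agent protocol client in Python: it frames REQUEST_IDENTITIES and SIGN_REQUEST, parses the identities answer, flags which identities are OpenSSH certificates by their key type suffix, and, when SSH_AUTH_SOCK is set, asks the running agent so you can check whether a certificate is actually exposed by it. The constant names are my own shorthand for the protocol's message numbers, and the sample answer is constructed.

```python
import os, socket, struct
REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 11, 12, 13, 14  # ssh-agent message numbers

def ssh_string(b):  # length-prefixed string; the same framing wraps a whole agent message
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities():  # step 1: ask which identities (keys and certificates) the agent holds
    return ssh_string(bytes([REQUEST_IDENTITIES]))

def build_sign_request(key_blob, data, flags=0):  # step 2: ask the agent to sign the server's challenge
    body = bytes([SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(data)
    return ssh_string(body + struct.pack(">I", flags))

def parse_identities_answer(msg):
    """Return [(key_type, key_blob, comment, is_cert)] from an IDENTITIES_ANSWER payload."""
    if msg[0] != IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % msg[0])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        ktype = read_string(blob, 0)[0].decode()  # certificates carry a *-cert-v01@openssh.com key type
        keys.append((ktype, blob, comment.decode(), ktype.endswith("-cert-v01@openssh.com")))
    return keys

def agent_roundtrip(request):
    """Send one framed request over SSH_AUTH_SOCK and return the reply payload (length prefix stripped)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(request)
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return s.recv(n, socket.MSG_WAITALL)

def sample_identities_answer():
    """Constructed offline sample: one plain ed25519 key and one certificate (cert body abbreviated)."""
    plain = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
    cert = ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\x02" * 32)
    body = ssh_string(plain) + ssh_string(b"gnuk") + ssh_string(cert) + ssh_string(b"gnuk-cert")
    return bytes([IDENTITIES_ANSWER]) + struct.pack(">I", 2) + body

if __name__ == "__main__":  # step 1 against the live agent when SSH_AUTH_SOCK is set, else the sample
    live = "SSH_AUTH_SOCK" in os.environ
    answer = agent_roundtrip(build_request_identities()) if live else sample_identities_answer()
    for ktype, _blob, comment, is_cert in parse_identities_answer(answer):
        print("CERT" if is_cert else "key ", ktype, comment)
```

If gpg-agent only lists the plain key and no CERT line appears, the client is in the situation the post describes: the certificate never reaches the agent, and a SIGN_REQUEST for it cannot succeed.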