GnuPG's SSH agent does not work when using SSH host certificates in GnuPG 2.4.8

Damien Goutte-Gattat dgouttegattat at incenp.org
Sun Nov 30 18:21:55 CET 2025


On Sunday, 30 November 2025 12:15:28 GMT Jay Kayes via Gnupg-users wrote:
> The error I get on connection:
>     ssh jay@testserver
>     sign_and_send_pubkey: signing failed for ED25519 "cardno:0000_12345678" from agent: agent refused operation

Looks like the same problem I once had with 2.4.x (and still have on another machine that is still running 2.4.x). If so, a workaround is to add the following option to your ~/.ssh/config file:

  PubkeyAuthentication unbound

(It can be set either globally, or in the section for the host(s) where SSH host certificates are used.)

My understanding (which may or may not be correct) is that the host-bound authentication protocol extension (which the option above will disable) is only useful when agent forwarding is used; when not using agent forwarding, disabling this extension should not have any security impact.


> I did not notice any relevant changes listed in the release notes, but
> something has clearly been fixed in the 2.5 series.

I think it might be the fix to https://dev.gnupg.org/T7436, which landed in 2.5.2.

Best,

- Damien
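The following ~/.ssh/config is an added example illustrating the workaround above, not a file from the original post or from the GnuPG project: it points ssh at gpg-agent's socket and applies PubkeyAuthentication unbound only to the certificate-using host. The socket path, the host name testserver, the HostName and User values, and the ForwardAgent setting are assumptions; take the real socket path from `gpgconf --list-dirs agent-ssh-socket`.

```sshconfig
# ~/.ssh/config  (added example; values below are assumptions)

# Only for the host(s) whose authentication uses an SSH host certificate:
# turn off the host-bound publickey extension, which is what gpg-agent 2.4.x
# refuses here. Host-specific blocks go first because ssh keeps the first
# value it finds for each option.
Host testserver
    HostName testserver.example.net     # assumed
    User jay                            # from the quoted command
    PubkeyAuthentication unbound

# Global defaults: use gpg-agent as the SSH agent (path assumed; use
# "gpgconf --list-dirs agent-ssh-socket") and do not forward it, so the
# host-bound extension is not needed elsewhere either.
Host *
    IdentityAgent ~/.gnupg/S.gpg-agent.ssh
    ForwardAgent no
```

The value `unbound` is accepted by OpenSSH 8.9 and later, the release that introduced the host-bound extension; older clients reject it as a syntax error. To confirm what will actually apply to a given host before connecting, run `ssh -G testserver | grep -i '^pubkeyauthentication'`, which should print `pubkeyauthentication unbound` for the host above and `pubkeyauthentication yes` for any other host.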