
gpg-agent: failure to add new SSH keys in 2.0.16
Closed, Resolved (Public)

Description

Hello,
several months ago we were hitting an issue in Arch Linux where SSH keys would
somehow be corrupted on import. It was supposed to be fixed in v2.0.15:
http://lists.gnupg.org/pipermail/gnupg-users/2010-January/038045.html

I am now running v2.0.16 and had a new key to import, which I utterly failed to
do. I am using ssh-agent emulation, and I am trying to add a new 4096 RSA key.

ssh-add ~/.ssh/id_rsa_hostname prompts for a passphrase, then the PIN entry
dialog appears and asks for a passphrase *once*. After that I try to login to a
system and after a while it asks for my passphrase. Here is a part of the log
when trying to connect:

2010-10-23 04:48:43 gpg-agent[1045] ssh handler 0x8843468 for fd 8 started
2010-10-23 04:48:43 gpg-agent[1045] received ssh request of length 1
2010-10-23 04:48:43 gpg-agent[1045] ssh request handler for request_identities (11) started
2010-10-23 04:48:43 gpg-agent[1045] error getting default authentication keyID of card: Not supported
2010-10-23 04:48:43 gpg-agent[1045] ssh request handler for request_identities (11) ready
2010-10-23 04:48:43 gpg-agent[1045] sending ssh response of length 1143
2010-10-23 04:48:43 gpg-agent[1045] received ssh request of length 1165
2010-10-23 04:48:43 gpg-agent[1045] ssh request handler for sign_request (13) started
2010-10-23 04:48:43 gpg-agent[1045] DBG: agent_get_cache `1936C6CF51F9DB5F3A13C39B0296C37151505F1F'...
2010-10-23 04:48:44 gpg-agent[1045] ssh request handler for sign_request (13) ready
2010-10-23 04:48:44 gpg-agent[1045] sending ssh response of length 532

At this point I cut out the key from ~/.gnupg/sshcontrol and remove it from
private-keys-v1.d/ then I do another ssh-add. This time PIN entry dialog
appears *twice*, first time and then again for verification. However after
pressing return on the verification dialog gpg-agent crashes. With only this in
the logs:

2010-10-23 04:45:34 gpg-agent[854] Ohhhh jeeee: ... this is a bug (sexp.c:1811:_gcry_sexp_sprint)
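
As an added example, not code from this report or from GnuPG: a POSIX shell script that performs the manual clean-up step described above (drop one key's line from ~/.gnupg/sshcontrol and delete its private-keys-v1.d/<KEYGRIP>.key file) against a constructed, throw-away directory rather than a real GNUPGHOME. The keygrips and the sshcontrol contents are made up; the layout they follow (one keygrip per line with optional TTL and flags, a leading '!' disabling an entry, key files named after the keygrip) is gpg-agent's documented sshcontrol format. The validation step is the part worth keeping: because the keygrip is interpolated into a sed expression and into a file path, the function refuses anything that is not exactly 40 hex digits.

```shell
#!/bin/sh
# Added example (not part of the bug report or of GnuPG).  Removes one ssh key
# from gpg-agent's bookkeeping: the entry in GNUPGHOME/sshcontrol and the key
# file GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key.  Runs only against a
# constructed temp directory so it never touches real keys.
set -eu

# Constructed keygrips (40 hex digits each), made up for this example.
GRIP_A=0123456789ABCDEF0123456789ABCDEF01234567
GRIP_B=FEDCBA9876543210FEDCBA9876543210FEDCBA98
GRIP_C=1111111111111111111111111111111111111111   # listed but disabled with '!'

# Create a throw-away GNUPGHOME-like tree with a constructed sshcontrol and
# empty stand-in key files.  Prints the directory path.
setup_fake_gnupghome() {
    fake_home=$(mktemp -d)
    mkdir -p "$fake_home/private-keys-v1.d"
    cat > "$fake_home/sshcontrol" <<EOF
# Constructed sshcontrol.  Format: KEYGRIP [TTL [FLAGS]]; '!' disables a line.
$GRIP_A 0
$GRIP_B 0 confirm
!$GRIP_C 0
EOF
    : > "$fake_home/private-keys-v1.d/$GRIP_A.key"
    : > "$fake_home/private-keys-v1.d/$GRIP_B.key"
    : > "$fake_home/private-keys-v1.d/$GRIP_C.key"
    printf '%s\n' "$fake_home"
}

# ssh_keygrips GNUPGHOME: print the keygrips sshcontrol currently exposes to
# ssh, i.e. every line that is not a comment, blank, or disabled with '!'.
ssh_keygrips() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*!/ && !/^[[:space:]]*$/ { print $1 }' \
        "$1/sshcontrol"
}

# remove_ssh_key GNUPGHOME KEYGRIP: delete KEYGRIP's sshcontrol line (enabled
# or '!'-disabled) and its private-keys-v1.d/KEYGRIP.key file.  Refuses any
# argument that is not a 40-hex-digit keygrip, so a path like ../x can never
# reach the sed expression or the rm below.
remove_ssh_key() {
    gnupghome=$1
    grip=$2
    if ! printf '%s\n' "$grip" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
        printf 'refusing: %s is not a keygrip\n' "$grip" >&2
        return 1
    fi
    # Match the keygrip at line start, optionally prefixed by '!', followed by
    # whitespace (TTL/flags) or end of line; write atomically via a temp file.
    sed -e "/^!\{0,1\}$grip[[:space:]]/d" -e "/^!\{0,1\}$grip\$/d" \
        "$gnupghome/sshcontrol" > "$gnupghome/sshcontrol.tmp"
    mv "$gnupghome/sshcontrol.tmp" "$gnupghome/sshcontrol"
    rm -f "$gnupghome/private-keys-v1.d/$grip.key"
}

# Stand-alone demo: remove the second constructed key and show what is left.
demo_home=$(setup_fake_gnupghome)
remove_ssh_key "$demo_home" "$GRIP_B"
ssh_keygrips "$demo_home"
rm -rf "$demo_home"
```

After editing a real sshcontrol this way, gpg-agent picks up the change on its next request_identities, so a following `ssh-add` re-imports the key under a fresh keygrip entry rather than reusing the removed one.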

Details

Version
2.0.18

Event Timeline

anrxc added projects: gnupg, Bug Report.
anrxc added a subscriber: anrxc.

What version of libgcrypt are you using (gpg-agent --version)?

Hello,
I have been checking on the status of this bug report once a week. Unfortunately
no progress was reported.

I have made the following upgrades last night:
upgraded gnupg2 (2.0.16-3 -> 2.0.17-1)
upgraded pinentry (0.8.0-2 -> 0.8.1-1)

... libgcrypt stayed the same version. And I can report that I was able to add
my key properly this time. I was asked for the passphrase, then GPG agent asked
for a passphrase through the PIN entry dialog. On next login attempt the agent
was properly passing on the key.

While working on a different part of the code, I found a bug in a function also
used by the ssh code. You may want to apply this patch:

  • a/common/estream.c

+++ b/common/estream.c
@@ -641,7 +641,7 @@ es_func_mem_write (void *cookie, const void *buffer, size_t
size)

if (!mem_cookie->memory_size)
  newsize = size;  /* Not yet allocated.  */
else
  • newsize = mem_cookie->memory_size + (nleft - size);

+ newsize = mem_cookie->memory_size + (size - nleft);

if (newsize < mem_cookie->offset)
  {
    _set_errno (EINVAL);
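Review bot: the corrected expression `newsize = mem_cookie->memory_size + (size - nleft)` is only meaningful when `size > nleft` (a write that fits in the remaining `nleft` bytes should not reach the grow path at all), and nothing in the hunk enforces that. If `nleft` and `size` are unsigned and this branch is ever entered with `nleft >= size`, the subtraction wraps to a value near SIZE_MAX, and the `if (newsize < mem_cookie->offset)` check that follows does not catch it, because the wrapped `newsize` is larger than `offset`, not smaller. Suggest guarding the branch explicitly, e.g. asserting `size > nleft` before the subtraction, and additionally rejecting `newsize < mem_cookie->memory_size` so that an overflow of the addition itself is reported as EINVAL rather than turned into an undersized buffer.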
anrxc changed Version from 2.0.16 to 2.0.17. Jun 7 2011, 2:30 AM

Hi,
I just created 10 new keys, and only one was added correctly to the agent. I
encountered a variety of bad behaviour.

Several keys were added "successfully" but would not work on logins.

Several refused inclusion altogether.

Several would ask me for a passphrase numerous times while displaying "(-6500320
try of 1)" or something along those lines.
Several popped up with a progress bar that was verifying the strength of my key,
and of course never did anything remotely useful with it.

I'll try your patch. Maybe I can get another key in the agent.

Patch resolved nothing.

Here's what I'm doing:

$ ssh-keygen -t rsa -b 4096
$ ssh-add ~/.ssh/id_rsa_keyname
Passphrase: ab087gHjUo0

PIN entry pops up I enter the same passphrase, or anything else... and then
repeated PIN entry pops up with text:

Invalid characters in PIN (try -5000010607 of 1)
Passphrase:

Now the problem got even worse. My 2.0.18 agent can not unlock my old SSH keys, nor
can it add new SSH keys.

ssh server

Agent admitted failure to sign using the key.

ssh-add ~/.ssh/id_rsa_newkey

Enter passphrase for /home/anrxc/.ssh/id_rsa_newkey:
SSH_AGENT_FAILURE
Could not add identity: /home/anrxc/.ssh/id_rsa_newkey

Even if I get this fixed, will I get this fixed:
Invalid characters in PIN (try -5000010607 of 1)?

I don't think so. I am running into this kind of problems for over a year.

anrxc changed Version from 2.0.17 to 2.0.18. Oct 23 2011, 3:38 AM
werner claimed this task.
werner added a project: Too Old.