
gpg-agent doesn't accept ssh certificates
Open, Normal, Public

Description

gpg-agent doesn't implement PROTOCOL.certkeys (latest version at
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain),
which was added in OpenSSH 5.4.

After getting the public key signed, ssh-add will report SSH_AGENT_FAILURE when
handling the certificate. This makes it impossible to use OpenPGP keys for SSH
authentication on hosts that use signed keys.

Details

Version: 2.1

Event Timeline

Isn't it possible to convert it to standard ssh format and use that with ssh-add?

I am currently lacking the time to add this to gpg-agent.

ssh-add only looks for private key information. If there is an id_rsa-cert.pub file it
will add the certificate, but one cannot add a certificate alone.

There are a couple of problems:

  1. gpg-agent doesn't recognize the cert type (ssh-rsa-cert-v01@openssh.com, etc.), so if
     it is added via agent forwarding it fails.

  2. If the private key is on a card, then there is no private key file for ssh-add to
     use. Some cards allow certificates to be stored on the card, and it looks from the
     source to scdaemon that there is a way to read it and return it to the agent.

I could give this a try: in the case of #2, do you think it would be a reasonable
addition to gpg-agent's protocol to look for ~/.ssh/id_{rsa,dsa,ecdsa}-cert.pub when
handling a card-based private key? The cert is public info so only better portability
is gained by storing it on the card.

re 1) ssh-rsa-cert-v01@openssh.com is the certificate as used by sshd/ssh. The
agent protocol, however, uses an ssh-rsa-cert-v00@openssh.com format to send the
private key to the agent. It should be easy to support this if it is sufficient
to just get the private key from the ssh-rsa-cert-v00.

re 2) I need to look closely at how this is handled by the ssh-agent protocol.

gpg-agent should not look for an ssh file directly because its API is based on
the ssh-agent protocol. Thus a modified ssh is required. I noticed an
ssh-agent object related to cards; this needs further investigation.

FYI.

https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031479.html
^-- In this experiment, I tried another half of supporting OpenSSH certificates.

I found that it doesn't work as I had thought.

I think that the lower level support of gpg-agent is ready to add this feature
of accepting OpenSSH certificates, but modification of OpenSSH will be required
too, so that it works well.

Currently, the OpenSSH certificate file itself is still needed even if ssh-agent
supports OpenSSH certificates. When it returns a certificate to the ssh client, the ssh
client only uses the information of the key in the certificate. It is the file
which the ssh client uses when communicating with the server.


I am wondering if there is any workaround or work in progress about this old ticket.
I understand this is kind of an edge case, but having the possibility to use signed ssh keys would be very useful to me.

> I understand this is kind of an edge case, but having the possibility to use signed ssh keys would be very useful to me.

??? Do you understand how ssh keys are handled by ssh client and ssh-agent?
SSH certificate (signed key) works well with ssh-agent (and ssh-agent emulation of gpg-agent).

The discussion of this ticket is: SSH certificate itself is not under control of ssh-agent (yet), and it would be good if it could be so.

> I understand this is kind of an edge case, but having the possibility to use signed ssh keys would be very useful to me.

> ??? Do you understand how ssh keys are handled by ssh client and ssh-agent?

There's no need to be rude; sorry for my misunderstanding.

I'm sorry, if my wording sounded harsh.

FWIW, I'm describing the current situation, adding more info.

  • You can just use OpenSSH's certificate authentication with the ssh-agent emulation of gpg-agent (if things are all good).
  • When using ssh-add, please specify the '-k' option, because sending the certificate to ssh-agent makes no sense (as of OpenSSH 8.1, still).
    • gpg-agent would be improved (in future) to accept the certificate (so that the user can forget about the -k option). <-- This is the point of the original report (at the time of OpenSSH 5.4), even though the data of the certificate is of no use.
  • Unfortunately, for now, the authentication protocol with certificates may be considered not that mature (still), and some cards/tokens can't handle it correctly. See: T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation)
  • In the past (see above messages), we investigated the technical possibility of moving certificate handling from the ssh client to ssh-agent. It is possible, when requested, after an ssh client change in future. <-- But this would not be a good idea: putting many features into ssh-agent/gpg-agent is worse than keeping it small and restricting it to private-key things only.

In other words, please use the '-k' option of ssh-add; if the ssh client still fails (because of the size), consider changing the certificate authentication protocol so that the signed data will be of fixed size.
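To make concrete what "recognizing the cert type" (point 1 above) would mean for an agent, here is an added example, not gpg-agent or OpenSSH code: it parses a `*-cert-v01@openssh.com` blob following the field order in PROTOCOL.certkeys and recovers the plain public key that an agent would match against its private keys; the sample certificate is constructed inline with a dummy key and empty CA/signature fields, and no signature verification is performed.

```python
import struct

# Added example (not gpg-agent/OpenSSH code): parse an OpenSSH *-cert-v01@openssh.com
# blob per PROTOCOL.certkeys and recover the plain public key. No signature check.
PLAIN_KEY = {  # cert type -> (plain key type, number of strings forming the key)
    "ssh-ed25519-cert-v01@openssh.com": ("ssh-ed25519", 1),  # pk
    "ssh-rsa-cert-v01@openssh.com": ("ssh-rsa", 2),          # e, n
}

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(blob: bytes) -> dict:
    ctype, off = read_string(blob, 0)
    ctype = ctype.decode()
    if ctype not in PLAIN_KEY:  # e.g. the old v00 format or an unknown algorithm
        raise ValueError(f"unsupported certificate type: {ctype}")
    plain_type, nfields = PLAIN_KEY[ctype]
    _nonce, off = read_string(blob, off)
    key_fields = []
    for _ in range(nfields):
        f, off = read_string(blob, off)
        key_fields.append(f)
    serial, kind = struct.unpack_from(">QI", blob, off)  # kind: 1 = user, 2 = host
    off += 12
    key_id, off = read_string(blob, off)
    plist, off = read_string(blob, off)  # "valid principals": packed strings
    principals, p = [], 0
    while p < len(plist):
        name, p = read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    # critical options, extensions, reserved, CA key and signature follow; none
    # of them is needed to find the matching private key.
    plain_blob = ssh_string(plain_type.encode()) + b"".join(map(ssh_string, key_fields))
    return {"cert_type": ctype, "plain_type": plain_type, "plain_key_blob": plain_blob,
            "serial": serial, "kind": kind, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

# Constructed sample: user cert over a dummy Ed25519 key; CA key and signature
# are empty placeholders, so this blob would never verify.
SAMPLE_CERT = (
    ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\x00" * 32) + ssh_string(b"\x11" * 32)
    + struct.pack(">QI", 7, 1) + ssh_string(b"alice@example") + ssh_string(ssh_string(b"alice") + ssh_string(b"deploy"))
    + struct.pack(">QQ", 0, 2**64 - 1) + ssh_string(b"") * 5  # options, extensions, reserved, CA key, sig
)
```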

Update:
It looks like OpenSSH version 8 now supports ssh-agent's handling of REQUEST_IDENTITIES.

Even so, we can use the -k option of ssh-add and the -i option of ssh.
It's not clear if adding the feature to gpg-agent is worth it.

See: https://lists.gnupg.org/pipermail/gnupg-devel/2021-April/034845.html