gpg-agent doesn't accept ssh certificates
Open, Normal, Public

Description

gpg-agent doesn't implement PROTOCOL.certkeys, latest version at
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain)
and added in OpenSSH 5.4.

After getting the public key signed, ssh-add will report SSH_AGENT_FAILURE when
handling the certificate. This makes it impossible to use OpenPGP keys for SSH
authentication on hosts that use signed keys.

Details

Version
2.1
werner added a subscriber: werner. Nov 17 2014, 3:12 PM

Isn't it possible to convert it to standard ssh format and use that with ssh-add?

I am currently lacking the time to add this to gpg-agent.

ssh-add only looks for private key information. If there is an id_rsa-cert.pub file it
will add the certificate, but one cannot add a certificate alone.

There are a couple of problems:

  1. gpg-agent doesn't recognize the cert type (ssh-rsa-cert-v01@openssh.com, etc.) so if
     it is added via agent forwarding it fails.

  2. If the private key is on a card, then there is no private key file for ssh-add to
     use. Some cards allow certificates to be stored on the card, and it looks from the
     source to scdaemon that there is a way to read it and return it to the agent.

I could give this a try: in the case of #2, do you think it would be a reasonable
addition to gpg-agent's protocol to look for ~/.ssh/id_{rsa,dsa,ecdsa}-cert.pub when
handling a card-based private key? The cert is public info so only better portability
is gained by storing it on the card.

re 1) ssh-rsa-cert-v01@openssh.com is the certificate as used by sshd/ssh. The
agent protocol however uses an ssh-rsa-cert-v00@openssh.com format to send the
private key to the agent. It should be easy to support this if it is sufficient
to just get the private key from the ssh-rsa-cert-v00.

re 2) I need to look close on how this is handled by the ssh-agent protocol.

gpg-agent should not look for an ssh file directly because its API is based on
the ssh-agent protocol. Thus a modified ssh is required. I noticed an
ssh-agent object related to card - this needs further investigation.
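As an added example (not code from this report or from GnuPG), here is a small Python decoder for the ssh-rsa-cert-v01@openssh.com blob layout given in PROTOCOL.certkeys, run over a constructed certificate whose CA key and signature are placeholders. It shows the type-string suffix an agent has to recognize before it can find the underlying key algorithm, which is the step a plain key-type table misses.

```python
import struct

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b
def _mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 byte when the high bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

class _Reader:
    def __init__(self, data: bytes): self.d, self.o = data, 0
    def _take(self, fmt: str):
        (v,) = struct.unpack_from(fmt, self.d, self.o); self.o += struct.calcsize(fmt)
        return v
    def u32(self) -> int: return self._take(">I")
    def u64(self) -> int: return self._take(">Q")
    def string(self) -> bytes:
        n = self.u32(); s = self.d[self.o:self.o + n]; self.o += n
        return s
    def mpint(self) -> int: return int.from_bytes(self.string(), "big")
    def done(self) -> bool: return self.o >= len(self.d)

def parse_cert(blob: bytes) -> dict:
    r = _Reader(blob)
    ctype = r.string().decode()
    if not ctype.endswith("-cert-v01@openssh.com"):
        raise ValueError("not a v01 OpenSSH certificate: " + ctype)
    # Strip the suffix to get the key algorithm; a table that only knows "ssh-rsa" rejects certs
    c = {"type": ctype, "base_type": ctype[:-len("-cert-v01@openssh.com")], "nonce": r.string()}
    if c["base_type"] != "ssh-rsa":   # ecdsa/ed25519 certs carry a different key body
        raise ValueError("unsupported base key type: " + c["base_type"])
    c["e"], c["n"] = r.mpint(), r.mpint()
    c["serial"], c["cert_type"] = r.u64(), {1: "user", 2: "host"}[r.u32()]
    c["key_id"] = r.string().decode()
    p, c["principals"] = _Reader(r.string()), []      # packed list of strings
    while not p.done():
        c["principals"].append(p.string().decode())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    c["critical_options"], c["extensions"], c["reserved"] = r.string(), r.string(), r.string()
    c["signature_key"], c["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return c

def build_sample_rsa_cert() -> bytes:
    # Constructed sample with placeholder values; the CA key and signature are not real.
    return (_string(b"ssh-rsa-cert-v01@openssh.com") + _string(b"\x00" * 32)
            + _mpint(65537) + _mpint(0xC0FFEE) + struct.pack(">QI", 42, 1)
            + _string(b"jwilson-key") + _string(_string(b"jwilson") + _string(b"root"))
            + struct.pack(">QQ", 0, 0xFFFFFFFFFFFFFFFF) + _string(b"") * 3
            + _string(b"ca-key-placeholder") + _string(b"sig-placeholder"))
```

A real certificate from `ssh-keygen -s` is the base64 payload of the `-cert.pub` file and decodes with the same field order; the signature is not verified here.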

gniibe added a subscriber: gniibe. Aug 16 2016, 2:41 AM

FYI.

https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031479.html
^-- In this experiment, I tried another half of supporting OpenSSH certificates.

I found that it doesn't work as I had thought.

I think that the lower level support of gpg-agent is ready to add this feature
of accepting OpenSSH certificates, but modification of OpenSSH will be required
too, so that it works well.

Currently, the OpenSSH certificate file itself is still needed even if ssh-agent
supports OpenSSH certificates. When it returns a certificate to the ssh client, the
ssh client only uses the information of the key in the certificate. It is the file
which the ssh client uses when communicating with the server.
