ssh Yubikey not recognized, but Yubikey works with GPG well
Open, Needs Triage, Public

Description

A master key with subkeys for signing, encryption and authentication was generated on a Yubikey. Signing and encryption of mails with Kleopatra from a Yubikey works fine. However, the authentication key should be used for SSH authentication on a server. The output of gpg --export-ssh-key 0x....... was downloaded and the public key was set on the server. SSH authentication with that key is possible if the private key is copied to a USB stick and PuTTY is then used. Therefore, SSH is set up on the server in the right way. The trouble comes up if the Yubikey should be used for SSH authentication. gpg --card-status shows the key and all subkeys on the Yubikey. However, ssh-add -L shows the message: "Error connecting to agent: No such file or directory". My gpg-agent.conf is as follows:

enable-putty-support
enable-ssh-support
default-cache-ttl 120
max-cache-ttl 300

Details

Version
3-1-11
JW-D created this task. Sat, Jul 11, 2:12 PM
gniibe added a subscriber: gniibe. Tue, Jul 14, 3:59 AM

You mean running OpenSSH (and its tool ssh-add) on Windows, right?
It is not supported. PuTTY is supported.

JW-D added a comment. Tue, Jul 14, 8:06 AM

No, you are wrong, I am not speaking about OpenSSH!!! I am speaking of PuTTY. As explained in my first message, if I copy my SSH key to a USB stick and use PuTTY in combination with this stick, it is fine, I can connect to my server. If I want to use my Yubikey 5NFC in combination with PuTTY, SSH authentication fails!

I believe that the Yubikey is not recognized for some reason. Maybe the problem is that I have a built-in smart card reader which I commonly use for Bitlocker disk encryption. If I insert my Yubikey and open the cmd window I can perform "gpg --card-status" and I see all subkeys, including the authentication subkey. I can also sign or encrypt/decrypt with my subkeys in Kleopatra. That is no problem at all. My only problem is the SSH authentication in combination with a Yubikey. If I open a cmd window and enter "gpg --card-status" I see the keys; if I enter "ssh-add -L" it shows the message: "Error connecting to agent: No such file or directory".

I am not quite sure whether it is a bug or a configuration problem due to the built-in smart card reader. Anyway, PuTTY and Yubikey do not work together on my computer. I look forward to your reply!

So, where does "ssh-add" command come from? IIUC, it is from OpenSSH.

JW-D added a comment. Tue, Jul 14, 8:54 AM

Sorry, my fault. I found this command line on the internet (I am relatively new) so I mixed it up. OK, skip ssh-add, it was my mistake! But the problem is that my Yubikey is not recognized by PuTTY in an ordinary SSH session. In the cmd window and in Kleopatra it works, but not with PuTTY.

A reference might help:
https://blogs.itemis.com/en/openpgp-on-the-job-part-8-ssh-with-openpgp-and-yubikey

Tips:

  • Never run pageant.exe, as it is the task of gpg-agent (with Yubikey) to handle authentication requests
  • If you use OpenSSH, use ssh-pageant (instead of ssh-agent), which bridges OpenSSH's ssh-agent protocol to the Pageant protocol, so that authentication can be handled by gpg-agent with Yubikey

JW-D added a comment. Wed, Jul 15, 1:50 PM

I already used the mentioned blog as the base of my work. But the Yubikey is not recognized in SSH and I do not know how to mitigate this.

I understood from your tips not to run pageant.exe and that I should run ssh-pageant instead. How do I do it? THANKS for the support!

werner added a subscriber: werner. Fri, Jul 17, 10:46 AM

iirc, you need to start gpg-agent before you use PuTTY; thus do a "gpg -K" or "gpgconf --launch gpg-agent".
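
A PowerShell check of the pieces this thread touches (the enable-putty-support line in gpg-agent.conf, a stray Pageant process, starting gpg-agent before PuTTY, and the card's authentication subkey), added here as an illustration; it is not from the ticket, Gpg4win or GnuPG. It assumes gpg.exe, gpgconf.exe and gpg-connect-agent.exe are on PATH and that the GnuPG home is the Windows default %APPDATA%\gnupg unless GNUPGHOME is set; the $KeyId parameter is a placeholder for your own key ID.

```powershell
# Added diagnostic script (not from the ticket, Gpg4win or GnuPG).
# Assumptions: gpg/gpgconf/gpg-connect-agent on PATH; home dir is
# %APPDATA%\gnupg unless GNUPGHOME is set; $KeyId is a placeholder.
param(
    # Key ID whose authentication subkey should be offered to the server;
    # placeholder value, replace with the 0x... id shown by "gpg -K"
    [string]$KeyId = "0xREPLACE_WITH_YOUR_KEYID"
)

$gnupgHome = if ($env:GNUPGHOME) { $env:GNUPGHOME } else { Join-Path $env:APPDATA "gnupg" }
$conf = Join-Path $gnupgHome "gpg-agent.conf"

# 1. gpg-agent.conf must contain an uncommented enable-putty-support line,
#    otherwise gpg-agent never answers PuTTY's Pageant requests.
if (-not (Test-Path $conf)) {
    Write-Warning "gpg-agent.conf not found at $conf"
} else {
    $putty = Get-Content $conf | Where-Object { $_ -match '^\s*enable-putty-support\s*$' }
    if ($putty) { Write-Host "OK: enable-putty-support is set in $conf" }
    else { Write-Warning "enable-putty-support is missing from $conf" }
}

# 2. pageant.exe must not be running: it would take the requests that
#    gpg-agent is supposed to handle (gniibe's first tip).
$pageant = Get-Process -Name pageant -ErrorAction SilentlyContinue
if ($pageant) {
    Write-Warning ("pageant.exe is running (PID {0}); close it so gpg-agent answers PuTTY" -f ($pageant.Id -join ","))
} else {
    Write-Host "OK: no pageant.exe process"
}

# 3. Start gpg-agent before PuTTY (werner's tip) and confirm it answers.
& gpgconf --launch gpg-agent
$ver = & gpg-connect-agent "getinfo version" /bye 2>&1
if ($LASTEXITCODE -eq 0) { Write-Host "OK: gpg-agent reachable, version $($ver -join ' ')" }
else { Write-Warning "gpg-agent did not answer: $ver" }

# 4. The card and its authentication subkey must be visible to gpg.
& gpg --card-status 2>&1 | Select-String -Pattern 'Signature key', 'Encryption key', 'Authentication key'

# 5. Print the public key line the agent will offer, to compare against
#    authorized_keys on the server.
if ($KeyId -ne "0xREPLACE_WITH_YOUR_KEYID") {
    Write-Host "SSH public key for $KeyId (compare with authorized_keys on the server):"
    & gpg --export-ssh-key $KeyId
}
```

Run it from a fresh cmd or PowerShell window before starting PuTTY. If you edit gpg-agent.conf, restart the agent first (gpgconf --kill gpg-agent, then the script), because the agent reads its configuration at startup. PuTTY itself must have "Attempt authentication using Pageant" enabled under Connection > SSH > Auth; with that off, or with the wrong public key on the server, PuTTY reports "No supported authentication methods available (server sent: publickey)" because it had no key the server would accept.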

JW-D added a comment. Sat, Jul 18, 9:05 PM

I started "gpgconf --launch gpg-agent" and afterwards PuTTY. Then I am asked to "login as:". After entering the username, the error "PuTTY Fatal Error: No supported authentication methods available (server sent: publickey)" occurred.

Login by public key from a USB stick is still possible, but Yubikey fails.