Page MenuHome GnuPG
Create Task
Maniphest T5494

gpg-agent doesn't support security-key (sk) key types
Open, LowPublic
Actions

Description

When trying to add an ecdsa-sk key to gpg-agent via ssh-add, I'm getting an error:

$ ssh-add ~/.ssh/id_ecdsa_sk
Could not add identity "/Users/sven/.ssh/id_ecdsa_sk": agent refused operation

With debug-level advanced, the log shows

2021-06-18 19:44:19 gpg-agent[43421] ssh handler 0x70000c035000 for fd 8 started
2021-06-18 19:44:19 gpg-agent[43421] ssh request handler for add_identity (25) started
2021-06-18 19:44:19 gpg-agent[43421] ssh request handler for add_identity (25) ready
2021-06-18 19:44:19 gpg-agent[43421] ssh handler 0x70000c035000 for fd 8 terminated

The key was created like so: ssh-keygen -t ecdsa-sk with a Yubico YubiKey OTP FIDO CCID.

I couldn't find a ticket for this. If this is a duplicate, feel free to close the ticket.

Details

Version
2.3.1

Event Timeline

svenschwermer created this task.Jun 18 2021, 7:48 PM
svenschwermer updated the task description. (Show Details)
werner triaged this task as Low priority.Jun 18 2021, 11:31 PM
werner added a subscriber: werner.

ggp-agent has no support for U2F and it can't work with these key types. Given that Yubikeys also have proper keys (even eddsa) I doubt that we will implement support for ecdsa-sk OpenSSH feature any time soon,

calebj added a subscriber: calebj.Jul 13 2021, 7:28 AM
rhansen added a subscriber: rhansen.Sep 9 2021, 11:13 AM

How difficult would it be to teach gpg-agent to fall back to another SSH agent if given an unsupported key?

I use gpg-agent for some hosts and OpenSSH's ssh-agent for others (via the IdentityAgent option) so that I can use a mix of OpenPGP card-backed keys and FIDO U2F (ecdsa-sk) keys. This mostly works, except when I use agent forwarding (ssh -A) and need to use both types of keys on the remote host.

Related feature request to add agent fallback to yubikey-agent: https://github.com/FiloSottile/yubikey-agent/issues/19

werner added a project: gnupg (gpg23).Sep 9 2021, 1:03 PM

Interesting idea.

I would actually like to implement this but before I do this I would like to get my pass-envvar-to-gpg-agent patches into OpenSSH. This might need some more support from others. See http://lists.mindrot.org/pipermail/openssh-unix-dev/2021-January/039045.html

motp added a subscriber: motp.Feb 8 2022, 4:40 PM

It would be awesome if you could implement this \o/

Like rhansen, we are using OpenPGP card-backed keys, but would like to add FIDO U2F (ecdsa-sk)
keys for some systems as well without loosing the agent forwarding feature :-)

heirecka added a subscriber: heirecka.Nov 9 2022, 1:23 PM
werner added a project: gnupg24.Dec 13 2022, 11:21 AM