Page MenuHome GnuPG

gpg-agent doesn't support security-key (sk) key types
Open, LowPublic

Description

When trying to add an ecdsa-sk key to gpg-agent via ssh-add, I'm getting an error:

$ ssh-add ~/.ssh/id_ecdsa_sk
Could not add identity "/Users/sven/.ssh/id_ecdsa_sk": agent refused operation

With debug-level advanced, the log shows

2021-06-18 19:44:19 gpg-agent[43421] ssh handler 0x70000c035000 for fd 8 started
2021-06-18 19:44:19 gpg-agent[43421] ssh request handler for add_identity (25) started
2021-06-18 19:44:19 gpg-agent[43421] ssh request handler for add_identity (25) ready
2021-06-18 19:44:19 gpg-agent[43421] ssh handler 0x70000c035000 for fd 8 terminated

The key was created like so: ssh-keygen -t ecdsa-sk with a Yubico YubiKey OTP FIDO CCID.

I couldn't find a ticket for this. If this is a duplicate, feel free to close the ticket.

Details

Version
2.3.1

Event Timeline

werner added a subscriber: werner.

ggp-agent has no support for U2F and it can't work with these key types. Given that Yubikeys also have proper keys (even eddsa) I doubt that we will implement support for ecdsa-sk OpenSSH feature any time soon,

How difficult would it be to teach gpg-agent to fall back to another SSH agent if given an unsupported key?

I use gpg-agent for some hosts and OpenSSH's ssh-agent for others (via the IdentityAgent option) so that I can use a mix of OpenPGP card-backed keys and FIDO U2F (ecdsa-sk) keys. This mostly works, except when I use agent forwarding (ssh -A) and need to use both types of keys on the remote host.

Related feature request to add agent fallback to yubikey-agent: https://github.com/FiloSottile/yubikey-agent/issues/19

Interesting idea.

I would actually like to implement this but before I do this I would like to get my pass-envvar-to-gpg-agent patches into OpenSSH. This might need some more support from others. See http://lists.mindrot.org/pipermail/openssh-unix-dev/2021-January/039045.html