
OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required)
Open, Normal, Public

Description

Since updating openssh to 8.9p1-1 (on archlinux), I can't authenticate via gpg-agent using a USB hardware token.

gpg-agent shows the pinentry dialog, but then ssh says:
sign_and_send_pubkey: signing failed for ED25519 "cardno:***" from agent: agent refused operation

Downgrading to openssh-8.8p1-1 fixes it.

Updating gnupg from 2.2.32 to 2.2.33 or 2.2.34 (by manually editing the gnupg PKGBUILD since the archlinux version is out of date) and doing "gpgconf --kill gpg-agent", "gpgconf --launch gpg-agent" did not fix it.

I have this in my environment:
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

and enable-ssh-support in ~/.gnupg/gpg-agent.conf
and it has worked fine until now.

I'm guessing from comments on the archlinux bug report that this is related: https://www.openssh.com/agent-restrict.html

I'm reporting here on the assumption that the ABI/API break in openssh's agent API is intended and gnupg needs fixing to handle it (though the breakage on openssh's part clearly sucks for users)!

Details

External Link
https://bugs.archlinux.org/task/74143
Version
2.2.34

Event Timeline

amalon created this object in space S1 Public.
werner triaged this task as High priority. Apr 14 2022, 12:36 PM
werner added a project: gnupg (gpg23).
werner added a subscriber: werner.

I have not yet tested OpenSSH 9 and thus the patch to master is here just as a test. Please better use gnupg 2.3 (stable) instead of 2.2 (LTS) because it is unlikely that we will backport all this new ssh stuff.

werner lowered the priority of this task from High to Normal. Apr 28 2022, 8:55 AM
werner added a project: Testing.

FYI, I built 2.3.6 using a modified archlinux PKGBUILD (and disabling patches to avoid conflicts), then did:
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
but ssh still fails as before.

Please describe what token is used. For my use cases with rGe8fb8e2b3e66 (scd: Don't inhibit SSH authentication for larger data if it can.), both Gnuk (>= 1.2.16) and Yubikey (>= 5) work well.

It's a Nitrokey Start. I gave it another spin just to make sure, and again when updating to openssh 9.0 and "gpg (GnuPG) 2.3.6-unknown", it fails (again with a careful gpgconf --kill gpg-agent etc.). I double-checked the source code downloaded by Arch's makepkg; it appears to have that patch applied. I also tried adding -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com to the ssh command, which didn't help.

I don't know what other relevant info about the card I can give. It has ed25519 keys on it.

Nitrokey Start uses Gnuk as its firmware. You need to upgrade its firmware to version 1.2.16 or newer.
Please note that when upgrading the firmware, your keys will be removed.

Changed the tags and the title.

gniibe renamed this task from "OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token" to "OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required)". Jul 12 2022, 3:26 AM