Description:
I was setting up my sshd with certificate authorization. I tried to sign my ed25519 key on my yubikey, but when I tried to log in with this cert, it failed.
It works fine with secp256/384/512 keys on the smart card and with an ed25519 key stored locally. I tried on my yubikey 5 and canokey, and they both failed.
I found https://bugs.archlinux.org/task/74423 but it didn't work for me.
Additional info:
- package version(s)
gnupg 2.2.39-1 openssh 9.1p1-1
- config and/or log files etc.
- link to upstream bug report, if any
Steps to reproduce:
- Set up gpg-agent normally
- Create a user CA
ssh-keygen -t ed25519 -f user_ca -C user_ca
- Add CA pubkey to server
sed 's/^/cert-authority /' user_ca.pub >> ~/.ssh/authorized_keys
- Add an ed25519 A key to a gpg smart card and export its ssh public key to id_ed25519.pub
- Sign a certificate for the ssh pubkey above
ssh-keygen -s user_ca -I user -n USERNAME id_ed25519.pub
- Login with the certificate
ssh -i id_ed25519-cert.pub localhost
Then it will show 'sign_and_send_pubkey: signing failed for ED25519 "cardno:xxxxxx": agent refused operation'.
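Added example, not part of this report nor code from OpenSSH or GnuPG: a parser for the ssh-ed25519-cert-v01@openssh.com wire format described in OpenSSH's PROTOCOL.certkeys, used to run the checks a practitioner does first when a certificate login fails (cert key present in the agent, user listed as a principal, cert inside its validity window). The key bytes, certificate and agent listing below are constructed placeholders; the cert carries a zeroed signature because only the decoded fields are examined.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire "string": uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_ed25519_cert(pk, key_id, principals, valid_after, valid_before, ca_pk):
    """Encode an ssh-ed25519 user cert (serial 1, type 1 = user); signature is a zero placeholder."""
    body = (_s(CERT_TYPE) + _s(b"\0" * 32) + _s(pk) + struct.pack(">QI", 1, 1) + _s(key_id)
            + _s(b"".join(_s(p) for p in principals)) + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")                      # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pk)))               # signature key (the CA)
    return body + _s(_s(b"ssh-ed25519") + _s(b"\0" * 64))

def parse_ed25519_cert(blob):
    """Return (pk, key_id, principals, valid_after, valid_before) decoded from a cert blob."""
    pos = 0
    def rd():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos); pos += 4 + n
        return blob[pos - n:pos]
    if rd() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    rd()                                                        # nonce
    pk = rd()
    pos += 12                                                   # serial (uint64) + type (uint32)
    key_id = rd()
    plist, principals, p = rd(), [], 0
    while p < len(plist):                                       # principals: nested list of strings
        (n,) = struct.unpack_from(">I", plist, p); p += 4
        principals.append(plist[p:p + n].decode()); p += n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return pk, key_id.decode(), principals, valid_after, valid_before

def diagnose(cert_line, agent_listing, username, now):
    """Return a list of findings; an empty list means the cert passes the three basic checks."""
    pk, _, principals, after, before = parse_ed25519_cert(base64.b64decode(cert_line.split()[1]))
    agent_key = base64.b64encode(_s(b"ssh-ed25519") + _s(pk)).decode()   # what `ssh-add -L` prints
    findings = []
    if not any(l.split()[:2] == ["ssh-ed25519", agent_key] for l in agent_listing.splitlines() if l.strip()):
        findings.append("certificate public key is not offered by the agent (compare with `ssh-add -L`)")
    if username not in principals:
        findings.append(f"user {username!r} is not among the cert principals {principals}")
    if not (after <= now < before):
        findings.append("certificate is outside its validity window")
    return findings

# Constructed sample data (placeholders, not real keys): a cert for principal "alice" and a matching agent listing
PK = bytes(range(32))
CERT_LINE = CERT_TYPE.decode() + " " + base64.b64encode(
    build_ed25519_cert(PK, b"user", [b"alice"], 0, 2**64 - 1, bytes(32))).decode() + " user@card"
AGENT_LISTING = "ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(PK)).decode() + " cardno:000000\n"
```

In practice the cert line is the content of id_ed25519-cert.pub and the listing is the output of `ssh-add -L` while SSH_AUTH_SOCK points at gpg-agent.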