ssh (Project)
Active · Public

Recent Activity

Wed, Apr 1

jpalus added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

Great spotting! This was it. Quite embarrassing that I've looked at this code so many times yet it didn't cross my mind to double check arguments order.

Wed, Apr 1, 1:27 PM · gpgagent, ssh, Bug Report
gniibe triaged T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x as Normal priority.

@jpalus You are right.

Wed, Apr 1, 4:30 AM · gpgagent, ssh, Bug Report
gniibe added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

computed by ssh_signature_encoder_rsa, including additional 0, reach:

Wed, Apr 1, 4:16 AM · gpgagent, ssh, Bug Report

Tue, Mar 31

jpalus added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

Note that exactly the same data and length computed by ssh_signature_encoder_rsa, including additional 0, reach:
https://github.com/openssh/openssh-portable/blob/V_10_2_P1/sshkey.c#L517-L537

Tue, Mar 31, 6:38 PM · gpgagent, ssh, Bug Report
werner assigned T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x to gniibe.

Let's see whether Niibe-san still remembers the T7882 case.

Tue, Mar 31, 3:23 PM · gpgagent, ssh, Bug Report
jpalus added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

Added some debug logging, and whenever the login issue occurs the new logic is applied:
https://github.com/gpg/gnupg/blob/bc7c91bee521e4adf3506ca32bf34177b84ce1c5/agent/command-ssh.c#L1482

Tue, Mar 31, 1:50 PM · gpgagent, ssh, Bug Report
jpalus added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

Looks like it is indeed related to T7882. After reverting c7e0ec12609b401ea81c4851522d86eb5ec27170 I was able to make 2000 connections without any issue. Bringing the change back and retrying, the issue appeared within the first 300.

Tue, Mar 31, 1:21 PM · gpgagent, ssh, Bug Report
jpalus added a comment to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x.

I've already tried with verbose which gave no errors. That's why I moved to debug logging. With double verbose I don't see anything wrong either. Excerpt from log for relevant 100 connections among which 1 failed:

$ cat gpg.log |
    sed 's/.*gpg-agent\[[0-9]*\] //'  | # remove date, time and process id
    grep -v 'ssh handler .* \(started\|terminated\)' | # appears to be mostly noise with hex address
    sort|uniq -c
     80 new connection to /usr/libexec/gnupg2/scdaemon daemon established
     20 new connection to /usr/libexec/gnupg2/scdaemon daemon established (reusing)
    100 received ssh request of length 1
    100 received ssh request of length 208
    100 received ssh request of length 748
    100 sending ssh response of length 1
    100 sending ssh response of length 281
    100 sending ssh response of length 626
    100 ssh request handler for extension (27) ready
    100 ssh request handler for extension (27) started
    100 ssh request handler for request_identities (11) ready
    100 ssh request handler for request_identities (11) started
    100 ssh request handler for sign_request (13) ready
    100 ssh request handler for sign_request (13) started
    100 ssh-agent extension 'session-bind@openssh.com' not supported
    100 ssh-agent extension 'session-bind@openssh.com' received
Tue, Mar 31, 12:55 PM · gpgagent, ssh, Bug Report
werner added projects to T8202: Intermittent ssh publickey login failure after upgrade to gnupg 2.5.x: ssh, gpgagent.

You need to get a log from gpg-agent. Put this into ~/.gnupg/gpg-agent/conf

Tue, Mar 31, 12:06 PM · gpgagent, ssh, Bug Report

Jan 6 2026

the13thletter added a comment to T8013: gpgconf does not support the --enable-win32-openssh-support option for gpg-agent.

Frankly, the OpenSSH support for Windows was experimental and I have never tested it. If it can be confirmed that this really works and is useful, it will be easy to add the option to gpgconf.

Jan 6 2026, 10:04 PM · Feature Request, ssh, gnupg26, Windows
werner triaged T8013: gpgconf does not support the --enable-win32-openssh-support option for gpg-agent as Normal priority.

Frankly, the OpenSSH support for Windows was experimental and I have never tested it. If it can be confirmed that this really works and is useful, it will be easy to add the option to gpgconf. Note that the gpgconf option feature handles only a subset of all options on purpose.

Jan 6 2026, 8:53 AM · Feature Request, ssh, gnupg26, Windows

Nov 19 2025

werner closed T7882: `rsa-sha2` signature values are improperly truncated as Resolved.
Nov 19 2025, 5:42 PM · ssh, gpgagent, Bug Report

Nov 6 2025

gniibe added projects to T7882: `rsa-sha2` signature values are improperly truncated : gpgagent, ssh.
Nov 6 2025, 2:07 AM · ssh, gpgagent, Bug Report

Jul 17 2025

gniibe closed T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard as Resolved.
Jul 17 2025, 4:26 AM · gnupg, ssh, Bug Report

Jun 5 2025

gniibe added a comment to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard.

The problem was: In scdaemon, PKSIGN with OPENPGP.3 didn't work well for Ed25519 (done by do_auth function in app-openpgp.c), when --hash=sha512 (not SHA1).

Jun 5 2025, 2:52 AM · gnupg, ssh, Bug Report

Jun 4 2025

gniibe changed the status of T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard from Open to Testing.

I located the bug in scdaemon.

Jun 4 2025, 6:58 AM · gnupg, ssh, Bug Report

Jun 2 2025

gniibe claimed T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard.
Jun 2 2025, 6:38 AM · gnupg, ssh, Bug Report

May 14 2025

werner added a comment to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard.

Using the primary key for ssh was not intended and thus not tested. I have not yet found the time to look closer at your report. Just one remark:

May 14 2025, 12:32 PM · gnupg, ssh, Bug Report
werner added a project to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard: gnupg.
May 14 2025, 12:07 PM · gnupg, ssh, Bug Report

May 2 2025

werner added a project to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard: ssh.
May 2 2025, 10:31 AM · gnupg, ssh, Bug Report

Feb 5 2025

werner renamed T7505: SSH agent failing "agent refused operation" due to Bitwarden from SSH agent failing "agent refused operation" to SSH agent failing "agent refused operation" due to Bitwarden.
Feb 5 2025, 2:17 PM · ssh, FAQ, gpg4win
werner edited projects for T7505: SSH agent failing "agent refused operation" due to Bitwarden, added: FAQ, ssh; removed Bug Report.

Thanks for that info. I tag it as FAQ and change the subject in case someone searches for such a problem.

Feb 5 2025, 2:16 PM · ssh, FAQ, gpg4win

Jan 10 2025

gniibe closed T7436: Allow ssh to sign data larger than the assuan line length. as Resolved.

Fixed in 2.5.2.

Jan 10 2025, 8:00 AM · ssh, Feature Request, gnupg26

Dec 6 2024

gniibe changed the status of T7436: Allow ssh to sign data larger than the assuan line length. from Open to Testing.
Dec 6 2024, 6:32 AM · ssh, Feature Request, gnupg26

Dec 5 2024

gniibe claimed T7436: Allow ssh to sign data larger than the assuan line length..
Dec 5 2024, 7:02 AM · ssh, Feature Request, gnupg26

Dec 3 2024

werner renamed T7436: Allow ssh to sign data larger than the assuan line length. from Allow ssh to sign larger data than the assuan line length. to Allow ssh to sign data larger than the assuan line length..
Dec 3 2024, 4:18 PM · ssh, Feature Request, gnupg26
ebo renamed T7436: Allow ssh to sign data larger than the assuan line length. from Allow ssh to sign larger data tha the assuan line length. to Allow ssh to sign larger data than the assuan line length..
Dec 3 2024, 4:14 PM · ssh, Feature Request, gnupg26
werner triaged T7436: Allow ssh to sign data larger than the assuan line length. as Normal priority.
Dec 3 2024, 3:31 PM · ssh, Feature Request, gnupg26

Dec 2 2024

gniibe closed T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required) as Resolved.

Closed, since this was documentation for the workaround, four years ago.

Dec 2 2024, 9:52 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent
werner added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).

Just a reminder: with Gnuk 1.2.15 and an ed25519 key PubkeyAuthentication unbound is required for hosts using the new feature.

Dec 2 2024, 9:35 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent

Mar 4 2024

Zymlex added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

In case someone finds it through a search:

Mar 4 2024, 9:51 PM · Not A Bug, workaround, gnupg24, Windows, ssh

Feb 21 2024

werner closed T5084: Using GPGWin 3.1.13, Putty fails to load the private key from a YubiKey as Resolved.

Closing due to age and because gpg4win 4 started using the much improved GnuPG 2.4

Feb 21 2024, 5:45 PM · gnupg, ssh, Bug Report, gpg4win

Jan 5 2024

werner moved T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent from Backlog to done on the gnupg24 board.
Jan 5 2024, 12:04 PM · Not A Bug, workaround, gnupg24, Windows, ssh

Oct 16 2023

werner triaged T6756: max-cache-ttl-ssh overrides max-cache-ttl as Low priority.
Oct 16 2023, 1:24 PM · MacOS, gpgagent, ssh, Bug Report

Oct 10 2023

memeplex updated the task description for T6756: max-cache-ttl-ssh overrides max-cache-ttl.
Oct 10 2023, 2:20 PM · MacOS, gpgagent, ssh, Bug Report
memeplex updated the task description for T6756: max-cache-ttl-ssh overrides max-cache-ttl.
Oct 10 2023, 2:19 PM · MacOS, gpgagent, ssh, Bug Report
memeplex created T6756: max-cache-ttl-ssh overrides max-cache-ttl.
Oct 10 2023, 2:13 PM · MacOS, gpgagent, ssh, Bug Report

Sep 26 2023

jplejacq added a comment to T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent.

Here's another data point.

Sep 26 2023, 4:13 PM · gnupg, Documentation, ssh

Aug 28 2023

kelseyradley added a comment to T5794: Cannot add ed25519 SSH key with empty comment.
Aug 28 2023, 6:28 AM · ssh, gnupg (gpg22), Bug Report
kelseyradley added a comment to T2760: Populate comment field when exporting authentication key for SSH.
Aug 28 2023, 6:27 AM · gnupg24, ssh, Feature Request

May 26 2023

werner edited projects for T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent, added: gnupg; removed gnupg24.
May 26 2023, 10:03 AM · gnupg, Documentation, ssh

Apr 26 2023

ebo closed T6212: The ssh keys are no longer returned in the order from control file after T5996 as Resolved.
Apr 26 2023, 9:20 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request

Apr 18 2023

werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from QA to gnupg-2.4.1 on the gnupg24 board.
Apr 18 2023, 9:42 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request

Feb 1 2023

werner changed the status of T6212: The ssh keys are no longer returned in the order from control file after T5996 from Open to Testing.
Feb 1 2023, 9:36 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request
werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from QA to WiP on the gnupg24 board.
Feb 1 2023, 9:36 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request
werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from WiP to QA on the gnupg24 board.

See the commit for a description of the changes.

Feb 1 2023, 9:29 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@MathiasMagnus This change is to support Win32-OpenSSH by gpg-agent emulation of ssh-agent; You can use gpg-agent emulation of ssh-agent when you use Win32-OpenSSH. That is, you can use GPG auth subkey for Win32-OpenSSH.

Feb 1 2023, 6:03 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Jan 31 2023

werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from Backlog to WiP on the gnupg24 board.
Jan 31 2023, 12:40 PM · gnupg24 (gnupg-2.4.1), ssh, Feature Request
MathiasMagnus added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@gniibe Am I misunderstanding something? I thought that with this change one is able to connect from a Windows box to a Linux box and have GPG agent forwarding work. I am still hitting pretty much the same issue described here: https://github.com/PowerShell/Win32-OpenSSH/issues/1564
On my Windows endpoint I'm running gpg.exe version 2.4.0.49237 and in C:\Users\mate\AppData\Roaming\gnupg\gpg-agent.conf I have a single line enable-win32-openssh-support. Running gpg-connect-agent.exe reloadagent /bye I have a gpg-agent running. Get-Process gpg-agent shows that it's running. In my Windows env I have SSH_AUTH_SOCK set to \\.\pipe\openssh-ssh-agent and my Linux endpoint is configured in SSH config with

ForwardAgent yes
AddKeysToAgent yes
RemoteForward /run/user/1015/gnupg/S.gpg-agent C\:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra

As the remote end reports /run/user/1015/gnupg/S.gpg-agent that socket for agent-socket when issuing gpgconf --list-dirs and my local gpgconf.exe --list-dirs reports C%3a\Users\mate\AppData\Local\gnupg\S.gpg-agent.extra where I transform %3a to \: manually. SSH authentication works perfectly, when connecting pinentry-qt pops up to unlock my key and when connecting to yet another machine, my SSH agent is forwarded again. However, gpg fails to use my agent. Issuing gpg --list-secret-keys --verbose prints the following to the console:

gpg --list-secret-keys --verbose
gpg: using pgp trust model
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: waiting for the agent to come up ... (5s)
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file

What is missing to tie the knot on both ends without having to resort to 3rd party tools like @rupor-github 's agent-gui? The remote gpg version is 2.2.19, is that the issue? Must that also be 2.3.9+?

Jan 31 2023, 10:35 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Jan 24 2023

werner added a comment to T6212: The ssh keys are no longer returned in the order from control file after T5996.

Let's first collect all keys, assign a priority, sort, and only then send them back to ssh.

Jan 24 2023, 10:06 AM · gnupg24 (gnupg-2.4.1), ssh, Feature Request