ssh Project
Active · Public

Recent Activity

Tue, May 3

gniibe added a comment to T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.

Nitrokey Start uses Gnuk as its firmware. You need to upgrade its firmware to version 1.2.16 or newer.
Please note that when upgrading the firmware, your keys will be removed.

Tue, May 3, 10:43 AM · Testing, gnupg (gpg23), ssh, gpgagent

Mon, May 2

amalon added a comment to T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.

It's a Nitrokey Start. I gave it another spin just to make sure, and again when updating to openssh 9.0 and "gpg (GnuPG) 2.3.6-unknown", it fails (again with careful gpgconf --kill gpg-agent etc.). Double checked the downloaded source code by arch's makepkg, appears to have that patch applied. Also tried adding -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com to the ssh command, which didn't help.

Mon, May 2, 10:36 PM · Testing, gnupg (gpg23), ssh, gpgagent
werner added a project to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com: workaround.
Mon, May 2, 10:19 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
gniibe added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.
KexAlgorithms -sntrup761x25519-sha512@openssh.com
Mon, May 2, 10:17 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
gniibe added a comment to T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.

Please describe what token is used. For my use cases with rGe8fb8e2b3e66: scd: Don't inhibit SSH authentication for larger data if it can., both of Gnuk (>= 1.2.16) and Yubikey (>= 5) work well.

Mon, May 2, 1:53 AM · Testing, gnupg (gpg23), ssh, gpgagent

Fri, Apr 29

dkg added a comment to T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.

This looks similar to https://dev.gnupg.org/T5935 and https://bugs.debian.org/1008573

Fri, Apr 29, 6:24 PM · Testing, gnupg (gpg23), ssh, gpgagent

Thu, Apr 28

amalon added a comment to T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.

FYI, I built 2.3.6 using a modified archlinux PKGBUILD (& disabling patches to avoid conflicts), then did:
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
but ssh still fails as before

Thu, Apr 28, 9:16 AM · Testing, gnupg (gpg23), ssh, gpgagent
werner lowered the priority of T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token from High to Normal.
Thu, Apr 28, 8:55 AM · Testing, gnupg (gpg23), ssh, gpgagent

Tue, Apr 26

gniibe added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.

My Yubikey (Yubico.com Yubikey 4/5 OTP+U2F+CCID) works fine with OpenSSH using kex of sntrup761x25519-sha512@openssh.com.

Tue, Apr 26, 7:44 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd

Mon, Apr 25

gniibe added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.

Sorry, I was confused. For RSA-4096, data is hashed by gpg-agent and hashed data is signed by a card.

Mon, Apr 25, 9:51 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
werner added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.

We are using rsa-4096 on smartcard for quite some time; so I wonder what's the problem here. Is it that we don't use our Assuan hack for large key material with OpenPGP.3?

Mon, Apr 25, 8:07 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
gniibe added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.

There is another case: RSA-4096 key. scdaemon rejects the data with Invalid value. Unfortunately, there is no fix for this, as it's really too large. Even if scdaemon allows larger data, the card implementation rejects it when it conforms to the PKCS #1 standard (data should not be larger than 40% of the modulus).

Mon, Apr 25, 4:35 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd

Fri, Apr 22

gniibe added a project to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com: Testing.
Fri, Apr 22, 6:50 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
gniibe added a comment to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com.

I confirmed that the patch above works with newer Gnuk (>= 1.2.16).

Fri, Apr 22, 4:49 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd

Thu, Apr 21

werner added a project to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com: gnupg (gpg23).
Thu, Apr 21, 7:35 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd
werner triaged T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com as Normal priority.
Thu, Apr 21, 7:35 AM · workaround, Testing, gnupg (gpg23), ssh, Bug Report, scd

Apr 14 2022

werner triaged T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token as High priority.

I have not yet tested OpenSSH 9 and thus the patch to master is here just as a test. Please better use gnupg 2.3 (stable) instead of 2.2 (LTS) because it is unlikely that we will backport all this new ssh stuff.

Apr 14 2022, 12:36 PM · Testing, gnupg (gpg23), ssh, gpgagent
amalon created T5931: OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token.
Apr 14 2022, 9:17 AM · Testing, gnupg (gpg23), ssh, gpgagent

Feb 8 2022

motp added a comment to T5494: gpg-agent doesn't support security-key (sk) key types.

It would be awesome if you could implement this \o/

Feb 8 2022, 4:40 PM · gnupg (gpg23), Feature Request, ssh

Jan 28 2022

werner closed T5794: Cannot add ed25519 SSH key with empty comment as Resolved.

Thanks for the report. To keep things easy the empty comment is now translated to "(none)".

Jan 28 2022, 8:03 PM · ssh, gnupg (gpg22), Bug Report

Jan 21 2022

werner claimed T5794: Cannot add ed25519 SSH key with empty comment.
Jan 21 2022, 1:09 PM · ssh, gnupg (gpg22), Bug Report

Jan 10 2022

andrewgdotcom added a watcher for ssh: andrewgdotcom.
Jan 10 2022, 12:04 PM

Nov 23 2021

werner closed T5682: ed25519 internal authenticate with openpgpcard may send long data over short apdu as Resolved.
Nov 23 2021, 1:26 PM · Testing, scd, ssh, Bug Report

Nov 16 2021

werner changed the status of T5682: ed25519 internal authenticate with openpgpcard may send long data over short apdu from Open to Testing.
Nov 16 2021, 5:24 PM · Testing, scd, ssh, Bug Report

Nov 15 2021

gniibe added a project to T5682: ed25519 internal authenticate with openpgpcard may send long data over short apdu: Testing.
Nov 15 2021, 3:53 AM · Testing, scd, ssh, Bug Report
gniibe added a comment to T5682: ed25519 internal authenticate with openpgpcard may send long data over short apdu.

Adding the check on host side, I pushed the change: rGa575b0aba542: scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE.

Nov 15 2021, 3:53 AM · Testing, scd, ssh, Bug Report

Nov 12 2021

werner triaged T5682: ed25519 internal authenticate with openpgpcard may send long data over short apdu as High priority.
Nov 12 2021, 12:53 PM · Testing, scd, ssh, Bug Report

Oct 13 2021

bernhard added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@rupor-github no problem for the delay. Thanks for explaining!

Oct 13 2021, 9:00 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Oct 12 2021

rupor-github added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@bernhard Sorry for the delayed answer, was on sabbatical.

Oct 12 2021, 4:56 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Sep 29 2021

bernhard added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@rupor-github no problem! :)

Sep 29 2021, 3:50 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Sep 28 2021

rupor-github added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@bernhard thank you for explaining, did not mean to offend anybody. Before creating win-gpg-agent I tried to read as much as I could on the history and obviously had to study the source a bit. Be that as it may, I decided to have a separate wrapper, rather than contributing directly to the gpg code base. There is a noticeable number of use cases on Windows which are presently not addressed, some I believe are sitting in the queue already.

Sep 28 2021, 6:53 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
bernhard added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@rupor-github thanks for your explanations and the contribution to the GnuPG and crypto Free Software code base!

Sep 28 2021, 5:58 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
rupor-github added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Since a Windows user naively could expect multiple methods of accessing certificates from different programs (or sometimes from the same program but different supported environments, like Git4Win and git in WSL) to work together transparently, win-gpg-agent covers translation of one accidentally supported method (32 bit putty shared memory) to multiple unsupported ones (named pipe, cygwin, etc). It also takes care of managing gpg-agent.exe lifetime, tying it to the user login session for convenience. It uses command line parameters only to overwrite stuff critical to its functionality and does not prevent the user from having configuration file(s). Optionally it provides pinentry which is integrated with Windows native Crypto Vault and UX rather than using wonderful QT or GTK. As specified in the documentation, when developers of gpg and Windows get their act together and figure out what they want and how they want it, most of the functionality would not be needed. I would like to point out that simply claiming superiority and not supporting cygwin (Git4Win) or a working Assuan ssh socket or putty shared memory in the 64 bit Windows build does not help with user experience a single bit.

Sep 28 2021, 4:34 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Lots of detailed documentation but frankly, after a brief read I have not yet figured out what it really does. We won't support Cygwin stuff - this is all obsolete and we also removed starting gpg-agent as a service for good reasons. Instead of starting gpg-agent with a lot of command line args it would be better to put this into a per user or system wide config file.

Sep 28 2021, 10:13 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
bernhard added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

There is a user report that got things to work with https://github.com/rupor-github/win-gpg-agent
on https://wald.intevation.org/forum/forum.php?thread_id=2359&forum_id=21&group_id=11

Sep 28 2021, 9:03 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Sep 13 2021

FierzvID added a member for ssh: FierzvID.
Sep 13 2021, 10:47 PM

Sep 9 2021

werner added a project to T5494: gpg-agent doesn't support security-key (sk) key types: gnupg (gpg23).

Interesting idea.

Sep 9 2021, 1:03 PM · gnupg (gpg23), Feature Request, ssh
rhansen added a comment to T5494: gpg-agent doesn't support security-key (sk) key types.

How difficult would it be to teach gpg-agent to fall back to another SSH agent if given an unsupported key?

Sep 9 2021, 11:13 AM · gnupg (gpg23), Feature Request, ssh

Aug 13 2021

werner changed the edit policy for ssh.
Aug 13 2021, 11:15 PM

Jun 18 2021

werner triaged T5494: gpg-agent doesn't support security-key (sk) key types as Low priority.

gpg-agent has no support for U2F and it can't work with these key types. Given that Yubikeys also have proper keys (even eddsa) I doubt that we will implement support for the ecdsa-sk OpenSSH feature any time soon.

Jun 18 2021, 11:31 PM · gnupg (gpg23), Feature Request, ssh
svenschwermer updated the task description for T5494: gpg-agent doesn't support security-key (sk) key types.
Jun 18 2021, 7:50 PM · gnupg (gpg23), Feature Request, ssh
svenschwermer created T5494: gpg-agent doesn't support security-key (sk) key types.
Jun 18 2021, 7:48 PM · gnupg (gpg23), Feature Request, ssh

Feb 17 2021

gniibe closed T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation) as Resolved.
Feb 17 2021, 9:02 AM · Testing, ssh, Bug Report

Feb 10 2021

werner lowered the priority of T2760: Populate comment field when exporting authentication key for SSH from Normal to Wishlist.
Feb 10 2021, 11:05 AM · ssh, gnupg (gpg23), Feature Request

Jan 8 2021

werner closed T5167: GnuPG 2.25 still have problems related to Yubikey NEO. as Resolved.
Jan 8 2021, 9:58 AM · gnupg (gpg22), yubikey, ssh, scd, Bug Report

Jan 7 2021

jgentil added a comment to T5084: Using GPGWin 3.1.13, Putty fails to load the private key from a YubiKey.

I'm also getting this same error with GPG4Win 3.1.14.

Jan 7 2021, 4:10 PM · gnupg, ssh, Bug Report, gpg4win

Jan 6 2021

rupor-github added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I wrote https://github.com/rupor-github/win-gpg-agent to simplify usage on Windows until this issue is resolved - it handles various edge cases on Windows.

Jan 6 2021, 7:25 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Jan 5 2021

werner triaged T4992: ssh Yubikey not recognized, but Yubikey works with GPG well as Normal priority.
Jan 5 2021, 9:35 AM · ssh, yubikey, Bug Report, gpg4win

Dec 23 2020

gbschenkel added a comment to T5167: GnuPG 2.25 still have problems related to Yubikey NEO..

Already have set another, thanks gniibe! See ya!

Dec 23 2020, 2:27 AM · gnupg (gpg22), yubikey, ssh, scd, Bug Report
gniibe added a comment to T5167: GnuPG 2.25 still have problems related to Yubikey NEO..

Please change your passphrase for your card, BTW.

Dec 23 2020, 1:31 AM · gnupg (gpg22), yubikey, ssh, scd, Bug Report