Page MenuHome GnuPG

sshProject
ActivePublic

Recent Activity

Wed, Feb 1

werner changed the status of T6212: The ssh keys are no longer returned in the order from control file after T5996 from Open to Testing.
Wed, Feb 1, 9:36 AM · gnupg24, ssh, Feature Request
werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from QA to WiP on the gnupg24 board.
Wed, Feb 1, 9:36 AM · gnupg24, ssh, Feature Request
werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from WiP to QA on the gnupg24 board.

See the the commit for a description of the changes.

Wed, Feb 1, 9:29 AM · gnupg24, ssh, Feature Request
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@MathiasMagnus This change is to support Win32-OpenSSH by gpg-agent emulation of ssh-agent; You can use gpg-agent emulation of ssh-agent when you use Win32-OpenSSH. That is, you can use GPG auth subkey for Win32-OpenSSH.

Wed, Feb 1, 6:03 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Tue, Jan 31

werner moved T6212: The ssh keys are no longer returned in the order from control file after T5996 from Backlog to WiP on the gnupg24 board.
Tue, Jan 31, 12:40 PM · gnupg24, ssh, Feature Request
MathiasMagnus added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@gniibe Am I misunderstanding something? I thought that with this change one is able to connect from a Windows box to a Linux box and have GPG agent forwarding work. I am still hitting pretty much the same issue described here: https://github.com/PowerShell/Win32-OpenSSH/issues/1564
On my Windows endpoint I'm running gpg.exe version 2.4.0.49237 and in C:\Users\mate\AppData\Roaming\gnupg\gpg-agent.conf I have a single line enable-win32-openssh-support. Running gpg-connect-agent.exe reloadagent /bye I have a gpg-agent running. Get-Process gpg-agent shows that it's running. In my Windows env I have SSH_AUTH_SOCK set to \\.\pipe\openssh-ssh-agent and my Linux endpoint is configured in SSH config with

ForwardAgent yes
AddKeysToAgent yes
RemoteForward /run/user/1015/gnupg/S.gpg-agent C\:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra

As the remote end reports /run/user/1015/gnupg/S.gpg-agent that socket for agent-socket when issuing gpgconf --list-dirs and my local gpgconfg.exe --list-dirs reports C%3a\Users\mate\AppData\Local\gnupg\S.gpg-agent.extra where I transform %3a to \: manually. SSH authentication works perfectly, when connecting pinentry-qt pops up to unlock my key and when connecting to yet another machine, my SSH agent is forwarded again. However, gpg fails to use my agent. Issuing gpg --list-secret-keys --verbose prints the following to the console:

gpg --list-secret-keys --verbose
gpg: using pgp trust model
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: waiting for the agent to come up ... (5s)
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
getsockopt SO_ERROR failed
connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed.
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file

What is missing to tie the knot on both ends without having to resort to 3rd party tools like @rupor-github 's agent-gui? The remote gpg version is 2.2.19, is that the issue? Must that also be 2.3.9+?

Tue, Jan 31, 10:35 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Tue, Jan 24

werner added a comment to T6212: The ssh keys are no longer returned in the order from control file after T5996.

Let's first collect all keys, assign a priority, sort, and only then send them back to ssh.

Tue, Jan 24, 10:06 AM · gnupg24, ssh, Feature Request

Thu, Jan 19

werner updated the task description for T2760: Populate comment field when exporting authentication key for SSH.
Thu, Jan 19, 4:50 PM · gnupg24, ssh, Feature Request
werner removed a project from T5995: Better prompt with SETKEYDESC: gnupg (gpg23).
Thu, Jan 19, 4:47 PM · gnupg24, ssh, gpgagent, scd
werner removed a project from T6212: The ssh keys are no longer returned in the order from control file after T5996: gnupg (gpg23).
Thu, Jan 19, 4:44 PM · gnupg24, ssh, Feature Request
werner removed a project from T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent: gnupg (gpg23).
Thu, Jan 19, 4:44 PM · gnupg24, Documentation, ssh

Dec 22 2022

werner closed T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent as Resolved.
Dec 22 2022, 10:34 AM · Not A Bug, workaround, gnupg24, Windows, ssh
mfilippov added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Thanks all. It is a bug in Win32 OpenSSH. https://github.com/PowerShell/Win32-OpenSSH/issues/1953 it is already fixed. I think the issue will be resolved after the update is shipped. I could use ssh -T git@github.com as a workaround.

Dec 22 2022, 10:05 AM · Not A Bug, workaround, gnupg24, Windows, ssh
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Well, not our bug... it's a kind of support question and answer:
This might help: https://stackoverflow.com/questions/3844393/what-to-do-about-pty-allocation-request-failed-on-channel-0

Dec 22 2022, 1:00 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Dec 21 2022

werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

This does not look like a problem in GnuPG/gpg4win because gnupg implements the ssh-agent protocol and not the ssh server or client functionality. ssh tells sshd whether it shall allocate a PTY (Pseudo TTY). I don't use ssh with github but it is likely that you may only run commands (which don't require a PTY). Usually you would invoke a "git" command cia ssh.

Dec 21 2022, 12:10 PM · Not A Bug, workaround, gnupg24, Windows, ssh
mfilippov added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Authentication succeed if I pressed enter after:PTY allocation request failed on channel 0

Dec 21 2022, 10:58 AM · Not A Bug, workaround, gnupg24, Windows, ssh
mfilippov added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I try WinGPG 4.1.0, and I receive an error:
ssh git@github.com
PTY allocation request failed on channel 0

Dec 21 2022, 10:53 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Nov 25 2022

gniibe added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).

Implications are... you won't be possible to use new protocols introduced by newer OpenSSH:

Nov 25 2022, 12:54 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent

Nov 24 2022

amalon added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).

Thanks. Adding 'PubkeyAuthentication unbound' to my ~/.ssh/config seems to workaround it for me on openssh-9.1p1-3 (arch). I don't quite follow what the implications of that setting are though.

Nov 24 2022, 9:01 PM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent
gniibe renamed T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required) from OpenSSH 8.9 and 9.0 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required) to OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).
Nov 24 2022, 2:38 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent
gniibe added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).

In my cases (tested with 9.1), here are the length of data to be signed by ssh-agent (emulation by gpg-agent).

  • 164 bytes: Both features disabled by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com -o PubkeyAuthentication=unbound
  • 192 bytes: Unbound only by: ssh -o PubkeyAuthentication=unbound
  • 298 bytes: No Post Quantum only by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com
  • 330 bytes: Both features enabled (no options)
Nov 24 2022, 2:22 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent

Nov 22 2022

gniibe added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).

I tested with openssh 9.1. When I add -o PubkeyAuthentication=unbound, I can make the length of data smaller.

Nov 22 2022, 8:12 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent

Nov 9 2022

amalon added a comment to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required).
In T5931#165009, @alexk wrote:

A workaround you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:

KexAlgorithms -sntrup761x25519-sha512@openssh.com

For me ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com ... does work as well.

Nov 9 2022, 7:40 PM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent
alexk added a project to T5931: OpenSSH 8.9, 9.0, and 9.1 can't authenticate with gpg-agent and usb token (Gnuk >= 1.2.16 is required): workaround.

A workaround you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:

Nov 9 2022, 10:51 AM · gnupg24, workaround, Documentation, gnupg (gpg23), ssh, gpgagent

Nov 1 2022

gniibe edited projects for T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent, added: Documentation; removed Bug Report.

The problem here is how large the data to be signed is. It is an issue of protocol design. The protocols are explained in openssh/PROTOCOL.certkeys and openssh/PROTOCOL. Unfortunately, it seems that it was designed with not much consideration for smartcard use case, so, data to be signed may be longer (than the capability of smartcard).

Nov 1 2022, 12:59 AM · gnupg24, Documentation, ssh

Oct 31 2022

alca7raz added a comment to T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent.

Sadly, it doesn't work for me. But thank you.

Oct 31 2022, 11:31 AM · gnupg24, Documentation, ssh
gniibe added a comment to T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent.

I managed to find a way to minimize the data (less than the one on Oct 25).
And it somehow works for me.

Oct 31 2022, 7:52 AM · gnupg24, Documentation, ssh

Oct 30 2022

alca7raz added a comment to T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent.

So what should I do now? Should I report it to OpenSSH team?

Oct 30 2022, 5:03 PM · gnupg24, Documentation, ssh

Oct 28 2022

werner updated subscribers of T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.
Oct 28 2022, 3:56 PM · Not A Bug, workaround, gnupg24, Windows, ssh
werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Will go into 2.3.9 and gpg4win 4.0.5

Oct 28 2022, 3:56 PM · Not A Bug, workaround, gnupg24, Windows, ssh

Oct 27 2022

werner triaged T6250: GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent as Normal priority.
Oct 27 2022, 8:27 AM · gnupg24, Documentation, ssh

Oct 26 2022

gniibe changed the status of T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent from Open to Testing.
Oct 26 2022, 9:24 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Oct 14 2022

gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Pushed to master.

Oct 14 2022, 7:03 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Sep 19 2022

werner triaged T6212: The ssh keys are no longer returned in the order from control file after T5996 as Normal priority.

We want to get rid of sshcontrol but we could keep it as an optional configuration to sort keys. I won't say it is a bug, though.

Sep 19 2022, 8:19 PM · gnupg24, ssh, Feature Request
chyen added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I hacked configure.ac of gnupg to force it build with libgpg-error 1.45, and OpenSSH works with the created pipe. Maybe the libgpg-error fix is only necessary in some certain circumstances?

Sep 19 2022, 5:22 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Sep 7 2022

gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

It's not yet pushed, because it requires new release of libgpg-error (for T6112: libgpg-error,w32: bidirectional Pipe support for estream).

Sep 7 2022, 1:56 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Sep 6 2022

aheinecke added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I was looking for this when writing the update NEWS for the latest release and noticed that this has not been pushed yet. I really think that it would be nice to have that. Especially for Smartcard use cases.

Sep 6 2022, 11:53 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Aug 26 2022

gniibe closed T5984: gpg-agent interaction improvement (smartcard improvement #3) as Resolved.
Aug 26 2022, 7:28 AM · ssh, gpgagent, scd
gniibe removed a parent task for T5995: Better prompt with SETKEYDESC: T5984: gpg-agent interaction improvement (smartcard improvement #3).
Aug 26 2022, 7:28 AM · gnupg24, ssh, gpgagent, scd
gniibe removed a subtask for T5984: gpg-agent interaction improvement (smartcard improvement #3): T5995: Better prompt with SETKEYDESC.
Aug 26 2022, 7:28 AM · ssh, gpgagent, scd

Aug 24 2022

werner closed T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com as Resolved.
Aug 24 2022, 5:28 PM · workaround, gnupg (gpg23), ssh, Bug Report, scd

Aug 19 2022

chyen added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Probably, PIPE_REJECT_REMOTE_CLIENTS mode and lpSecurityAttributes=NULL is OK.

Aug 19 2022, 7:57 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Aug 15 2022

Saklad5 added a comment to T4260: export all valid authentication subkeys in --export-ssh-key.

Any progress on this?

Aug 15 2022, 4:11 PM · ssh, Feature Request

Jul 28 2022

gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Probably, PIPE_REJECT_REMOTE_CLIENTS mode and lpSecurityAttributes=NULL is OK.

Jul 28 2022, 9:00 AM · Not A Bug, workaround, gnupg24, Windows, ssh
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Here is the parser output:

$ python3 sd.py --type=pipe "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)"
D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)
    Discretionary ACL: P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)
        Flags: P: SE_DACL_PROTECTED (Blocks inheritance of parent's ACEs)
Jul 28 2022, 8:39 AM · Not A Bug, workaround, gnupg24, Windows, ssh
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I think that the last argument of CreateNamedPipeA can limit the access to the named pipe.

Jul 28 2022, 8:20 AM · Not A Bug, workaround, gnupg24, Windows, ssh
gniibe added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Here is a patch to implement the functionality with --enable-win32-openssh-support.

Jul 28 2022, 6:30 AM · Not A Bug, workaround, gnupg24, Windows, ssh

Jul 18 2022

kmhuntly closed T6074: gpg v2.3.6 doesnt work with ssh as Resolved.

as of 2.3.7 (which I just updated to) this works. ticket can be closed

Jul 18 2022, 12:48 PM · Info Needed, gnupg (gpg23), ssh, Bug Report
gniibe added projects to T6074: gpg v2.3.6 doesnt work with ssh: ssh, gnupg (gpg23), Info Needed.

Please give us more information.

  • Do you change SSH program?
  • Do you mean, reinstalling gpg 2.3.4 fixes your issue?
  • Are you using with smartcard/token? Which one (Yubikey/Zeitcontrol/Gnuk), if it's the case?
Jul 18 2022, 10:31 AM · Info Needed, gnupg (gpg23), ssh, Bug Report

Jul 12 2022

gniibe added a project to T5935: scd: SSH emulation of gpg-agent doesn't work well with sntrup761x25519-sha512@openssh.com: backport.

I'm going to backport this to 2.2, as it found useful.

Jul 12 2022, 9:09 AM · workaround, gnupg (gpg23), ssh, Bug Report, scd