ssh Project

Recent Activity

Sat, Sep 26

werner claimed T5084: Using GPGWin 3.1.13, Putty fails to load the private key from a YubiKey.

That code in gnupg has not been touched in a very long time so this may be caused by some side effect.

Sat, Sep 26, 2:29 PM · ssh, gnupg (gpg22), Bug Report, gpg4win

Fri, Sep 11

gniibe added a project to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation): Testing.
Fri, Sep 11, 2:20 AM · Testing, ssh, Bug Report
gniibe changed the status of T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation) from Open to Testing.

Fixed in Gnuk 1.2.16, although it is still limited by the I/O buffer size.

Fri, Sep 11, 2:19 AM · Testing, ssh, Bug Report

Fri, Sep 4

bvieira added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

So, if there's no support for native OpenSSH yet, I'll wait for it. After it's supported, I should be able to get the scenery I described working, right?

Fri, Sep 4, 1:52 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Unfortunately you can't pass extra arguments.

Fri, Sep 4, 7:47 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
gniibe added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

Thanks for your information. No debug output any more, as I already figured out things.

Fri, Sep 4, 1:53 AM · Testing, ssh, Bug Report

Thu, Sep 3

ccx added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

In the case of an Ed25519 certificate signed by an Ed25519 key with only a few names and flags, it seems to be just below 500 bytes. This could of course grow if names are added or a larger public key is being signed.

Thu, Sep 3, 5:14 PM · Testing, ssh, Bug Report
gpguser123 added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@bvieira You need to set pinentry-mode=loopback for gpg program used in git.

Thu, Sep 3, 4:22 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
gniibe added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

Well, from the viewpoint of the card specification, "a message M of arbitrary size" for Ed25519/Ed448 in RFC8032 is not good, because the card has a limit on its buffer size and the protocol in the OpenPGP card specification requires the steps of (1) the message M is buffered and then (2) the signature is computed.

Thu, Sep 3, 3:15 AM · Testing, ssh, Bug Report

Wed, Sep 2

bvieira added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I'm actually trying to do the following:

Wed, Sep 2, 2:10 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
avemilia added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

In the meantime you can use [0]. I have tested with an ssh key on a YubiKey and AuthenticationMethods publickey; win32-ssh (or ssh-portable, which is the new repository name) correctly works with gpg and pinentry is called.

Wed, Sep 2, 1:59 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
gniibe claimed T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).
Wed, Sep 2, 5:42 AM · Testing, ssh, Bug Report
gniibe added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

I just confirmed that Gnuk has a limitation that the input length must be less than or equal to 256.
So, this is an issue of Gnuk, not GnuPG.

Wed, Sep 2, 5:40 AM · Testing, ssh, Bug Report
gniibe added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

Please show us a concrete example of the debug output by scdaemon when you run ssh-keygen.
You can have a setup in .gnupg/scdaemon.conf like:

Wed, Sep 2, 5:11 AM · Testing, ssh, Bug Report

Tue, Sep 1

ccx updated the task description for T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).
Tue, Sep 1, 4:24 PM · Testing, ssh, Bug Report
ccx added a comment to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation).

I meant scdaemon rather than OpenSC. I'll correct the description.

Tue, Sep 1, 4:23 PM · Testing, ssh, Bug Report
werner added a project to T5041: gpg-agent/scdaemon/gnuk unable to sign ssh certificate (Couldn't certify key … via agent: agent refused operation): ssh.

gpg-agent has only very limited support for ssh certificates, which is the reason that your command fails.

Tue, Sep 1, 2:47 PM · Testing, ssh, Bug Report

Jul 20 2020

bvieira added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Any news on this?

Jul 20 2020, 12:48 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Jul 14 2020

werner closed T4979: enable-ssh-support in windows is broken. as Invalid.
Jul 14 2020, 10:32 AM · ssh, Duplicate, Bug Report

Dec 12 2019

werner added a project to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent: gnupg (gpg23).
Dec 12 2019, 1:08 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
werner claimed T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.
Dec 12 2019, 1:07 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

Although I don't use the ssh client on Windows, I had to integrate the Windows ssh server into our release process (GlobalSign sent us a Windows-only token for the new cert, so we can no longer use osslsigncode). The ssh server is really stable and so it makes a lot of sense to better integrate our ssh-agent into Windows.

Dec 12 2019, 1:07 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Oct 14 2019

npreining added a comment to T2760: Populate comment field when exporting authentication key for SSH.

@werner Yes, that sounds great and would already help a lot, but extending it to card keys would be optimal. Thanks for your work.

Oct 14 2019, 12:58 PM · ssh, gnupg (gpg23), Feature Request
werner edited projects for T2760: Populate comment field when exporting authentication key for SSH, added: gnupg (gpg23), ssh; removed gnupg.

In master (to be 2.3) you can add a Label: line into the sub key file of on-disk keys. I have used this for quite some time now to show me a label for my on-disk ssh keys so that I know which one was requested. We can and should extend this to card keys.

Oct 14 2019, 9:28 AM · ssh, gnupg (gpg23), Feature Request

May 21 2019

werner closed T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte as Resolved.

Also fixed for 2.2.

May 21 2019, 9:16 AM · gpgagent, ssh
werner added a commit to T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte: rG6e39541f4f48: agent: For SSH key, don't put NUL-byte at the end..
May 21 2019, 9:16 AM · gpgagent, ssh
gniibe added a commit to T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte: rG479f7bf31ce4: agent: For SSH key, don't put NUL-byte at the end..
May 21 2019, 8:54 AM · gpgagent, ssh
gniibe claimed T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte.

I located the bug in agent/command-ssh.c.
Our practice is two calls of gcry_sexp_sprint: one to determine the length including the last NUL byte, and another to actually fill the buffer.
The first call returns +1 for the NUL byte.
The second call fills NUL at the end, but returns +0 length (length sans the last NUL).

May 21 2019, 8:48 AM · gpgagent, ssh

May 15 2019

werner closed T4490: --export-secret-keys fails with unusually-created secret key as Resolved.

Applied to master and 2.2. Thanks.

May 15 2019, 9:04 AM · ssh, gnupg (gpg22)
werner added a commit to T4490: --export-secret-keys fails with unusually-created secret key: rG9c704d9d4633: gpg: enable OpenPGP export of cleartext keys with comments.
May 15 2019, 9:03 AM · ssh, gnupg (gpg22)
werner added a commit to T4490: --export-secret-keys fails with unusually-created secret key: rG392e59a3d487: gpg: enable OpenPGP export of cleartext keys with comments.
May 15 2019, 9:03 AM · ssh, gnupg (gpg22)

May 14 2019

werner raised the priority of T4490: --export-secret-keys fails with unusually-created secret key from Normal to High.
May 14 2019, 4:39 PM · ssh, gnupg (gpg22)
dkg added a comment to T4490: --export-secret-keys fails with unusually-created secret key.

I think this patch should be backported to STABLE-BRANCH-2-2.

May 14 2019, 6:35 AM · ssh, gnupg (gpg22)
dkg added a comment to T4490: --export-secret-keys fails with unusually-created secret key.

I've just pushed 29adca88f5f6425f5311c27bb839718a4956ec3a to the dkg/fix-T4490 branch, which I believe fixes this issue.

May 14 2019, 3:43 AM · ssh, gnupg (gpg22)
dkg added a comment to T4490: --export-secret-keys fails with unusually-created secret key.

And, I just discovered that when I manually edit the key to remove the (comment) list from the *.key S-expression file, the final --export-secret-key works fine. So the failure appears to be due to the presence of the (comment) clause. (Same as in T4501.)

May 14 2019, 1:48 AM · ssh, gnupg (gpg22)

May 12 2019

werner triaged T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte as Normal priority.

I often put an extra NUL byte at the end of binary data so that accidentally printing the data (e.g. in gdb) assures that there is a string terminator. But right, it should not go out to a file.

May 12 2019, 8:16 PM · gpgagent, ssh
dkg created T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte.
May 12 2019, 12:37 AM · gpgagent, ssh

May 10 2019

dkg added a comment to T4490: --export-secret-keys fails with unusually-created secret key.

I was trying to use the above technique to be able to generate an OpenPGP transferable secret key in an ephemeral homedir. Ephemeral directories are recommended in the GnuPG info page's "unattended usage" section, but they do not work here.

May 10 2019, 10:45 PM · ssh, gnupg (gpg22)
werner triaged T4490: --export-secret-keys fails with unusually-created secret key as Normal priority.
May 10 2019, 10:20 AM · ssh, gnupg (gpg22)

Mar 5 2019

werner closed T4387: Export ssh key fails (brainpoolP256r1) as Resolved.

ssh does not support brainpool curves and thus GnuPG does not know how to map its internal name of the curve to the name as specified by ssh. GnuPG supports these curves:

Mar 5 2019, 8:23 AM · ssh, Not A Bug

Dec 13 2018

gniibe closed T3880: gpg-agent's ssh-agent does not handle flags in signing requests properly as Resolved.
Dec 13 2018, 3:42 PM · ssh, gpgagent, Bug Report

Nov 16 2018

anarcat created T4261: create matching --import-ssh-key.
Nov 16 2018, 6:38 PM · ssh
werner triaged T4260: export all valid authentication subkeys in --export-ssh-key as Low priority.
Nov 16 2018, 9:11 AM · ssh, Feature Request

Oct 29 2018

werner triaged T4167: Pinentry prompt is confusing with regards to multiple smartcards when gpg-agent is used as ssh-agent as Normal priority.
Oct 29 2018, 9:46 AM · Feature Request, ssh, gpgagent
werner added a comment to T4167: Pinentry prompt is confusing with regards to multiple smartcards when gpg-agent is used as ssh-agent.

We had this idea to have a label: or similar item in the extended-key-format which is displayed in addition to the other info. The user can then use an editor to put whatever she likes into this field.

Oct 29 2018, 9:46 AM · Feature Request, ssh, gpgagent

Oct 19 2018

gniibe added a comment to T4167: Pinentry prompt is confusing with regards to multiple smartcards when gpg-agent is used as ssh-agent.

there should be clearer labelling of smartcards so that users can tell them apart more easily

Oct 19 2018, 6:17 AM · Feature Request, ssh, gpgagent

Oct 5 2018

werner added projects to T4167: Pinentry prompt is confusing with regards to multiple smartcards when gpg-agent is used as ssh-agent: gpgagent, ssh.
Oct 5 2018, 9:44 AM · Feature Request, ssh, gpgagent

May 16 2018

ccharabaruk added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

@werner I was hoping to make a modified gpg-agent build that would let me walk through what's going on after the nonce is sent, but it looks like the gpg4win process only takes in a package of pre-built gpg binaries, which rules that out. As far as I can figure out, after the nonce is read and accepted, libassuan creates a stream object out of the socket and then, finding nothing in the stream, terminates the ssh handler. We send the actual client request immediately after the nonce but in a separate call to send(), so I now wonder if, by not having anything read in at the same time as the nonce, gpg-agent or libassuan thinks that it's a 0-length stream.

May 16 2018, 6:54 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request

Apr 21 2018

ccharabaruk added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

I just took a look through assuan-socket.c and it appears that we just need to send the nonce and don't need to read anything back. We also found a bug on our side that was preventing the nonce from being sent, which has been fixed. The error message logged above no longer happens.

Apr 21 2018, 9:16 PM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request
werner added a comment to T3883: Add Win32-OpenSSH support to gpg-agent's ssh-agent.

The nonce is a string of octets, thus it needs to be passed verbatim. I would need to study the code in libassuan/src/assuan-socket.c to tell more.

Apr 21 2018, 12:11 AM · gnupg (gpg23), Windows, ssh, gpgagent, Feature Request