FS#40552 - [gnupg] can't add ECDSA ssh key to gpg-agent

Attached to Project: Arch Linux
Opened by viq (viq) - Sunday, 25 May 2014, 21:14 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 23 June 2014, 17:14 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
I'm trying to make gpg-agent work as ssh-agent as well, and while it adds RSA keys just fine, it refuses to add an ECDSA key despite the wiki claiming it should: https://wiki.archlinux.org/index.php/Ssh_keys#GnuPG_Agent

I'm using gnome, but I made sure that keyring is disabled for ssh and gpg:
$ env | egrep '(SSH|GPG)'
SSH_AGENT_PID=863
GPG_AGENT_INFO=/tmp/gpg-SFziBP/S.gpg-agent:863:1
SSH_AUTH_SOCK=/tmp/gpg-yLa85e/S.gpg-agent.ssh
SSH_ASKPASS=/usr/lib/ssh/x11-ssh-askpass


Additional info:
* package version(s) - gnupg 2.0.22-2
* config files:

$ cat .gnupg/gpg.conf | grep -v ^# | grep -v ^$
require-cross-certification
keyserver hkp://keys.gnupg.net
use-agent

$ cat .gnupg/gpg-agent.conf
enable-ssh-support

# Cache settings
default-cache-ttl 10800
default-cache-ttl-ssh 10800

# Environment file
write-env-file /home/viq/.gnupg/gpg-agent.env

# Keyboard control
#no-grab

# PIN entry program
pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-qt4
#pinentry-program /usr/bin/pinentry-kwallet
#pinentry-program /usr/bin/pinentry-gtk-2

$ cat /etc/profile.d/gpg-agent.sh
if [ $EUID -ne 0 ] ; then
    envfile="$HOME/.gnupg/gpg-agent.env"
    logfile="$HOME/.gnupg/gpg-agent.log"
    if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
        eval "$(cat "$envfile")"
    else
        eval "$(gpg-agent --daemon --verbose --enable-ssh-support --write-env-file "$envfile" --log-file "$logfile")"
    fi
    export GPG_AGENT_INFO # the env file does not contain the export statement
    export SSH_AUTH_SOCK # enable gpg-agent for ssh
fi

Steps to reproduce:
$ ssh-keygen -t ecdsa -b 521
$ ssh-add .ssh/id_ecdsa
Enter passphrase for .ssh/id_ecdsa:
SSH_AGENT_FAILURE
Could not add identity: .ssh/id_ecdsa


Closed by  Gaetan Bisson (vesath)
Monday, 23 June 2014, 17:14 GMT
Reason for closing:  Fixed
Additional comments about closing:  gnupg-2.0.23-2 in [testing]
Comment by Gaetan Bisson (vesath) - Sunday, 25 May 2014, 22:28 GMT
I believe handling ECDSA keys with gpg-agent is not yet supported by a stable GnuPG release.
Comment by viq (viq) - Sunday, 25 May 2014, 22:33 GMT
Arch wiki and gnupg changelogs claim it is, and someone on #gnupg on FreeNode was able to do it with 2.0.22
Comment by Gaetan Bisson (vesath) - Monday, 26 May 2014, 00:04 GMT
Hum. You are right. This should work. However I've never used agents much. I can reproduce your issue here, but any further insight is welcome.
Comment by Gaetan Bisson (vesath) - Monday, 26 May 2014, 00:19 GMT
Did this ever use to work? Could you perhaps try to see if downgrading libgcrypt helps?
Comment by viq (viq) - Monday, 26 May 2014, 21:04 GMT
I didn't really try it before, so I can't say. I haven't yet been able to downgrade libgcrypt further than 1.6.0-1, and there it still didn't work.
Comment by Gaetan Bisson (vesath) - Friday, 06 June 2014, 11:39 GMT
Is this fixed with 2.0.23; if not, is Arch the only platform where this fails?
Comment by viq (viq) - Tuesday, 10 June 2014, 06:13 GMT
It still fails. I haven't really had a chance to test on other platforms; I'll try, but I can't say how long it'll take me.
Comment by Gaetan Bisson (vesath) - Tuesday, 10 June 2014, 09:43 GMT
Thanks. It would be really helpful to know if this is an upstream issue or if we are doing something wrong in Arch.
Comment by zless (roentgen) - Tuesday, 10 June 2014, 20:53 GMT
For the record, I did try to add ECDSA keys too, more than half a year ago, and it didn't work back then either.

I think back then it was at version 2.0.22.
Comment by Celti Burroughs (Celti) - Thursday, 19 June 2014, 23:35 GMT
ECDSA keys (and in fact all ECC) in gpg-agent broke with libgcrypt 1.6.0 and were only recently (April, I believe) fixed in gnupg git. It's an upstream issue and not an Arch issue, but I'm afraid I don't have specific commits or bug reports to point to.
Comment by Anatol Pomozov (anatolik) - Thursday, 19 June 2014, 23:38 GMT
I see this problem as well.

According to the mail thread "gpg-agent: SSH_AGENT_FAILURE when adding an ECDSA key" in arch-general, the recent libgcrypt 1.6+ update broke ECDSA in gpg-agent. One person also claims that the gnupg master branch has a fix, but looking through the git log [1] I can't find any obvious commit.

[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=summary
Comment by Anatol Pomozov (anatolik) - Thursday, 19 June 2014, 23:41 GMT
Comment by Anatol Pomozov (anatolik) - Saturday, 21 June 2014, 06:34 GMT
I looked at the list of API changes for libgcrypt 1.6.0, http://upstream-tracker.org/changelogs/libgcrypt/1.6.0/changelog.html, and see "The algorithm ids GCRY_PK_ECDSA and GCRY_PK_ECDH are now deprecated. Use GCRY_PK_ECC if you need an algorithm id.".

The libgcrypt functions such as gcry_pk_map_name() return GCRY_PK_ECC instead of GCRY_PK_ECDSA. So I modified gnupg 2.0.23 sources with this patch:

diff --git a/common/ssh-utils.c b/common/ssh-utils.c
index d8f057d..987966f 100644
--- a/common/ssh-utils.c
+++ b/common/ssh-utils.c
@@ -89,7 +89,7 @@ get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len,
elems = "pqgy";
gcry_md_write (md, "\0\0\0\x07ssh-dss", 11);
break;
- case GCRY_PK_ECDSA:
+ case GCRY_PK_ECC:
/* We only support the 3 standard curves for now. It is just a
quick hack. */
elems = "q";
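Review bot: the new `case GCRY_PK_ECC:` label matches every key libgcrypt 1.6 reports as ECC, not only ECDSA keys, while the comment under it ("We only support the 3 standard curves for now") still describes an ECDSA-only path; since the 1.6 changelog quoted above says GCRY_PK_ECDSA is deprecated rather than removed, and an older libgcrypt still returns it from gcry_pk_map_name(), consider keeping both labels (`case GCRY_PK_ECDSA:` directly followed by `case GCRY_PK_ECC:`) so one build handles either id, and grep for any other switch on GCRY_PK_ECDSA in the ssh support code, since the comment itself says it is unknown whether this single change covers all of the libgcrypt 1.6 fallout.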



Now I am able to add an ECDSA key via ssh-add:

[anatol@argo gnupg]$ ps ax | grep agent
8921 ? Ss 0:00 gpg-agent --daemon --enable-ssh-support
[anatol@argo gnupg]$ echo $SSH_AUTH_SOCK
/tmp/gpg-MQPevx/S.gpg-agent.ssh
[anatol@argo gnupg]$ echo $SSH_AGENT_PID
8921
[anatol@argo gnupg]$ ssh-add -l
2048 f4:a7:bd:43:fc:aa:ab:f2:f2:ff:6b:f3:9b:37:96:be /home/anatol/.ssh/id_rsa (RSA)
521 87:e8:e1:f6:1b:64:aa:58:ff:97:1a:20:5d:91:46:d7 /home/anatol/.ssh/id_ecdsa (ECDSA)



I do not know if this 1-line change is enough to fix all the libgcrypt 1.6 problems - I'm still waiting for a reply from the gnupg developers. But at least I can 'ssh' into my machine without typing the passphrase.
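To make the patched code path concrete, the following is an added example of my own, not GnuPG code: it does in Python what get_fingerprint() in common/ssh-utils.c does for the ssh-add -l listing above, namely serialise a public key into SSH wire format (length-prefixed fields), hash that blob with MD5 and print the colon-separated digest. The set of fields that goes into the blob depends on the algorithm ("pqgy" for ssh-dss, a single "q" for ECDSA), which is exactly why the GCRY_PK_ECDSA to GCRY_PK_ECC dispatch matters. The sample blobs are constructed placeholders, not real keys, and the SUPPORTED_CURVES table is my assumed reading of the hunk's "3 standard curves" comment (nistp256, nistp384 and nistp521).

```python
"""ssh-add -l style (MD5, colon separated) fingerprints from SSH public key blobs.

Added illustration of what get_fingerprint() in GnuPG's common/ssh-utils.c
does: serialise the key in SSH wire format, hash it, print the digest.
Which fields make up the blob depends on the algorithm id the key maps to.
"""
import base64
import hashlib
import struct

# Assumed reading of the hunk's "3 standard curves" comment: the NIST prime
# curves OpenSSH names nistp256/384/521, mapped to the size ssh-add -l prints.
SUPPORTED_CURVES = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """A non-negative integer as an SSH mpint (big-endian, sign bit kept clear)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_fields(blob: bytes) -> list:
    """Split a blob into its length-prefixed fields, rejecting truncated input."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def describe_key(blob: bytes) -> tuple:
    """Return (bits, fingerprint, algorithm) as ssh-add -l prints them for one key."""
    fields = read_fields(blob)
    if not fields:
        raise ValueError("empty key blob")
    keytype = fields[0].decode("ascii", "replace")
    if keytype == "ssh-rsa" and len(fields) == 3:
        # "ssh-rsa", mpint e, mpint n: the size shown is the modulus bit length
        bits, algo = int.from_bytes(fields[2], "big").bit_length(), "RSA"
    elif keytype == "ssh-dss" and len(fields) == 5:
        # "ssh-dss", mpint p, q, g, y: the "pqgy" elements hashed in the hunk
        bits, algo = int.from_bytes(fields[1], "big").bit_length(), "DSA"
    elif keytype.startswith("ecdsa-sha2-") and len(fields) == 3:
        # "ecdsa-sha2-<curve>", string curve, string Q: the single "q" element
        curve = fields[1].decode("ascii", "replace")
        if curve != keytype[len("ecdsa-sha2-"):]:
            raise ValueError("curve name does not match key type")
        if curve not in SUPPORTED_CURVES:
            raise ValueError("unsupported curve: " + curve)
        bits, algo = SUPPORTED_CURVES[curve], "ECDSA"
    else:
        raise ValueError("unsupported or malformed key: " + keytype)
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return bits, fingerprint, algo


def describe_pub_line(line: str) -> tuple:
    """Same as describe_key() for a 'type base64 [comment]' line from a .pub file."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if read_fields(blob)[:1] != [keytype.encode("ascii")]:
        raise ValueError("key type on the line does not match the blob")
    return describe_key(blob)


def accepted(blob: bytes) -> bool:
    """True if the logic above would take this key, False if it would refuse it."""
    try:
        describe_key(blob)
        return True
    except ValueError:
        return False


# Constructed sample blobs (not real keys): a 2048-bit RSA modulus, a nistp521
# uncompressed point of the right length (1 + 2 * 66 bytes), and a nistp224 key
# that falls outside the supported-curve table.
SAMPLE_RSA = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0x10001)
SAMPLE_ECDSA = (ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
                + ssh_string(b"\x04" + b"\x11" * 132))
SAMPLE_BAD_CURVE = (ssh_string(b"ecdsa-sha2-nistp224") + ssh_string(b"nistp224")
                    + ssh_string(b"\x04" + b"\x11" * 56))
SAMPLE_RSA_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_RSA).decode("ascii") + " constructed"

if __name__ == "__main__":
    for blob in (SAMPLE_RSA, SAMPLE_ECDSA, SAMPLE_BAD_CURVE):
        if accepted(blob):
            bits, fpr, algo = describe_key(blob)
            print(bits, fpr, "(" + algo + ")")
        else:
            print("rejected:", read_fields(blob)[0].decode("ascii", "replace"))
```

Run it directly to get one listing line per accepted sample in the same shape as the ssh-add -l output above, and a "rejected:" line for the nistp224 key; the refusal is the Python counterpart of the SSH_AGENT_FAILURE the reporter saw when the agent's switch did not recognise the key's algorithm id.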
Comment by Anatol Pomozov (anatolik) - Monday, 23 June 2014, 14:22 GMT
My patch has been applied to the gnupg stable branch, sha=ceef5568d53b286efe639c6fd1d37f154be133ef. Gaetan, would you mind reassigning this ticket to me so I can create/test gnupg 2.0.23-2 with this fix?
Comment by Gaetan Bisson (vesath) - Monday, 23 June 2014, 16:48 GMT
Thanks Anatol, but I'm happy to do it too; I just wanted to see how upstream would react to your patch.
