FS#76245 - GPG-Agent doesn't work properly with smart cards and ed25519 keys and SSH Agent

Attached to Project: Arch Linux
Opened by John Doe (noble.egg7187) - Wednesday, 19 October 2022, 06:16 GMT
Last edited by Toolybird (Toolybird) - Friday, 04 November 2022, 05:36 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
I was setting up my sshd with certificate authorization. I tried to sign my ed25519 key on my yubikey, but when I tried to log in with this cert, it failed.
It works fine with secp256&384&512 key on smart card and ed25519 key stored locally. I tried on my yubikey 5 and canokey, and they both failed.
I found https://bugs.archlinux.org/task/74423 but it didn't work for me.

Additional info:
* package version(s)
gnupg 2.2.39-1 openssh 9.1p1-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
1. Set up gpg-agent normally
2. Create a user CA
ssh-keygen -t ed25519 -f user_ca -C user_ca
3. Add CA pubkey to server
sed 's/^/cert-authority /' user_ca.pub >> ~/.ssh/authorized_keys
4. Add an ed25519 A key to a gpg smart card and export its ssh public key to id_ed25519.pub
5. Sign a certificate for the ssh pubkey above
ssh-keygen -s user_ca -I user -n USERNAME id_ed25519.pub
6. Login with the certificate
ssh -i id_ed25519-cert.pub localhost

Then it will show 'sign_and_send_pubkey: signing failed for ED25519 "cardno:xxxxxx": agent refused operation'.
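The reproduction above needs an sshd, a CA and a certificate in the loop. The script below is an added diagnostic (not part of the report or of gnupg/openssh) that isolates the agent step: it asks the agent behind SSH_AUTH_SOCK to sign and verify with every identity it advertises via `ssh-add -T`, and tags the gpg-agent card identities by their `cardno:` comment, so an "agent refused operation" on the card's ed25519 key shows up with nothing else involved. The sample identity line is constructed and its key blob is not a real key.

```shell
#!/bin/sh
# Added diagnostic: per-identity sign-and-verify round trip through the agent
# behind SSH_AUTH_SOCK (gpg-agent in ssh-agent mode), no server needed.

# Constructed sample `ssh-add -L` line; the blob is not a real key.
SAMPLE_CARD_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5vdGFyZWFsa2V5 cardno:000600000000'

# Classify one `ssh-add -L` line: prints "card <type>" when gpg-agent reports a
# smart-card identity (comment starts with cardno:), else "soft <type>".
classify_identity() {
    set -- $1                      # word-split into: type blob comment...
    [ $# -ge 2 ] || { echo 'unknown -'; return 1; }
    _type=$1; shift 2
    case "$*" in
        cardno:*) printf 'card %s\n' "$_type" ;;
        *)        printf 'soft %s\n' "$_type" ;;
    esac
}

# Write one identity line to a temp pubkey file and have the agent sign and
# verify with it (`ssh-add -T` exits non-zero if the agent refuses).
test_identity() {
    _tmp=$(mktemp) || return 2
    printf '%s\n' "$1" >"$_tmp"
    ssh-add -T "$_tmp" >/dev/null 2>&1
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Walk every identity the agent advertises and report which ones can sign.
check_agent() {
    [ -n "$SSH_AUTH_SOCK" ] || { echo 'SSH_AUTH_SOCK is not set' >&2; return 2; }
    ssh-add -L | while IFS= read -r line; do
        case "$line" in ssh-*|ecdsa-*|sk-*) ;; *) continue ;; esac  # skip "no identities"
        set -- $(classify_identity "$line")
        if test_identity "$line"; then res=OK; else res='FAIL (agent refused or bad signature)'; fi
        printf '%-4s %-22s %s\n' "$1" "$2" "$res"
    done
}

# Run the live check only when invoked as `sh thisfile.sh --run`.
if [ "${1:-}" = '--run' ]; then check_agent; fi
```

A `card ssh-ed25519 ... FAIL` line next to `card ecdsa-sha2-nistp256 ... OK` reproduces the report's pattern without sshd or a certificate.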

Closed by Toolybird (Toolybird)
Friday, 04 November 2022, 05:36 GMT
Reason for closing: Upstream
Additional comments about closing: See comments
Comment by Toolybird (Toolybird) - Wednesday, 19 October 2022, 08:15 GMT
> gnupg 2.2.39-1

Any difference if you update to latest? (2.2.40-1)
Comment by John Doe (noble.egg7187) - Wednesday, 19 October 2022, 11:54 GMT
No. It still doesn't work.
Comment by Toolybird (Toolybird) - Wednesday, 19 October 2022, 23:24 GMT
Ok. There are no other reports about this so there's a strong possibility this is a config problem on your system and/or an upstream issue. Please:

- take it to the proper support channels (forum/IRC/etc) to try and seek some help in debugging the problem
- report it upstream

Please let us know what you find out.
Comment by John Doe (noble.egg7187) - Thursday, 20 October 2022, 04:48 GMT
I have reported it upstream. But it seems they have no interest in fixing this. https://dev.gnupg.org/T6250
Comment by zamlz (zamlz) - Friday, 21 October 2022, 23:29 GMT
Hi, I can confirm that I have a similar issue.
It's not quite the same, but for years now I have used my yubikey to house my gpg keys and I've used them with SSH.
Now it looks like my ssh agent is failing to make the connection.

> no such identity: /home/amlesh/.ssh/id_rsa: No such file or directory

I am now unable to login to my devices.
I'm not sure if this is related to this issue, but it does seem like it.

Comment by zamlz (zamlz) - Saturday, 22 October 2022, 15:34 GMT
Disregard my last statement, I accidentally overwrote my public key with garbage data recently.
I have fixed the issue, therefore I will be removing my vote.
Comment by Toolybird (Toolybird) - Friday, 04 November 2022, 05:36 GMT
There is further detailed info in the linked upstream issue pointing towards a general incompatibility between ed25519 and smartcard usage. Any way you look at it, this doesn't appear to be an Arch packaging bug.
