sshd authentication problem with gpg-agent and OpenPGP card

Joerg Schmitz-Linneweber joerg at schmitz-linneweber.de
Tue Dec 5 10:15:16 CET 2006


Hi all!

I recently found a problem when using OpenPGP cards with gpg-agent in
combination with ssh/sshd.
Technical details follow:

--- snip -----------------------
> gpg-agent --version
gpg-agent (GnuPG) 2.0.0
--- snip -----------------------
> rpm -qf `which ssh-add`
openssh-3.9p1-12.10
--- snip -----------------------
> ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
--- snip -----------------------
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
--- snip -----------------------

OK. Connecting to the remote via:
> ssh -vvvvi ~/.ssh/id_dsa remote_host
works perfectly (no card involved)
but:
> ssh -vvvv remote_host
tries to use the card and results in:

--- snip -----------------------
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
--- snip -----------------------

and the log on the remote machine explains this abrupt connection loss:

--- snip -----------------------
Dec  5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative numbers not supported
Dec  5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative numbers not supported
--- snip -----------------------

The last snippet shows what's going on in gpg-agent:

--- snip -----------------------
[client at fd 4 connected]
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 gestartet
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) started
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon established (reusing)
[client at fd 5 connected]
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $AUTHKEYID
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $AUTHKEYID OPENPGP.3
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR SERIALNO
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S SERIALNO my_serial_info
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- READKEY OPENPGP.3
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> [ xx xx...(all bytes skipped) ]
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $DISPSERIALNO
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $DISPSERIALNO the_displayable_serialno
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) ready
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- RESTART
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 beendet
--- snip -----------------------

So gpg-agent in conjunction with this ssh version might deliver invalid
data to the waiting ssh daemon. I found nothing particular on the
mentioned bignum package in sshd though... :-(

Does anybody know what's going on with OpenPGP card authentication? Werner? :-)

Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512
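What the sshd fatal quoted above means at the wire level, as an added example that is not part of Jörg's post and is not GnuPG or OpenSSH code: OpenSSH's buffer_get_bignum2 reads an RFC 4251 mpint and aborts when the first byte of the value has its high bit set, because that is how a negative two's-complement number is encoded. Every 1024-bit RSA modulus has its top bit set, so a correct encoder must prepend a 0x00 pad byte; an agent that hands out the raw magnitude produces an ssh-rsa blob that the client passes on unchanged in its publickey offer and that sshd rejects with exactly the message in the log. The script below encodes a constructed placeholder modulus (not a card key, not a real RSA key) both ways and runs a parser that mirrors sshd's check over each blob. The mpint rules are from RFC 4251 section 5; the blob layout ("ssh-rsa", e, n) is from RFC 4253 section 6.6.

```python
"""RFC 4251 mpint encoding and the check behind
"buffer_get_bignum2: negative numbers not supported".

Added example; not from the mailing-list post or from GnuPG/OpenSSH.
"""
import struct

# Constructed placeholder values, labelled as such: e is the usual 65537,
# n is a 1024-bit odd number with its top bit set. Not a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x10001


def encode_string(s: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def encode_mpint(n: int) -> bytes:
    """Correct SSH mpint (RFC 4251 s.5): two's-complement big-endian bytes.

    A non-negative value whose first magnitude byte has the high bit set
    must be prefixed with 0x00, otherwise the receiver reads it as negative.
    """
    if n < 0:
        raise ValueError("negative values are not handled by this helper")
    if n == 0:
        return struct.pack(">I", 0)          # zero is the empty string
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if mag[0] & 0x80:
        mag = b"\x00" + mag                  # sign pad keeps the value positive
    return struct.pack(">I", len(mag)) + mag


def encode_mpint_unpadded(n: int) -> bytes:
    """Deliberately faulty encoder: raw magnitude, no sign pad byte."""
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">I", len(mag)) + mag


def rsa_pubkey_blob(e: int, n: int, encoder=encode_mpint) -> bytes:
    """ssh-rsa public key blob (RFC 4253 s.6.6): string "ssh-rsa", mpint e, mpint n.

    This is the object an agent returns for ssh-add -l and the client sends
    in its publickey offer.
    """
    return encode_string(b"ssh-rsa") + encoder(e) + encoder(n)


class NegativeMpint(ValueError):
    """Raised where OpenSSH would call fatal() in buffer_get_bignum2."""


def get_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def get_bignum2(buf: bytes, off: int):
    """Mirror of OpenSSH's buffer_get_bignum2: a set high bit in the first
    byte means a negative number, which sshd refuses to accept."""
    data, off = get_string(buf, off)
    if data and data[0] & 0x80:
        raise NegativeMpint("buffer_get_bignum2: negative numbers not supported")
    return int.from_bytes(data, "big"), off


def parse_rsa_pubkey_blob(blob: bytes):
    """Parse an ssh-rsa blob the way a server would; returns (e, n)."""
    ktype, off = get_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("unexpected key type %r" % ktype)
    e, off = get_bignum2(blob, off)
    n, off = get_bignum2(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return e, n


def check_blob(blob: bytes) -> str:
    """Return "ok" or the sshd-style diagnostic the blob would provoke."""
    try:
        parse_rsa_pubkey_blob(blob)
        return "ok"
    except NegativeMpint as exc:
        return str(exc)


if __name__ == "__main__":
    good = rsa_pubkey_blob(SAMPLE_E, SAMPLE_N)
    bad = rsa_pubkey_blob(SAMPLE_E, SAMPLE_N, encoder=encode_mpint_unpadded)
    print("padded modulus   :", check_blob(good), "(%d bytes)" % len(good))
    print("unpadded modulus :", check_blob(bad), "(%d bytes)" % len(bad))
```

The two blobs differ by a single byte: the padded one carries a 129-byte modulus field, the unpadded one 128 bytes. When diagnosing this class of failure it is therefore useful to dump the blob the agent returns (for example via a debugging build of the client or the agent's own trace) and look at the first byte after the modulus length field; a value of 0x80 or higher is what sshd will refuse.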


