SSH authentication using OpenPGP 2.0 smartcard

Patryk Cisek patryk at debian.org
Tue Jan 25 16:07:02 CET 2011


Hi,

I've been successfully using OpenPGP smartcard for signing my Debian
uploads for a while now. Today I wanted to set it up also for SSH
public key authentication.

I'm using:
gnupg-2.0.17
libassuan-2.0.1
libgcrypt-1.4.6
libksba-1.1.0
pinentry-0.8.1
pinentry-qt-0.5.0


All installed into /usr/local. Signing files using gpg2 works excellently.
But when I try:
$ /usr/local/bin/gpg-agent -vv --daemon --enable-ssh-support --scdaemon-program /usr/local/bin/scdaemon
gpg-agent[6534]: listening on socket `/tmp/gpg-sUL53i/S.gpg-agent'
gpg-agent[6534]: listening on socket `/tmp/gpg-x8sB4W/S.gpg-agent.ssh'
GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=6535; export SSH_AGENT_PID;
gpg-agent[6535]: gpg-agent (GnuPG) 2.0.17 started
$ GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
$ SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=6535; export SSH_AGENT_PID;
$ ssh shell.dug.net.pl
gpg-agent[6535]: ssh handler 0x96e9348 for fd 7 started
gpg-agent[6535]: received ssh request of length 1
gpg-agent[6535]: ssh request handler for request_identities (11) started
gpg-agent[6535]: no running SCdaemon - starting it
gpg-agent[6535]: DBG: first connection to SCdaemon established
gpg-agent[6535]: ssh request handler for request_identities (11) ready
gpg-agent[6535]: sending ssh response of length 183
gpg-agent[6535]: received ssh request of length 409
gpg-agent[6535]: ssh request handler for sign_request (13) started
gpg-agent[6535]: DBG: detected card with S/N D27600012401020000050000009E0000
gpg-agent[6535]: starting a new PIN Entry
gpg-agent[6535]: smartcard signing failed: Bad PIN
gpg-agent[6535]: ssh request handler for sign_request (13) ready
gpg-agent[6535]: sending ssh response of length 1
Agent admitted failure to sign using the key.
Password:

I get a pinentry-qt4 prompt (just as for regular signing). But, as you
can see, gpg-agent says the PIN's been invalid.

At first I tried the GnuPG shipped with Debian (gpg 2.0.14, libgcrypt 1.4.6). No
luck, so I compiled the newest GnuPG and dependencies (see the beginning of this
mail), but it still doesn't work.

I'm not sure if the key's preferences are important, but I changed them from
the default values to:
gpg> showpref
[ unknown] (1). Patryk Cisek <patryk at prezu.one.pl>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (2)  Prezu <pdvd at interia.pl>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (3)  Patryk Cisek <patryk at debian.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (4)  Patryk Cisek <patryk at dug.net.pl>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ revoked] (5)  Patryk Cisek <patrykc at plusnet.pl>
     Cipher: 3DES
     Digest: SHA1
     Compression: ZIP, Uncompressed
     Features: Keyserver no-modify
[ unknown] (6)  Patryk Cisek <patryk.cisek at gmail.com>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (7)  Patryk Cisek <102363 at student.pwr.wroc.pl>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
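The gpg-agent log above is a trace of the ssh-agent wire protocol: the "request of length 1" is SSH_AGENTC_REQUEST_IDENTITIES (type 11, a body consisting of the type byte alone), the 183-byte reply is SSH_AGENT_IDENTITIES_ANSWER (type 12) carrying the card's public key and comment, the 409-byte request is SSH_AGENTC_SIGN_REQUEST (type 13), and the "response of length 1" after "smartcard signing failed: Bad PIN" is the single byte SSH_AGENT_FAILURE (5), which is what makes ssh print "Agent admitted failure to sign using the key." The following Python is an added example, not code from the mail or from GnuPG: it implements that framing (uint32 length prefix, type byte, SSH "string" and "mpint" encodings as in draft-miller-ssh-agent and RFC 4251) and replays the two-request exchange against a stand-in agent. The RSA key, the "cardno:" comment and the signing data are constructed for the example; the key size and comment length are chosen so the identities answer comes out at 183 bytes as a consistency check against the log, not as a statement about the real card.

```python
"""Decode the ssh-agent exchange that gpg-agent logs with --enable-ssh-support.

Added example (not from the mail or from GnuPG). Implements the framing of the
ssh-agent protocol: uint32 length, then a body whose first byte is the type.
Key, comment and signing data below are constructed; no agent or card is used.
"""
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude with a leading zero byte if the MSB is set."""
    if n == 0:
        return ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def frame(body: bytes) -> bytes:
    """Add the uint32 length prefix used on the agent socket."""
    return struct.pack(">I", len(body)) + body


def unframe(wire: bytes):
    """Split one framed message into (body, rest); (None, wire) if incomplete."""
    if len(wire) < 4:
        return None, wire
    (n,) = struct.unpack(">I", wire[:4])
    if len(wire) < 4 + n:
        return None, wire
    return wire[4:4 + n], wire[4 + n:]


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def rsa_public_blob(e: int, n: int) -> bytes:
    """OpenSSH ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# --- client side (what ssh sends) ------------------------------------------

def request_identities() -> bytes:
    # Body is just the type byte: the "received ssh request of length 1" in the log.
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def parse_identities_answer(body: bytes):
    """Return [(key_blob, comment), ...] from an SSH_AGENT_IDENTITIES_ANSWER body."""
    assert body[0] == SSH_AGENT_IDENTITIES_ANSWER
    (count,) = struct.unpack(">I", body[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode()))
    return keys


def parse_sign_response(body: bytes):
    """Signature blob, or None for the one-byte SSH_AGENT_FAILURE reply (the
    "sending ssh response of length 1" that follows "Bad PIN" in the log)."""
    if len(body) == 1 and body[0] == SSH_AGENT_FAILURE:
        return None
    assert body[0] == SSH_AGENT_SIGN_RESPONSE
    sig, _ = read_string(body, 1)
    return sig


# --- stand-in agent mimicking the logged behaviour -------------------------

# Constructed 1024-bit RSA public key (NOT a real card key) and a comment in the
# "cardno:" shape gpg-agent uses; together they make the answer body 183 bytes.
FAKE_N = (1 << 1023) | 12345
FAKE_E = 65537
FAKE_BLOB = rsa_public_blob(FAKE_E, FAKE_N)
FAKE_COMMENT = b"cardno:000000000000"  # 19 bytes, constructed


def fake_agent(msg_body: bytes, pin_ok: bool) -> bytes:
    t = msg_body[0]
    if t == SSH_AGENTC_REQUEST_IDENTITIES:
        return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                + ssh_string(FAKE_BLOB) + ssh_string(FAKE_COMMENT))
    if t == SSH_AGENTC_SIGN_REQUEST:
        if not pin_ok:  # what gpg-agent does after scdaemon reports Bad PIN
            return bytes([SSH_AGENT_FAILURE])
        # A real agent signs with the card here; return a dummy ssh-rsa signature.
        return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(
            ssh_string(b"ssh-rsa") + ssh_string(b"\x00" * 128))
    return bytes([SSH_AGENT_FAILURE])


def run_exchange(pin_ok: bool):
    """Replay the logged exchange; return (req1_len, ans1_len, req2_len, ans2_len, signature)."""
    body1, _ = unframe(request_identities())
    ans1 = fake_agent(body1, pin_ok)
    blob, _comment = parse_identities_answer(ans1)[0]
    body2, _ = unframe(sign_request(blob, b"constructed signing data"))
    ans2 = fake_agent(body2, pin_ok)
    return len(body1), len(ans1), len(body2), len(ans2), parse_sign_response(ans2)


if __name__ == "__main__":
    print(run_exchange(pin_ok=False)[:4])  # (1, 183, 188, 1): the failing case from the log
```

Run with `pin_ok=False` to see the same framing lengths as in the mail for the first reply and the failure byte; with `pin_ok=True` the sign response carries a signature blob instead. Note that a failure here only tells ssh that the agent declined; the reason (Bad PIN, no card, wrong key) is visible only in the agent's own log, which is why ssh falls through to "Password:".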


