GPG-Agent not recognising SSH keys

Jacques Kotze jacques.kotze at gmail.com
Thu Jan 14 14:48:33 CET 2016


Hi Peter

Thanks for your comments and help.

Your guide highlighted a silly error where I had accidentally chopped some
of the trailing characters of the appropriate keygrip in sshcontrol (Doh!).
BTW I am using GnuPG 2.1.9

I can now successfully get the response to ssh-add -L as expected. Great!

I do have a problem with this setup still not working as expected, i.e. I
have the exported pub key (from ssh-add -L) copied to the external server's
~/.ssh/authorized_keys... but am still being prompted for a user password upon
ssh'ing to the server.

Anything there I am perhaps missing?

Kind regards

Jacques







On 12 January 2016 at 18:37, Peter Lebbing <peter at digitalbrains.com> wrote:

> On 12/01/16 12:58, Jacques Kotze wrote:
> > Hi All,
>
> Hi,
>
> > First time post, so please excuse me if it is an ignorant noob question :)
>
> It's not an ignorant question, and even if it were, that wouldn't be a
> problem :).
>
> > $> unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
> > $> eval $(/usr/local/MacGPG2/bin/gpg-agent --daemon --enable-ssh-support)
>
> Which version of GnuPG are you using, by the way?
>
> > Ok.. so I am stumped. Any help appreciated :)
>
> Did it go something like this?
>
> I'm "quoting" the terminal interaction and writing comments in between.
> You can see I'm using GnuPG 2.1, but I think it should go the same for
> 2.0. There /is/ a difference with regard to the agent configuration,
> though, which is why I ask about your version above.
>
> > $ gpg2 --expert --edit-key DCDFDFA4
> > gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > Secret key is available.
> >
> > sec  rsa1024/DCDFDFA4
> >      created: 2012-03-17  expires: 2016-01-13  usage: SC
> >      trust: never         validity: unknown
> > ssb  rsa1024/77A3395A
> >      created: 2012-03-17  expires: never       usage: E
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> > [ unknown] (2)  Test Teststra <test at work.invalid>
>
> This is a testkey. It doesn't have an authentication capable subkey yet,
> so let's add one (for that, we need --expert, hence my use of it).
>
> > gpg> addkey
> > Please select what kind of key you want:
> >    (3) DSA (sign only)
> >    (4) RSA (sign only)
> >    (5) Elgamal (encrypt only)
> >    (6) RSA (encrypt only)
> >    (7) DSA (set your own capabilities)
> >    (8) RSA (set your own capabilities)
> >   (10) ECC (sign only)
> >   (11) ECC (set your own capabilities)
> >   (12) ECC (encrypt only)
> >   (13) Existing key
> > Your selection? 8
> >
> > Possible actions for a RSA key: Sign Encrypt Authenticate
> > Current allowed actions: Sign Encrypt
> >
> >    (S) Toggle the sign capability
> >    (E) Toggle the encrypt capability
> >    (A) Toggle the authenticate capability
> >    (Q) Finished
> >
> > Your selection? =a
>
> I just noticed this possibility in a recent post by Werner to this
> list... I don't know if it's a new 2.1 feature, but instead of first
> toggling S and E, you can prepend an = to your A and presto, the key is
> for A only.
>
> > RSA keys may be between 1024 and 4096 bits long.
> > What keysize do you want? (2048)
> > Requested keysize is 2048 bits
> > Please specify how long the key should be valid.
> >          0 = key does not expire
> >       <n>  = key expires in n days
> >       <n>w = key expires in n weeks
> >       <n>m = key expires in n months
> >       <n>y = key expires in n years
> > Key is valid for? (0)
> > Key does not expire at all
> > Is this correct? (y/N) y
> > Really create? (y/N) y
> > We need to generate a lot of random bytes. It is a good idea to perform
> > some other action (type on the keyboard, move the mouse, utilize the
> > disks) during the prime generation; this gives the random number
> > generator a better chance to gain enough entropy.
> >
> > sec  rsa1024/DCDFDFA4
> >      created: 2012-03-17  expires: 2016-01-13  usage: SC
> >      trust: never         validity: unknown
> > ssb  rsa1024/77A3395A
> >      created: 2012-03-17  expires: never       usage: E
> > ssb  rsa2048/38EF7410
> >      created: 2016-01-12  expires: never       usage: A
> > [ unknown] (1). Test Teststra (Koning van Wezel) <test at example.invalid>
> > [ unknown] (2)  Test Teststra <test at work.invalid>
> >
> > gpg> Save changes? (y/N) y
>
> So now we need the keygrip for this new authentication subkey:
>
> > $ gpg2 --with-keygrip -k DCDFDFA4
> > pub   rsa1024/DCDFDFA4 2012-03-17 [expires: 2016-01-13]
> >       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> > uid         [ unknown] Test Teststra (Koning van Wezel) <test at example.invalid>
> > uid         [ unknown] Test Teststra <test at work.invalid>
> > sub   rsa1024/77A3395A 2012-03-17
> >       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> > sub   rsa2048/38EF7410 2016-01-12
> >       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
>
> The keygrip /follows/ the line with the short key ID; we need the
> keygrip for the key with ID 38EF7410, so it's the very last line. The
> other keygrips are for keys that don't have the authentication
> capability and are hence useless to add to sshcontrol.
>
> I used a screen editor, but let's pretend I used the command line... In
> fact, all further lines have been edited to hide my real SSH keys. It's
> probably overkill, but let's be cautious with what we broadcast on the
> internet.
>
> > $ cd .gnupg
> > $ echo '3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0' >>sshcontrol
> > $ cat .gnupg/sshcontrol
> > # List of allowed ssh keys.  Only keys present in this file are used
> > # in the SSH protocol.  The ssh-add tool may add new entries to this
> > # file to enable them; you may also add them manually.  Comment
> > # lines, like this one, as well as empty lines are ignored.  Lines do
> > # have a certain length limit but this is not serious limitation as
> > # the format of the entries is fixed and checked by gpg-agent. A
> > # non-comment line starts with optional white spaces, followed by the
> > # keygrip of the key given as 40 hex digits, optionally followed by a
> > # the caching TTL in seconds and another optional field for arbitrary
> > # flags.   Prepend the keygrip with an '!' mark to disable it.
> >
> > 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0
>
> Now let's see if it's known:
>
> > $ ssh-add -L
> > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9V1hmvs5Gg8OqmtHDXfIAKA5Ji0z0+ib5m7DRjX/KXXZvOtwR8QOvsFxffJsXpmp1m7nL/gw+EcjbMDAbo+X05UWKiMwyVdinbnaupFDtk7Z+KBEAYLsvUml23jiBzitLbURC7wFrMTFPVzGY/5ZHw0LaWjSPuQxltjPTnMUcL4F4eyDD2TkmsxmAgNy5xMAjHmGdEaBnFent2hBTMETyeWKlP6glKT67eL2SQn5viHSXK6nVlXsyYsJBIhSPjAagPv1qRtkhinSJaKDUGWZ0vxMpNHscjG4DreWKlzew5UQcBBKleYPl7mSf1Z8UJnwLnYdC0OhjC1dMfyitByhV (none)
>
> \o/
>
> If you did it just like this, there's an issue in your setup, as it
> works for me. If you didn't do it like this, ... you probably should ;P.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
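The two things this thread turns on are picking the keygrip of the *authentication-capable* subkey (Peter's `--with-keygrip` step) and getting all 40 hex digits of it into sshcontrol (the trailing characters Jacques had chopped off). The following script is an added example, not code from the thread or from GnuPG: it parses a constructed `gpg --with-colons --with-keygrip -k` listing modelled on Peter's test key (the 16-digit key IDs and timestamps are placeholders) and checks a constructed sshcontrol file against it, flagging truncated entries and entries that name a key without the A capability.

```python
import re

# Constructed sample of `gpg --with-colons --with-keygrip -k`, modelled on the
# thread's test key; the 16-digit key IDs and timestamps are placeholders.
GPG_COLONS = """\
pub:-:1024:1:00000000DCDFDFA4:1331942400:1452643200::-:::scESCA::::::23::0:
grp:::::::::2F677680CA15F6F7B963AF35822E8EC01FBF840A:
sub:-:1024:1:0000000077A3395A:1331942400::::::e::::::23:
grp:::::::::15CB764B81D542CF921978CA89910C69D53F4E2D:
sub:-:2048:1:0000000038EF7410:1452556800::::::a::::::23:
grp:::::::::3D88DC9D60F791821AF8D537EEAC3C8DF7720D63:
"""
# Constructed sshcontrol: line 2 has a truncated keygrip (38 hex digits), line 3
# the right one, line 4 the encryption subkey's grip, which ssh cannot use.
SSHCONTROL = """\
# List of allowed ssh keys.  Only keys present in this file are used
3D88DC9D60F791821AF8D537EEAC3C8DF7720D 0
3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 0
15CB764B81D542CF921978CA89910C69D53F4E2D 0
"""
# sshcontrol entry: optional whitespace, optional '!', 40 hex digits, optional TTL, optional flags
ENTRY = re.compile(r"^\s*(!?)([0-9A-Fa-f]{40})(?:\s+(\d+))?(?:\s+(\S+))?\s*$")

def auth_keygrips(colons_output):
    """Map short key ID -> keygrip for every key whose own capabilities
    (lowercase letters in field 12) include 'a'; a grp record follows its key."""
    grips, current = {}, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = (f[4][-8:], "a" in f[11])
        elif f[0] == "grp" and current and current[1]:
            grips[current[0]] = f[9]
    return grips

def check_sshcontrol(colons_output, sshcontrol_text):
    """Return (usable, unknown, bad): enabled entries naming an auth-capable
    key, valid entries naming some other key, and malformed lines."""
    known = set(auth_keygrips(colons_output).values())
    usable, unknown, bad = [], [], []
    for n, line in enumerate(sshcontrol_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # gpg-agent ignores empty and comment lines
        m = ENTRY.match(line)
        if not m:
            bad.append((n, line.strip()))  # e.g. a chopped keygrip
        elif m.group(1) == "!":
            continue  # entry disabled with '!'
        else:
            grip = m.group(2).upper()
            (usable if grip in known else unknown).append(grip)
    return usable, unknown, bad
```

Run it against your own `gpg --with-colons --with-keygrip -k` output and `~/.gnupg/sshcontrol`; an empty `usable` list with something in `bad` or `unknown` is exactly the situation where `ssh-add -L` shows nothing useful.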