gpg-agent ssh access with OpenPGP card V1.1.
giuseppe at vitillaro.org
Sat Jul 7 10:44:47 CEST 2018
I'm experimenting a problem using the gpg-agent of
the last available version of gnupg, gnupg-2.2.8,
under a Gentoo system.
I'm using an "aged" OpenPGP card, V1.1:
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00001045
to authenticate my ssh access, without problems,
from about ten years.
With gnupg-2.2.8 something seems to be wrong,
the authentication against new versions of the sshd daemon
(version SSH-2.0-OpenSSH_7.5p1) fails while
gpg-agent log show the error:
gpg-agent DBG: chan_11 <- ERR 100663427 Conditions of use not satisfied <SCD>
gpg-agent smartcard signing failed: Conditions of use not satisfied
gpg-agent ssh sign request failed: Conditions of use not satisfied <SCD>
Instead authentication with older versions (SSH-2.0-OpenSSH_5.3) seem
to work correctly.
I know very few things about ciphering and the gnupg
implementation, but, because gnupg-2.2.4 works correctly
in this setup, I tried some naive debugging to trace
the origin of the problem.
Comparing 2.2.8 against 2.2.4, I've found is a small patch of
"agent/command-ssh.c" which seems to let gpg-agent(2.2.8) to work with
my OpenPGP card, a small fragment of code I'm attaching
to this message as "sign.patch".
I'm pretty sure this is just the "surface" of the problem,
as, from my tests, the call
"stream_read_uint32 (request, &flags);"
returns 0x04 into the "flags" variables, which, reading the
code, I think is SSH_AGENT_RSA_SHA2_512, which "match" with
the "request" the sshd is sending to my ssh client (same
Server accepts key: pkalg rsa-sha2-512 blen 151
The OpenPGP card V1.1 only accepts:
SHA1, SHA256, RIPEMD160
and it looks to my naive eyes the "agent/command-ssh.c"
code is "forcing", when it receive "flags==0x04":
spec.hash_algo = GCRY_MD_SHA512;
while my OpenPGP card seems to work only with:
hash_algo = GCRY_MD_SHA1;
My patch is just a way to debug the problem, I'm coming
to the list to ask advices about the correct way to
fix this problem.
Regards, G. Vitillaro.
-------------- next part --------------
--- a/agent/command-ssh.c 2018-04-10 07:56:52.000000000 +0200
+++ b/agent/command-ssh.c 2018-07-06 18:49:38.979118383 +0200
@@ -2890,31 +2890,6 @@
err = stream_read_uint32 (request, &flags);
- if (spec.algo == GCRY_PK_RSA)
- if ((flags & SSH_AGENT_RSA_SHA2_512))
- flags &= ~SSH_AGENT_RSA_SHA2_512;
- spec.ssh_identifier = "rsa-sha2-512";
- spec.hash_algo = GCRY_MD_SHA512;
- if ((flags & SSH_AGENT_RSA_SHA2_256))
- /* Note: We prefer SHA256 over SHA512. */
- flags &= ~SSH_AGENT_RSA_SHA2_256;
- spec.ssh_identifier = "rsa-sha2-256";
- spec.hash_algo = GCRY_MD_SHA256;
- /* Some flag is present that we do not know about. Note that
- * processed or known flags have been cleared at this point. */
- if (flags)
- err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
- goto out;
hash_algo = spec.hash_algo;
More information about the Gnupg-users