SSH CA + gpg-agent + gnuk => error

Brennecke, Simon simon.brennecke at
Wed Oct 16 15:41:38 CEST 2019

Hi guys,

I have a question regarding the interaction of SSH with gpg-agent (and possibly also gnuk).

I started out with the following setup:

Every admin has his own ssh private key.
All private keys are signed with an SSH CA.
The server trusts the CA, and thus the admins can log in.
No need to deploy individual keys, only the CA.

Now I wanted to store my private key in gnuk to protect it better.

So I generated a new ECC key in gnuk, imported the public keys in gpg.
Added the keygrip everything to "~/.gnupg/sshcontrol"
"ssh-add -L" shows me the key.
I signed it with the CA.
ssh tries to use the key...
... and this is where the error pops up.

ssh tells me:
sign_and_send_pubkey: signing failed: agent refused operation

and gpg-agent tells me:
gpg-agent[21629]: ssh request handler for sign_request (13) started
gpg-agent[21629]: DBG: detected card with S/N D276000124010200FFFE430322340000
gpg-agent[21629]: smartcard signing failed: General error
gpg-agent[21629]: ssh sign request failed: General error <GPG Agent>

Without the CA (when I deploy my key explicitly on the server) it works fine.
I'm not sure where the issue comes from.
From my understanding of ssh's internal workings, gnupg should not even get informed that now a CA is used.

Out of curiosity I tried the whole thing again, but without gnuk. Instead I stored the private key in gpg. And that works even with the SSH CA.

Any ideas? Am I missing something obvious here? Or could this be a bug?

Thanks & Regards

More information about the Gnupg-users mailing list