Yubikey : ed25519 signing failed

Julien Escario julien.escario at altinea.fr
Wed Jul 29 11:26:47 CEST 2020


Hello,
It seems I found a bug in the Yubikey's ed25519 key support.

Long story short:
* Generate an ed25519 GnuPG key and 3 subkeys
* Generate an ed25519 ssh key pair (SSH authority)
* Generate an SSH certificate by signing your public key (from GnuPG)
with your SSH authority

=> When deploying the SSH authority public key in authorized_keys on a
server (with a leading cert-authority), you can log in with your SSH
certificate + private key.

Now, move 3 subkeys to the Yubikey (5.2.6 firmware here).

=> You can't log in anymore, with the message:
sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/id_ed25519":
agent refused operation

To me, it seems the Yubikey is lacking (or has a buggy) signing operation
for ed25519 keys. I've not been able to debug any deeper; it's beyond my
understanding.

Setting the ed25519 public key directly inside the authorized_keys file
works like a charm.

It could also be at the scdaemon or gpg-agent level.

Has anyone already encountered this error?
I'm probably the only one in the world trying to use an ed25519 SSH cert
authority with SSH keys on a Yubikey ;-)

Thanks for your advice!
Julien
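
The software-only part of the procedure described in the post (SSH authority, user key, certificate, cert-authority line), as an added example that is not part of the original message: it lets the certificate chain be verified with ssh-keygen before any token or agent is involved. It assumes OpenSSH's ssh-keygen is in PATH; the file names, the certificate identity "example-user-cert" and the principal "julien" are assumptions chosen for the example, and a plain ssh-keygen key stands in for the GnuPG-exported public key so the script runs without GnuPG.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the
# software-only part of the setup with OpenSSH's ssh-keygen (assumed to be
# in PATH): an ed25519 SSH certificate authority, an ed25519 user key, a
# certificate signed by that CA, and the authorized_keys line sshd needs.
# File names, the identity "example-user-cert" and the principal "julien"
# are assumptions chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The "SSH authority": an ed25519 CA key pair plus the authorized_keys entry
# that makes sshd trust any user certificate this CA has signed.
make_ca() {
    rm -f "$WORKDIR/ca_ed25519" "$WORKDIR/ca_ed25519.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$WORKDIR/ca_ed25519"
    printf 'cert-authority %s\n' "$(cat "$WORKDIR/ca_ed25519.pub")" \
        > "$WORKDIR/authorized_keys"
}

# The user's ed25519 key. In the post this public key comes from GnuPG
# (gpg --export-ssh-key <keyid> prints it in OpenSSH format); here a plain
# ssh-keygen key stands in for it so the example runs without GnuPG.
make_user_key() {
    rm -f "$WORKDIR/user_ed25519" "$WORKDIR/user_ed25519.pub" \
          "$WORKDIR/user_ed25519-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'example-user' -f "$WORKDIR/user_ed25519"
}

# Sign the user's public key with the CA; ssh-keygen writes
# user_ed25519-cert.pub next to it. -I is the certificate identity sshd
# logs, -n the principals (login names) the certificate is valid for,
# -V a short validity window (assumed values).
sign_user_key() {
    ssh-keygen -q -s "$WORKDIR/ca_ed25519" -I 'example-user-cert' \
        -n 'julien' -V '-5m:+1h' "$WORKDIR/user_ed25519.pub"
}

# Human-readable dump of the certificate: type, signing CA, key ID,
# principals, validity, extensions.
show_cert() {
    ssh-keygen -L -f "$WORKDIR/user_ed25519-cert.pub"
}

# True if the certificate was signed by the CA key that authorized_keys
# trusts: ssh-keygen -L prints the CA fingerprint on its "Signing CA" line.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -l -f "$WORKDIR/ca_ed25519.pub" | awk '{print $2}')
    show_cert | grep -q "Signing CA: ED25519 $ca_fp"
}

# True if the given login name is among the certificate's principals.
cert_has_principal() {
    show_cert | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -qx "[[:space:]]*$1"
}

main() {
    make_ca
    make_user_key
    sign_user_key
    show_cert
    cert_signed_by_ca && echo "certificate is signed by the trusted CA"
    cert_has_principal julien && echo "certificate is valid for principal julien"
    # With a file-based private key, ssh picks up user_ed25519-cert.pub on
    # its own. When the private key is only reachable through an agent
    # (gpg-agent in the post), point ssh at the public key and the
    # certificate explicitly; the agent still performs the signature:
    #   ssh -i "$WORKDIR/user_ed25519.pub" \
    #       -o CertificateFile="$WORKDIR/user_ed25519-cert.pub" julien@host
    # "agent refused operation" on that path is the ssh client reporting
    # that the agent answered the sign request with a failure; sshd and
    # the CA are not involved at that point.
}

main "$@"
```

Run it once to see the decoded certificate, then compare the "Signing CA" fingerprint against the cert-authority key on the server; if that chain checks out with a file-based key and only the agent-held key fails, the problem is on the agent side of the connection, which is where the post's error message originates.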



More information about the Gnupg-users mailing list