Yubikey : ed25519 signing failed

Ángel angel at pgp.16bits.net
Fri Jul 31 03:50:18 CEST 2020


On 2020-07-29 at 11:26 +0200, Julien Escario via Gnupg-users wrote:
> Hello,
> It seems I found a bug in ed25519 key yubikey's support.
> 
> Long story short:
> * Generate an ed25519 Gnupg key and 3 subkeys
> * Generate an ed25519 ssh key pair (SSH authority)
> * Generate a SSH certificate by signing your public key (from Gnupg)
> with your SSH authority
> 
> => When deploying SSH authority public key in authorized_keys on a
> server (with leading cert-authority), you can login with your ssh
> certificate + private key.
> 
> Now, move 3 subkeys to the Yubikey (5.2.6 firmware here).
> 
> => You can't login anymore with message :
> sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/id_ed25519":
> agent refused operation
> 
> To me, it seems the Yubikey is lacking (or bugged) signing operation
> for ed25519 key. I've not been able to debug any deeper, out of my
> understanding.
> 
> Setting the ed25519 public key directly inside the authorized_keys file
> works like a charm.

You probably meant "~/.ssh/id_ed25519", not authorized_keys.


> It could also be at the scdaemon or gpg-agent level.
> 
> Anyone already encountered this error?
> I'm probably the only one in the world to try using an ed25519 SSH cert
> authority with ssh keys on a Yubikey ;-)
> 
> Thanks for your advice!
> Julien

I don't think it will end up being a Yubikey problem. Is signing a
message with an ed25519 key stored in the Yubikey working?

Signing a message or an authentication attempt should make no difference
for the Yubikey.

Can the agent/scdaemon open the device in order to communicate with the
Yubikey? Some permission issues end up as the generic "agent refused
operation" errors from the client pov, but they end up being silly
things like lack of rights to open a /dev/ file, such as the pinentry
unable to open the tty.

Best regards
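The checks suggested above, as an added shell script that is not part of the thread: it separates "ssh is not talking to gpg-agent" from "scdaemon cannot open the card" from "pinentry has no tty", and ends with a plain gpg signature by the card key, which exercises the Yubikey with ssh out of the loop. It assumes gpg-agent is the ssh agent (enable-ssh-support) and the authentication subkey is on the card; the cert-authority line check is a helper written for this example, and any paths in its comments are constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. Assumes gpg-agent is the
# ssh agent (enable-ssh-support) and the auth subkey lives on the card.

# Pure check: does an authorized_keys file carry a CA line for this key type?
# The line must start with the cert-authority option (other options may follow
# it, comma-separated) before the key type.  $1 = file, $2 = key type.
has_cert_authority() {
    grep -Eq "^cert-authority([, ][^ ]*)? +$2 " "$1"
}

# Pure check: is ssh talking to gpg-agent at all?
# $1 = $SSH_AUTH_SOCK, $2 = path from `gpgconf --list-dirs agent-ssh-socket`.
agent_sock_is_gpg() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Walk the layers from the ssh client down to the card.
diagnose() {
    gpg_sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    if agent_sock_is_gpg "$SSH_AUTH_SOCK" "$gpg_sock"; then
        echo "ok: SSH_AUTH_SOCK is gpg-agent's ssh socket"
    else
        echo "SSH_AUTH_SOCK='$SSH_AUTH_SOCK' is not gpg-agent's socket ($gpg_sock)"
    fi
    # scdaemon must be able to open the reader; udev/permission problems
    # show up here, not as a Yubikey firmware fault.
    if gpg --card-status >/dev/null 2>&1; then
        echo "ok: scdaemon can read the card"
    else
        echo "scdaemon cannot open the card: check reader permissions"
    fi
    # pinentry needs a tty it is allowed to open; tell the agent which one.
    GPG_TTY=$(tty); export GPG_TTY
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    # Same key, same card, no ssh involved: if this fails the fault is
    # below ssh; if it works, look at the ssh/certificate setup instead.
    if echo test | gpg --sign --armor >/dev/null 2>&1; then
        echo "ok: gpg signs with the card key"
    else
        echo "gpg cannot sign with the card key (pinentry/tty or card access)"
    fi
    if ssh-add -L 2>/dev/null | grep -q '^ssh-ed25519 '; then
        echo "ok: agent offers an ed25519 key to ssh"
    else
        echo "agent offers no ed25519 key: is the auth subkey on the card?"
    fi
}

if [ "${1:-}" = run ]; then diagnose; fi
```

Run it as `sh diag.sh run` on the client with the Yubikey inserted; the first failing line is the layer to look at.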
