OpenPGP card with 25519 key breaks SSH sntrup761x25519-sha512@openssh.com

Simon Josefsson simon at josefsson.org
Fri Dec 30 15:04:44 CET 2022


Hi.

When I SSH with gpg-agent's ssh-agent emulation, this happens:

jas@kaka ~$ ssh root@192.168.10.186
sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE 42315277" from agent: agent refused operation
root@192.168.10.186: Permission denied (publickey).
jas@kaka ~$ 

Tracking it down, it only occurs when both of these hold:

1) Modern enough SSH versions that prefer
sntrup761x25519-sha512@openssh.com over curve25519-sha256.  To force it:
ssh -oKexAlgorithms=sntrup761x25519-sha512@openssh.com root@192.168.10.186

2) The 25519 key is on an OpenPGP card.  I verified that 'ssh-keygen -t
ed25519' and using that key works successfully with
sntrup761x25519-sha512, so the problem is likely not within the OpenSSH
server or client.  I have verified the problem with two different
OpenPGP cards, Gnuk1.2.20 at FST01SZ and YubiKey, so it is likely not a
card problem.

Isn't this supposed to work?

The workaround is to use the old default of curve25519-sha256:

jas@kaka ~$ ssh -oKexAlgorithms=curve25519-sha256 root@192.168.10.186

Then it works.

I enable debugging and restart scdaemon as follows:

jas@kaka ~$ cat>.gnupg/scdaemon.conf
debug-all
log-file /tmp/scd.log
jas@kaka ~$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
OK
ERR 67125247 Slut på fil <GPG Agent>
jas@kaka ~$ 

The relevant output from a failing SSH command:

DBG: chan_7 <- SERIALNO
DBG: chan_7 -> S SERIALNO D276000124010200FFFE423152770000
DBG: chan_7 -> OK
DBG: chan_7 <- GETINFO card_list
DBG: chan_7 -> S SERIALNO D276000124010200FFFE423152770000
DBG: chan_7 -> OK
DBG: chan_7 <- SERIALNO --demand=D276000124010200FFFE423152770000
DBG: chan_7 -> S SERIALNO D276000124010200FFFE423152770000
DBG: chan_7 -> OK
DBG: chan_7 <- GETATTR $AUTHKEYID
DBG: chan_7 -> S $AUTHKEYID OPENPGP.3
DBG: chan_7 -> OK
DBG: chan_7 <- GETATTR SERIALNO
DBG: chan_7 -> S SERIALNO D276000124010200FFFE423152770000
DBG: chan_7 -> OK
DBG: chan_7 <- READKEY OPENPGP.3
DBG: chan_7 -> [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(85 byte(s) skipped) ]
DBG: chan_7 -> OK
DBG: chan_7 <- GETATTR $DISPSERIALNO
DBG: chan_7 -> S $DISPSERIALNO FFFE+42315277
DBG: chan_7 -> OK
DBG: chan_7 <- SERIALNO --demand=D276000124010200FFFE423152770000
DBG: chan_7 -> S SERIALNO D276000124010200FFFE423152770000
DBG: chan_7 -> OK
DBG: chan
DBG: chan_7 -> OK
DBG: chan_7 <- PKAUTH 24C58979C8A143555526ECBA27CE64C86D0D563D
DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=260 le=256 em=0
operation auth result: Invalid value
app_auth failed: Invalid value
DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
DBG: chan_7 <- RESTART
DBG: chan_7 -> OK

Relevant part when I use -oKexAlgorithms=curve25519-sha256 for a
successful SSH command:

2022-12-30 14:55:37 scdaemon[8885] DBG: chan
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 -> OK
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 <- PKAUTH 24C58979C8A143555526ECBA27CE64C86D0D563D
2022-12-30 14:55:37 scdaemon[8885] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=228 le=256 em=0
2022-12-30 14:55:37 scdaemon[8885] DBG:   PCSC_data: 00 88 00 00 E4 00 00 00 20 1B 17 C1 E7 A4 76 E6 97 A8 46 BF EC 82 D5 82 77 CE 29 BE 5D 5E 47 29 70 7B 50 81 7A B5 8D AE AA 32 00 00 00 04 72 6F 6F 74 00 00 00 0E 73 73 68 2D 63 6F 6E 6E 65 63 74 69 6F 6E 00 00 00 23 70 75 62 6C 69 63 6B 65 79 2D 68 6F 73 74 62 6F 75 6E 64 2D 76 30 30 40 6F 70 65 6E 73 73 68 2E 63 6F 6D 01 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 33 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 BC C2 15 C1 C7 AC AC D5 48 F0 C3 6A B6 4F 62 A9 FC F4 7E 53 3D AC 70 70 E4 60 46 0F B8 0D A8 04 00 00 00 33 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 9E 01 C3 E5 5A 1A 34 6E D5 0B A9 1A 9A E6 75 2C ED 4A CC 5B 74 74 50 EC 58 B3 3E 55 87 18 BC 44 00
2022-12-30 14:55:37 scdaemon[8885] DBG:  response: sw=9000  datalen=64
2022-12-30 14:55:37 scdaemon[8885] DBG:       dump:  7E 25 60 36 E3 B5 34 22 74 C0 DD 0C 08 84 70 AE B2 A9 2F A4 75 66 A2 AF 48 C2 BE C3 5C 29 6B CD 1D 37 38 2C 32 ED BC 40 8D C5 E3 C4 3F 8A 7E D3 B2 BA C3 93 BE F1 F7 60 A0 55 A4 A1 AE AF 8A 03
2022-12-30 14:55:37 scdaemon[8885] operation auth result: Success
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 -> [ 44 20 7e 25 32 35 60 36 e3 b5 34 22 74 c0 dd 0c ...(52 byte(s) skipped) ]
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 -> OK
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 <- RESTART
2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 -> OK

/Simon
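
Added example, not part of the original message: the Python sketch below decodes the APDU from the successful run's PCSC_data log line into the fields of the SSH publickey-hostbound-v00@openssh.com signing request, then recomputes the payload length for a 64-byte session identifier, which is the SHA-512 output size used by sntrup761x25519-sha512@openssh.com. The function and field names are this example's own; the field order follows OpenSSH's PROTOCOL description of that method.

```python
import struct

# INTERNAL AUTHENTICATE APDU copied from the PCSC_data line of the successful
# curve25519-sha256 run above: CLA INS P1 P2 Lc, then Lc data bytes, then Le.
APDU = bytes.fromhex("""
00 88 00 00 E4 00 00 00 20 1B 17 C1 E7 A4 76 E6 97 A8 46 BF EC 82 D5 82 77 CE
29 BE 5D 5E 47 29 70 7B 50 81 7A B5 8D AE AA 32 00 00 00 04 72 6F 6F 74 00 00
00 0E 73 73 68 2D 63 6F 6E 6E 65 63 74 69 6F 6E 00 00 00 23 70 75 62 6C 69 63
6B 65 79 2D 68 6F 73 74 62 6F 75 6E 64 2D 76 30 30 40 6F 70 65 6E 73 73 68 2E
63 6F 6D 01 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 33 00 00 00
0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 BC C2 15 C1 C7 AC AC D5 48 F0
C3 6A B6 4F 62 A9 FC F4 7E 53 3D AC 70 70 E4 60 46 0F B8 0D A8 04 00 00 00 33
00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 9E 01 C3 E5 5A 1A 34
6E D5 0B A9 1A 9A E6 75 2C ED 4A CC 5B 74 74 50 EC 58 B3 3E 55 87 18 BC 44 00
""")

# Field order of the signed "publickey-hostbound-v00@openssh.com" request.
FIELDS = ("session_id", "msg_type", "user", "service", "method",
          "has_signature", "key_alg", "public_key", "server_host_key")
ONE_BYTE = {"msg_type", "has_signature"}  # byte/boolean: no length prefix

def parse_signed_data(apdu):
    """Return (lc, fields) for the SSH data sent to the card for signing."""
    lc = apdu[4]  # short-form Lc, as in the logged APDU
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("APDU is shorter than its Lc byte claims")
    fields, pos = {}, 0
    for name in FIELDS:
        size, start = 1, pos
        if name not in ONE_BYTE:  # SSH string: uint32 length, then bytes
            (size,) = struct.unpack_from(">I", data, pos)
            start = pos + 4
        if start + size > len(data):
            raise ValueError(f"field {name} runs past the end of the data")
        fields[name] = data[start:start + size]
        pos = start + size
    return lc, fields

def signed_data_len(fields, session_id_len):
    """Length of the same request if the session id had session_id_len bytes."""
    total = 0
    for name, value in fields.items():
        size = session_id_len if name == "session_id" else len(value)
        total += size if name in ONE_BYTE else 4 + size
    return total

if __name__ == "__main__":
    lc, f = parse_signed_data(APDU)
    print(lc, f["method"].decode(), signed_data_len(f, 32), signed_data_len(f, 64))
```

The request is 228 bytes with a 32-byte session identifier and 260 bytes with a 64-byte one, matching the lc=228 and lc=260 values in the two scdaemon logs.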