Yubikey : ed25519 signing failed
Hello,
It seems I found a bug in the Yubikey's ed25519 key support.

Long story short :
* Generate an ed25519 Gnupg key and 3 subkeys
* Generate an ed25519 ssh key pair (SSH authority)
* Generate an SSH certificate by signing your public key (from Gnupg)
with your SSH authority

=> When deploying the SSH authority public key in authorized_keys on a
server (with a leading cert-authority), you can log in with your ssh
certificate + private key.

Now, move 3 subkeys to the Yubikey (5.2.6 firmware here).

=> You can't log in anymore; the message is:
sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/id_ed25519":
agent refused operation

To me, it seems the Yubikey is lacking (or has a buggy) signing operation
for ed25519 keys. I've not been able to debug any deeper; it's beyond my
understanding.

Setting the ed25519 public key directly inside the authorized_keys file
works like a charm.

It could also be at the scdaemon or gpg-agent level.

Has anyone already encountered this error?
I'm probably the only one in the world to try using an ed25519 SSH cert
authority with ssh keys on a Yubikey ;-)

Thanks for your advice!
Julien

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
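The CA setup from the steps above, carried out with plain file-based keys as an added example (this is not part of Julien's post); the file names under $WORK, the key id and the principal name "julien" are constructed for the demo. Verifying the certificate chain on disk first lets a later "agent refused operation" be attributed to the agent/scdaemon/token path rather than to the certificate itself.

```shell
#!/bin/sh
# Added example: reproduce the SSH-certificate setup described in the post
# without a Yubikey, so the CA -> certificate -> authorized_keys chain can be
# checked before any private key is moved to a token.
set -eu

# All paths are constructed for this demo; override WORK to keep the files.
WORK="${WORK:-$(mktemp -d)}"

# Steps 1 and 2: an ed25519 user key pair and a separate ed25519 CA key pair.
make_keys() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519" -C "user key"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_ca" -C "ssh authority"
}

# Step 3: sign the user's public key with the CA; ssh-keygen writes
# id_ed25519-cert.pub next to the key. -I is the key id that appears in
# server logs, -n the principals the cert is valid for, -V its validity.
sign_cert() {
    ssh-keygen -q -s "$WORK/ssh_ca" -I "julien-demo" -n "julien" \
        -V "-5m:+1h" "$WORK/id_ed25519.pub"
}

# Server side: trust any certificate issued by this CA for the account.
# Only the CA public key is listed; individual user keys are not needed.
write_authorized_keys() {
    printf 'cert-authority,principals="julien" %s\n' \
        "$(cat "$WORK/ssh_ca.pub")" > "$WORK/authorized_keys"
}

# Certificate type as reported by ssh-keygen -L; a correct ed25519 user
# certificate reports ssh-ed25519-cert-v01@openssh.com.
cert_type() {
    ssh-keygen -L -f "$WORK/id_ed25519-cert.pub" | awk '/Type:/ {print $2}'
}

# Succeeds only if the certificate's "Signing CA" fingerprint is the
# fingerprint of the CA public key we deployed in authorized_keys.
cert_signing_ca_matches() {
    ca_fp=$(ssh-keygen -l -f "$WORK/ssh_ca.pub" | awk '{print $2}')
    ssh-keygen -L -f "$WORK/id_ed25519-cert.pub" \
        | grep -q "Signing CA: ED25519 $ca_fp"
}
```

Once this chain verifies on disk, the same id_ed25519-cert.pub can be used with a key held by gpg-agent; if login then fails with "agent refused operation", the certificate is not the part to debug.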
Re: Yubikey : ed25519 signing failed
On 2020-07-29 at 11:26 +0200, Julien Escario via Gnupg-users wrote:
> Hello,
> It seems I found a bug in the Yubikey's ed25519 key support.
>
> Long story short :
> * Generate an ed25519 Gnupg key and 3 subkeys
> * Generate an ed25519 ssh key pair (SSH authority)
> * Generate an SSH certificate by signing your public key (from Gnupg)
> with your SSH authority
>
> => When deploying the SSH authority public key in authorized_keys on a
> server (with a leading cert-authority), you can log in with your ssh
> certificate + private key.
>
> Now, move 3 subkeys to the Yubikey (5.2.6 firmware here).
>
> => You can't log in anymore; the message is:
> sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/id_ed25519":
> agent refused operation
>
> To me, it seems the Yubikey is lacking (or has a buggy) signing operation
> for ed25519 keys. I've not been able to debug any deeper; it's beyond my
> understanding.
>
> Setting the ed25519 public key directly inside the authorized_keys file
> works like a charm.

You probably meant "~/.ssh/id_ed25519", not authorized_keys.


> It could also be at the scdaemon or gpg-agent level.
>
> Has anyone already encountered this error?
> I'm probably the only one in the world to try using an ed25519 SSH cert
> authority with ssh keys on a Yubikey ;-)
>
> Thanks for your advice!
> Julien

I don't think it will end up being a Yubikey problem. Is signing a
message with an ed25519 key stored in the Yubikey working?

Signing a message or an authentication attempt should make no difference
for the Yubikey.

Can the agent/scdaemon open the device in order to communicate with the
Yubikey? Some permission issues end up as the generic "agent refused
operation" error from the client's point of view, but they turn out to be
silly things like lacking the rights to open a /dev/ file, such as the
pinentry being unable to open the tty.

Best regards
