
agent refused operation when using GnuPG key for ssh
I am trying to configure a GnuPG key for ssh authentication. I have added a
new key specifically for authentication (usage). Then I exported the
public key using --export-ssh-key and saved it in authorized_keys on the
remote server.

~/.gnupg/gpg-agent.conf
~/.gnupg/sshcontrol

The above files are configured accordingly, and in my ~/.zshrc I have:

--8<---------------cut here---------------start------------->8---
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
--8<---------------cut here---------------end--------------->8---

But when I connect using ssh, it tries to log in using the GnuPG key and
gets an "agent refused operation" error. Below is the log.

--8<---------------cut here---------------start------------->8---
debug1: Offering public key: (none) RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: (none) RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY agent
debug3: sign_and_send_pubkey: RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering public key: /Users/pankaj/.ssh/id_rsa RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/pankaj/.ssh/id_rsa RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: sign_and_send_pubkey: RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
--8<---------------cut here---------------end--------------->8---

How can I diagnose this further?

--
Pankaj Jangid

GnuPG Fingerprint => 0B62 7424 3B26 A911 052A DDE6 7C95 6E6F F858 7689

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: agent refused operation when using GnuPG key for ssh
On Mon, 28 Sep 2020 23:54, Pankaj Jangid said:
> debug3: sign_and_send_pubkey: signing using rsa-sha2-512
> sign_and_send_pubkey: signing failed: agent refused operation

Algorithm looks okay. You need to look at the gpg-agent log. Put

log-file /somewhere/gpg-agent.log
verbose

into ~/.gnupg/gpg-agent.conf and restart the agent ("gpgconf --reload
gpg-agent" should be sufficient). Run ssh again, check the log and post
it. What version of GnuPG are you running? ("gpg-agent --version").


Salam-Shalom,

Werner



--
Thoughts are free. Exceptions are governed by a federal law.
Re: agent refused operation when using GnuPG key for ssh
On Tue, Sep 29 2020, Werner Koch via Gnupg-users wrote:

> On Mon, 28 Sep 2020 23:54, Pankaj Jangid said:
>> debug3: sign_and_send_pubkey: signing using rsa-sha2-512
>> sign_and_send_pubkey: signing failed: agent refused operation
>
> Algorithm looks okay. You need to look at the gpg-agent log. Put
>
> log-file /somewhere/gpg-agent.log
> verbose
>
> into ~/.gnupg/gpg-agent.conf and restart the agent ("gpgconf --reload
> gpg-agent" should be sufficient). Run ssh again, check the log and post
> it. What version of GnuPG are you running? ("gpg-agent --version").

(Fixed)

The error was occurring because it could not find the tty to ask for the
passphrase. Now I am doing this in my ~/.bash_profile:

#+BEGIN_SRC bash
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye
#+END_SRC

In the Stack Overflow archives, someone mentioned installing
pinentry-mac for macOS. This gave me a hint. I already had pinentry-curses
installed, so I looked for how to tell gpg-agent about this and found
this:

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol

Then I ran:

gpg-connect-agent 'help updatestartuptty'

Regards

--
Pankaj Jangid

GnuPG Fingerprint => 0B62 7424 3B26 A911 052A DDE6 7C95 6E6F F858 7689

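The two things this thread turned on, the shell environment gpg-agent needs for ssh (SSH_AUTH_SOCK and GPG_TTY) and whether a key is actually enabled in ~/.gnupg/sshcontrol, can be checked before reaching for the agent log. The script below is an added example, not code from the thread or from GnuPG; the two functions take their inputs as arguments so they can be exercised without a running agent, and the script name gpg-ssh-check.sh and the GPG_SSH_CHECK_LIVE switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for gpg-agent as ssh agent.
# Covers what this thread turned on: the shell environment (SSH_AUTH_SOCK, GPG_TTY)
# and whether a key is enabled in ~/.gnupg/sshcontrol. Assumed sshcontrol format,
# as documented for gpg-agent: keygrip per line, optional TTL and "confirm" flag,
# a leading '!' disables the entry, a line starting with '#' is a comment.

# sshcontrol_status FILE KEYGRIP -> 0 enabled, 1 listed but disabled, 2 absent
sshcontrol_status() {
  file=$1 keygrip=$2 status=2
  [ -r "$file" ] || return 2
  set -f                                   # no globbing while splitting fields
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                           # split on whitespace
    [ $# -gt 0 ] || continue
    case $1 in
      '#'*)        ;;                      # comment line
      "!$keygrip") status=1 ;;
      "$keygrip")  status=0 ;;
    esac
  done < "$file"
  set +f
  return $status
}

# ssh_env_status SSH_AUTH_SOCK_VALUE GPG_TTY_VALUE AGENT_SSH_SOCKET -> 0 ok, 1 problem
# Values are passed in so the check runs without a live agent; problems go to stderr.
ssh_env_status() {
  rc=0
  if [ -z "$2" ]; then
    echo "GPG_TTY is unset: pinentry has no tty, so signing requests fail" >&2; rc=1
  fi
  if [ "$1" != "$3" ]; then
    echo "SSH_AUTH_SOCK ($1) is not gpg-agent's ssh socket ($3)" >&2; rc=1
  fi
  return $rc
}

# Live run against the local agent: GPG_SSH_CHECK_LIVE=1 sh gpg-ssh-check.sh
if [ "${GPG_SSH_CHECK_LIVE:-0}" = 1 ]; then
  ssh_env_status "${SSH_AUTH_SOCK:-}" "${GPG_TTY:-}" "$(gpgconf --list-dirs agent-ssh-socket)"
  for kg in $(gpg --with-keygrip --list-secret-keys | awk '$1 == "Keygrip" { print $3 }'); do
    sshcontrol_status "$HOME/.gnupg/sshcontrol" "$kg"; r=$?
    echo "$kg: status $r (0=enabled 1=disabled 2=not in sshcontrol)"
  done
fi
```

A key reported as status 2 is not offered to ssh by gpg-agent via sshcontrol; with GnuPG 2.3 or later a key can also be enabled through a Use-for-ssh attribute in its private key file, so an absent entry is only conclusive on older versions.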