Comments (14)

reelsense avatar reelsense commented on August 26, 2024 4

This thread was the only helpful result I found in Google when I was searching this error. So I'm adding my experience to the thread.

I resolved this also by cleaning up my ~/.gnupg folder. Specifically, ~/.gnupg/private-keys-v1.d/. I had some crazy 16384 bit RSA key in there that I suspect stayed around even after "removing" it from GPG. I think that was the cause.

✅ I exported my private & public keys, deleted ~/.gnupg/private-keys-v1.d/, and had to re-import my private keys after.

from yubikey-guide.

thardie avatar thardie commented on August 26, 2024 2

Thanks for the answer. In my case, I cannot put the certs in my .ssh directory, as they are short lived and issued by Gravitational Teleport, which adds them to the local ssh-agent (or in this case, gpg-agent)

mike2194 avatar mike2194 commented on August 26, 2024 2

Just to add to this:
I was able to resolve this issue by modifying file ~/.gnupg/sshcontrol and removing the offending key.

hoegertn avatar hoegertn commented on August 26, 2024 1

I fixed it by cleaning my .gnupg folder. Maybe something old was there preventing the agent from working correctly.
--> Close

thardie avatar thardie commented on August 26, 2024 1

This case can also be produced by adding an SSH Certificate to your agent. gpg-agent will accept it, but doesn't know how to read it back.

robison avatar robison commented on August 26, 2024

You may be using a key (or connecting to a server) with a key length < 1024 bits. Can you provide more output?

hoegertn avatar hoegertn commented on August 26, 2024

I am using a YubiKey 4c with a 4096-bit key. When I start the gpg-agent as described I get the following error when calling ssh-add -L or when trying to connect to any server.

the-pete avatar the-pete commented on August 26, 2024

What is the length of the server key? I've seen this before on older boxes where the key was generated a while ago. May need to regenerate that key.

reelsense avatar reelsense commented on August 26, 2024

I use SSH certs all the time with my Yubikey without issue.

thardie avatar thardie commented on August 26, 2024

I use SSH certs all the time with my Yubikey without issue.

Do you do this with gpg-agent? When I add an ssh cert to my gpg-agent, I run into this bug: https://dev.gnupg.org/T1756

reelsense avatar reelsense commented on August 26, 2024

@thardie I'm following the drduh Yubikey-Guide so I must be using the gpg-agent. I'm using ssh certs for the client, not the server. I need to confirm I haven't added my public key to the servers authorized keys file. I've been using a SSH CA reliably for years, even with my yubikeys.

thardie avatar thardie commented on August 26, 2024

@reelsense Do you mind running an "ssh-add -l" and seeing if you have any (RSA-CERT) entries listed with the gpg-agent? I can add the cert to the GPG agent, but thereafter, "ssh-add -l" reports the error @hoegertn mentioned.

EDIT: Also, what version of gpg-agent are you using?

claviola avatar claviola commented on August 26, 2024

I have the same issue, by the way. Everything seems to work, but ssh-add -l will report error fetching identities: Invalid key length and I am unable to actually use the identities.

reelsense avatar reelsense commented on August 26, 2024

"@reelsense Do you mind running an "ssh-add -l" and seeing if you have any (RSA-CERT) entries listed with the gpg-agent?"

When I run ssh-add -l I only see my Yubikey. I'm only allowed into my servers because my Yubikey's public key is signed.

"I can add the cert to the GPG agent, but thereafter, "ssh-add -l" reports the error @hoegertn mentioned."

I've never added my cert file to gpg-agent. I just put the cert file in ~/.ssh/ and give it a name that looks like a cert vs a pub key: ~/.ssh/id_rsa-cert.pub. ssh sends any and all of your keys/certs in that folder to every server you attempt a connection to.

When I ssh to my server (ssh examplehost -v), I can see:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:0123456789 RSA SHA256:YTRmMTAwNDU2YzhlMGU5YjUwMjg3ZDdjMThkNGJlMjY1Y2JiYzViZTMwMGNkYWQyYzhhYjQzOWFiODMzOTE3Nw== agent
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/exampleuser/.ssh/id_rsa
debug1: Offering public key: /Users/exampleuser/.ssh/id_rsa RSA-CERT SHA256:YTRmMTAwNDU2YzhlMGU5YjUwMjg3ZDdjMThkNGJlMjY1Y2JiYzViZTMwMGNkYWQyYzhhYjQzOWFiODMzOTE3Nw==
debug1: Server accepts key: /Users/exampleuser/.ssh/id_rsa RSA-CERT SHA256:YTRmMTAwNDU2YzhlMGU5YjUwMjg3ZDdjMThkNGJlMjY1Y2JiYzViZTMwMGNkYWQyYzhhYjQzOWFiODMzOTE3Nw==

And on the server side I see:

/var/log/auth.log

Mar 10 00:10:23 examplehost sshd[4400]: Accepted publickey for exampleuser from 169.169.169.256 port 53040 ssh2: RSA-CERT ID exampleuser (serial 0123456789) CA RSA SHA256:YTRmMTAwNDU2YzhlMGU5YjUwMjg3ZDdjMThkNGJlMjY1Y2JiYzViZTMwMGNkYWQyYzhhYjQzOWFiODMzOTE3Nw==
Mar 10 00:10:23 examplehost sshd[4400]: pam_unix(sshd:session): session opened for user exampleuser by (uid=0)
Mar 10 00:10:23 examplehost systemd-logind[781]: New session 3800 of user exampleuser.
Mar 10 00:10:28 examplehost sshd[4513]: Received disconnect from 169.169.169.256 port 53040:11: disconnected by user
Mar 10 00:10:28 examplehost sshd[4513]: Disconnected from user exampleuser 169.169.169.256 port 53040
Mar 10 00:10:28 examplehost systemd-logind[781]: Removed session 3800.
Mar 10 00:10:28 examplehost sshd[4400]: pam_unix(sshd:session): session closed for user exampleuser
Mar 10 00:10:37 examplehost sshd[4540]: Accepted publickey for exampleuser from 169.169.169.256 port 53050 ssh2: RSA-CERT ID exampleuser (serial 0123456789) CA RSA SHA256:YTRmMTAwNDU2YzhlMGU5YjUwMjg3ZDdjMThkNGJlMjY1Y2JiYzViZTMwMGNkYWQyYzhhYjQzOWFiODMzOTE3Nw==
Mar 10 00:10:37 examplehost sshd[4540]: pam_unix(sshd:session): session opened for user exampleuser by (uid=0)
Mar 10 00:10:37 examplehost systemd-logind[781]: New session 3801 of user exampleuser.

"Also, what version of gpg-agent are you using?"

gpg-agent 2.2.17
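An added diagnostic (not code from the thread or from yubikey-guide) that checks the two things the posts above point at: it lists keygrips in ~/.gnupg/sshcontrol that have no matching file in ~/.gnupg/private-keys-v1.d/ (the entries mike2194 and reelsense removed by hand), and it scans ssh-add -l output for RSA-CERT entries (thardie's observation) and keys below 1024 bits (robison's hint). The sshcontrol line layout (40-hex keygrip, TTL, flags) and the ssh-add -l line layout (bits, fingerprint, comment, type in parentheses) are assumed from the current GnuPG and OpenSSH formats; the sample data is constructed.

```python
# Added example, not code from the thread or from yubikey-guide. It audits the two
# gpg-agent files the fixes above touch (~/.gnupg/sshcontrol and private-keys-v1.d/)
# and scans `ssh-add -l` output for RSA-CERT entries and keys shorter than 1024 bits.
import re

# sshcontrol lines: "<40-hex keygrip> <ttl> [flags]"; '#' starts a comment, '!' disables.
KEYGRIP_RE = re.compile(r"^!?([0-9A-Fa-f]{40})\b")
# ssh-add -l lines: "<bits> <fingerprint> <comment> (<type>)"
SSHADD_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+\((\S+)\)$")

def parse_sshcontrol(text):
    """Return the keygrips listed in an sshcontrol file, upper-cased, in file order."""
    grips = []
    for line in text.splitlines():
        m = KEYGRIP_RE.match(line.strip())
        if m:
            grips.append(m.group(1).upper())
    return grips

def stale_entries(sshcontrol_text, key_filenames):
    """Keygrips in sshcontrol with no <keygrip>.key file among key_filenames
    (the directory listing of private-keys-v1.d); candidates for manual cleanup."""
    present = {n[:-4].upper() for n in key_filenames if n.endswith(".key")}
    return [g for g in parse_sshcontrol(sshcontrol_text) if g not in present]

def suspicious_identities(ssh_add_output, min_bits=1024):
    """Flag ssh-add -l entries that are certificates or shorter than min_bits."""
    flagged = []
    for line in ssh_add_output.splitlines():
        m = SSHADD_RE.match(line.strip())
        if not m:
            continue
        bits, _fp, comment, ktype = m.groups()
        if ktype.endswith("-CERT"):
            flagged.append((comment, "certificate entry (%s)" % ktype))
        elif int(bits) < min_bits:
            flagged.append((comment, "%s-bit key below %d" % (bits, min_bits)))
    return flagged

# Constructed sample data: one keygrip has a key file, the other does not.
GRIP_OK = "0123456789ABCDEF0123456789ABCDEF01234567"
GRIP_STALE = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_SSHCONTROL = "# List of allowed ssh keys.\n%s 0\n# Key added on: 2019-01-01\n%s 0 confirm\n" % (GRIP_OK, GRIP_STALE)
SAMPLE_KEY_FILES = [GRIP_OK + ".key"]
SAMPLE_SSH_ADD = "4096 SHA256:aaaa cardno:0123456789 (RSA)\n2048 SHA256:bbbb /Users/exampleuser/.ssh/id_rsa (RSA-CERT)\n768 SHA256:cccc legacy@host (RSA)\n"
```

To run it against a real setup, pass the contents of ~/.gnupg/sshcontrol and os.listdir of ~/.gnupg/private-keys-v1.d/ to stale_entries, and the captured output of ssh-add -l to suspicious_identities; nothing here writes to the GnuPG directory.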