#23 SSH broken with gpg-agent

Closed on November 23, 2020
srhb on November 11, 2020

This has been discussed elsewhere, eg. in this thread by @cole-h ( edit: forgot the link: https://twitter.com/helbling_cole/status/1324777474681495553 ) but I figured it would be good to have a tracking issue for it. I’m not sure this is the right place for it though, so please direct me elsewhere if that’s the case. :-)

It appears on the surface as if the ssh server on nest.pijul.com is, for some reason, unable to authenticate users using gpg-agent, or perhaps it’s related to gpg auth subkeys. For instance, I have an RSA subkey that works just fine with my openssh servers, but nest.pijul.com does not acknowledge it.

I’m unsure exactly what kind of debug information you’d like, but here’s a snip for ssh -vvv using that key for nest.pijul.com

debug1: Offering public key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51

And then it moves on to other authentication methods. For contrast, with an openssh server that accepts it:

debug1: Offering public key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE
cole-h on November 11, 2020

(“this thread” probably being https://nest.pijul.com/pijul/pijul/discussions/12 or https://twitter.com/helbling_cole/status/1324777474681495553 and following tweets)

srhb on November 11, 2020

Thanks, I edited the original post. I was referring to the tweets. Not enough coffee yet. :-)

pmeunier on November 12, 2020

Thanks for this report, I just pushed this change to Thrussh.

It turned out Thrussh hadn’t been tested with agents (such as GPG) that sign their messages using SHA1. For some context, RSA can’t sign large messages, it is mostly used to sign hashes, and SHA1 is flawed.

This is fixed now, I just published thrussh-keys 0.18.1.

One of my goals with Thrussh is to avoid outdated crypto as much as possible. Obviously, GPG doesn’t help very much with that.

pmeunier closed this discussion on November 12, 2020
cole-h on November 12, 2020

Can confirm, now it works! I just had to apply the change I submitted at https://nest.pijul.com/pijul/thrussh/discussions/4 for things to build.

srhb on November 14, 2020

Odd, still no luck here. @cole-h what did you do to make it work? I have a pijul built against thrussh-keys 1.18.2, but the nest still doesn’t care much for me.

srhb on November 14, 2020

Reopening, seems to me that some other problem might have been fixed, but nest.pijul.com still rejects my key.

srhb reopened this discussion on November 14, 2020
pmeunier on November 14, 2020

Thanks for your patience, we’re getting there. I’ll test this soon.

pmeunier on November 23, 2020

Fixed and tested with gpg-agent and an RSA key. The issue was that since RSA signs only short messages, it usually signs hashes, not direct contents. The key stored in the GPG agent describes a hash algorithm, but then GPG may sign messages with a different hash algorithm.

If you get a chance, please confirm.

srhb on November 23, 2020

Confirmed! I am now able to to use pijul clone with the nest via ssh. Thank you! :-)

srhb closed this discussion on November 23, 2020