#1008573 gpg-agent -managed SSH keys stored in Yubikeys cannot be used with OpenSSH 8.9

Package:
gpg-agent
Source:
gnupg2
Description:
GNU privacy guard - cryptographic agent
Submitter:
Philippe Grégoire
Date:
2025-01-12 02:51:02 UTC
Severity:
important
Tags:
#1008573#5
Date:
2022-03-28 20:09:18 UTC
From:
To:
Strongly related to openssh 8.9

After upgrading openssh-client to 8.9p1, Yubikey-managed SSH keys
can no longer be used. After downgrading to 1:8.4p1-5, it works.
I believe this is due to recent changes in OpenSSH 8.9 regarding
ssh-agent communication protocol which GnuPG hasn't yet picked up,
but haven't found anything on GnuPG's bug tracker.

$ ssh example.com
sign_and_send_pubkey: signing failed for ED25519 "cardno:XXXXXXXX" from agent: agent refused operation
username@example.com's password:

## See
https://www.openssh.com/agent-restrict.html

## Other reports
https://bugs.archlinux.org/task/74143

## Workaround
I use sid and had to add the stable repo to my sources.list, then
(due to dependencies):

  apt-get install openssh-client=1:8.4p1-5 \
                  openssh-server=1:8.4p1-5 \
                  openssh-sftp-server=1:8.4p1-5

Regards

#1008573#10
Date:
2022-04-11 18:00:55 UTC
From:
To:
Same problem with Gnuk, presumably multiple or all smartcards are
affected?

Although I was until today using openssh 8.9 just fine, it wasn't until
the openssh 9.0 upgrade that it stopped working for me...


live well,
  vagrant

#1008573#15
Date:
2022-04-11 21:18:11 UTC
From:
To:
According to some folks on irc.oftc.net #debian-devel, not all
smartcards are affected, we're the lucky ones!

I am using a fairly old build of gnuk, maybe newer firmware versions
have been made compatible somehow... ?

For me, downgrading to openssh 1:8.9p1-3 seems to work fine.

I've marked that version of openssh as hold for now, but that feels very
wrong. :/


live well,
  vagrant

#1008573#20
Date:
2022-04-17 17:05:54 UTC
From:
To:
Hi,

For anyone who suffers this, the workaround is:

Add `KexAlgorithms=-sntrup761x25519-sha512@openssh.com` to ~/.ssh/config
or `-o KexAlgorithms=-sntrup761x25519-sha512@openssh.com` to the command.

#1008573#31
Date:
2022-04-17 18:27:11 UTC
From:
To:
Thanks!  That works for me with openssh-client 1:9.0p1-1 and gpg-agent
2.2.27-3+b1.

Though for clarity, the ~/.ssh/config option is without the '=':

  KexAlgorithms -sntrup761x25519-sha512@openssh.com


live well,
  vagrant

#1008573#36
Date:
2022-04-22 03:04:15 UTC
From:
To:
I found an issue of scdaemon.  At upstream development, it is tracked by:

https://dev.gnupg.org/T5935

When the data is not so large (smaller than the buffer size of token),
it works using Gnuk, with the patch of scdaemon.

#1008573#41
Date:
2022-04-28 13:11:39 UTC
From:
To:
This bug report was tagged severity "serious"

https://www.debian.org/Bugs/Developer#severities says that severity
level means:

  > is a severe violation of Debian policy (roughly, it violates a
  > "must" or "required" directive), or, in the package maintainer's or
  > release manager's opinion, makes the package unsuitable for release.

I see no justification for that severity level in the discussion, so i'm
changing it to normal.  If you think that's wrong, feel free to reset it
to "serious" with an explicit justification, thanks!

Thanks for tracking this down, gniibe!

If there's a specific patch that we should include in the debian release
of the 2.2 branch, please let me know.  The patch mentioned in
https://dev.gnupg.org/T5935
(https://dev.gnupg.org/rGe8fb8e2b3e66d5ea8a3dc90afdc14611abf2c3da)
doesn't look like it will apply directly to the 2.2 branch.

In the meantime, people with the affected key/hardware combination
should be able to continue using the workaround described by vagrant.

#1008573#50
Date:
2022-09-26 09:38:22 UTC
From:
To:
Hi,

I have a Nitrokey Start that has the same problem, but the suggested
workaround was not enough for me. After a few attempts, I discovered
that I need this in my ssh_config file:

KexAlgorithms -sntrup761x25519-sha512@openssh.com
HostKeyAlgorithms -ecdsa-sha2-nistp256

Notice that after this change connections to hosts that previously used
a ecdsa-sha2-nistp256 host key will fail key verification and trigger
the usual scary message about a MITM attack.

Thanks, Giovanni.

#1008573#55
Date:
2023-04-06 01:12:48 UTC
From:
To:
Hi José and Vagrant,

It seems bugs #998728, 1008573, and #1032907 are all the same. Perhaps
the maintainers would like to merge them.

Thanks for your workaround, Vagrant; I found that adding
	KexAlgorithms -sntrup761x25519-sha512@openssh.com
to my ~/.ssh/config allows me to connect to a Bookworm machine, from
Bookworm, and also to hosts running a newer OpenSSH daemon.

A similar issue upstream is here:
https://dev.gnupg.org/T6250

Werner K. hints that it might be fixed in the GnuPG 2.3 series. As soon
as the maintainers upload it to experimental, I will be happy to test
it.

Thanks everyone for your attention.

#1008573#62
Date:
2024-02-17 15:57:29 UTC
From:
To:
[...]

Hello,

The respective patch was backported by gniibe
https://dev.gnupg.org/rG07e43eda8dc69cecc385a6b3723e155afbc59257 and is
part of 2.2.37.

Do you still see the problem (#998728, 1008573, and #1032907)?

cu Andreas

#1008573#67
Date:
2025-01-12 02:11:15 UTC
From:
To:
I just confirmed that downgrading to openssh-server 1:9.2p1-2+deb12u3
does work again on at least one machine.

live well,
  vagrant

#1008573#72
Date:
2025-01-12 02:06:50 UTC
From:
To:
With the recent update of openssh in bookworm (1:9.2p1-2+deb12u4) this
no longer seems a sufficient workaround; I can no longer ssh in to
machines running this version of openssh.

My hunch is the problem was introduced in a new and exciting way with:

https://bugs.debian.org/1088873
  openssh: please add sntrup761x25519-sha512 as an alias to sntrup761x25519-sha512@openssh.com in 9.2/Bookworm

Specifying both in ~/.ssh/config does not work around the issue for me:

  KexAlgorithms -sntrup761x25519-sha512@openssh.com,-sntrup761x25519-sha512


live well,
  vagrant

#1008573#77
Date:
2025-01-12 02:47:50 UTC
From:
To:
Ok, through trial and error, looping through all the algoritms:

bad diffie-hellman-group1-sha1
bad diffie-hellman-group14-sha1
good diffie-hellman-group14-sha256
bad diffie-hellman-group16-sha512
bad diffie-hellman-group18-sha512
bad diffie-hellman-group-exchange-sha1
good diffie-hellman-group-exchange-sha256
good ecdh-sha2-nistp256
good ecdh-sha2-nistp384
bad ecdh-sha2-nistp521
good curve25519-sha256
good curve25519-sha256@libssh.org
bad sntrup761x25519-sha512
bad sntrup761x25519-sha512@openssh.com

The sha1 ones were not supported on the server side, so no surprise
there.

Looks like all the nistp384 and sha512 all fail.

At least that leaves me with a viable workaround again...

live well,
  vagrant