[Gnuk-users] Ed25519 SSH key not working for gnupg > 2.1.6
Jonathan Schleifer
js-gnuk-users at webkeks.org
Fri May 6 11:10:15 UTC 2016
On 06.05.2016 at 02:01, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Sorry, I don't understand what's going on. It seems that there are
> two (or more) different issues on your side. Please describe your
> problem one by one, so that it can be reproducible, hopefully.
I might have been a little unclear here: I have an Ed25519
authentication key on my Gnuk that I want to use for SSH. This worked
fine until GnuPG 2.1.6; for any later version, it fails, giving me the
"Permission denied (publickey)." error. When then using ssh-add -L to
list all keys the agent knows about, I get the error mentioned in the
mail before.
> Ed25519 auth key on Gnuk Token works fine for me with GnupG 2.1.12 and
> libgcrypt 1.7.0.
Interesting. That's exactly the setup I'm trying to use.
> If your shadowed secret key on host PC was created
> by old version of GnuPG, it would be good to remove it and regenerate
> again.
Well, all I did was import the private key, mark it as ultimately trusted
and run
$ gpg --card-status
which picked up the key just fine and after which it just worked. This
was done with a GPG version <= 2.1.6, indeed.
> You can identify the key grip of your key by:
>
> $ gpg-connect-agent "keyinfo --list" /bye
> ...
> S KEYINFO 72E8E0D83FF6F53CECEB4ADA4986A1178F28850E T D276000124010200FFFE872549450000 OPENPGP.3 - - - - -
> ...
>
> Here, I found my auth key (OPENPGP.3 means auth key, while OPENPGP.1
> is signing key, and OPENPGP.2 is decryption key) in the list. In the
> output, 72E8E0D83FF6F53CECEB4ADA4986A1178F28850E is the keygrip.
That's interesting. I actually get OPENPGP.1, OPENPGP.2 and OPENPGP.3
twice, each of them. But they all share the last component.
Is this maybe because I used a different key with my Gnuk before?
> Remove it:
>
> $ rm ~/.gnupg/private-keys-v1.d/72E8E0D83FF6F53CECEB4ADA4986A1178F28850E.key
Since the above-mentioned problem, I went ahead and did
$ cd ~/.gnupg/private-keys-v1.d
$ rm $(fgrep -l shadowed-private)
This still leaves two keys for me, but
$ gpg --list-secret-keys
shows nothing. Weird.
>
> Then, regenerate it by:
>
> $ gpg2 --card-status
>
> You will get new ~/.gnupg/private-keys-v1.d/72E8E0D83FF6F53CECEB4ADA4986A1178F28850E.key
I got those indeed, but it does not help at all:
$ SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh ssh-add -L
error fetching identities for protocol 1: agent refused operation
error fetching identities for protocol 2: invalid format
The agent has no identities.
--
Jonathan
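A small diagnostic for the situation Jonathan describes (every OPENPGP.n slot listed twice, all sharing the same card serial): it parses `gpg-connect-agent "keyinfo --list" /bye` output and reports card slots that are shadowed by more than one keygrip, which points at stale shadow files in private-keys-v1.d. This is an added example, not code from the thread or from GnuPG; the sample output is constructed (only the first keygrip and serial are from the thread, the others are made up) and the KEYINFO field order follows the line quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg-connect-agent "keyinfo --list" /bye` output.
# The first line is the one quoted in the thread; the other keygrips are
# made up. Field order: KEYINFO <grip> <type> <serialno> <idstr> <cached>
# <protection> <fpr> <ttl> <flags>, where type T = shadowed key on a token
# (card) and D = private key stored on disk.
SAMPLE_KEYINFO = """\
S KEYINFO 72E8E0D83FF6F53CECEB4ADA4986A1178F28850E T D276000124010200FFFE872549450000 OPENPGP.3 - - - - -
S KEYINFO 1111111111111111111111111111111111111111 T D276000124010200FFFE872549450000 OPENPGP.3 - - - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK
"""

KEYINFO_RE = re.compile(r"^S KEYINFO (\S+) (\S) (\S+) (\S+)")


def parse_keyinfo(text):
    """Return (keygrip, type, serialno, idstr) for every KEYINFO line."""
    rows = []
    for line in text.splitlines():
        m = KEYINFO_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def find_duplicate_slots(rows):
    """Map (serialno, slot) -> keygrips for card slots claimed by more than
    one shadow key. A non-empty result means several *.key files in
    private-keys-v1.d point at the same card slot; the stale ones should be
    removed and the shadow regenerated with `gpg --card-status`."""
    by_slot = defaultdict(list)
    for grip, ktype, serial, idstr in rows:
        if ktype == "T":  # only card-backed (shadowed) keys have a slot
            by_slot[(serial, idstr)].append(grip)
    return {slot: grips for slot, grips in by_slot.items() if len(grips) > 1}


if __name__ == "__main__":
    for (serial, slot), grips in find_duplicate_slots(parse_keyinfo(SAMPLE_KEYINFO)).items():
        print(f"{slot} on card {serial} is shadowed {len(grips)} times: {', '.join(grips)}")
```

On a real host, feed it the live output of gpg-connect-agent instead of SAMPLE_KEYINFO; each reported keygrip corresponds to ~/.gnupg/private-keys-v1.d/<keygrip>.key.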