Package: gpg-agent
Version: 2.2.40-1
Severity: normal
X-Debbugs-Cc: vagr...@debian.org

I recently switched to a new laptop running bookworm, and started
noticing issues connecting to machines running openssh server 0.9.x
(e.g. running bookworm).

  debug3: authmethod_is_enabled publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: cardno:FFFE 87023833 ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg agent
  debug3: send packet: type 50
  debug2: we sent a publickey packet, wait for reply
  debug3: receive packet: type 60
  debug1: Server accepts key: cardno:FFFE 87023833 ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg agent
  debug3: sign_and_send_pubkey: using publickey-hostbound-...@openssh.com with ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg
  debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg
  sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE 87023833" from agent: agent refused operation
  debug1: Trying private key: /home/vagrant/.ssh/id_rsa
  ...

I would assume that this is some client-side interaction, since the
agent is running locally, but this same setup works fine when connecting
to systems running older versions of openssh server
(e.g. bullseye)... so there is definitely something about the newer
openssh server versions that triggers the issue.

I can also try using my older laptop, which was also running bookworm,
to see if I missed something in the configuration.

The openpgp smartcard is a fairly old gnuk firmware, fwiw.

live well,
  vagrant

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-6-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg-agent depends on:
ii  gpgconf                     2.2.40-1
ii  init-system-helpers         1.65.2
ii  libassuan0                  2.5.5-5
ii  libc6                       2.36-8
ii  libgcrypt20                 1.10.1-3
ii  libgpg-error0               1.46-1
ii  libnpth0                    1.6-3
ii  pinentry-curses [pinentry]  1.2.1-1
ii  pinentry-gnome3 [pinentry]  1.2.1-1

Versions of packages gpg-agent recommends:
ii  gnupg  2.2.40-1

Versions of packages gpg-agent suggests:
ii  dbus-user-session  1.14.6-1
ii  libpam-systemd     252.6-1
ii  pinentry-gnome3    1.2.1-1
ii  scdaemon           2.2.40-1

-- no debconf information
