[pkg-gnupg-maint] Bug#1032907: gpg-agent: "agent refused operation" with openpgp smartcard connecting to openssh-server 9.x
Vagrant Cascadian
vagrant at debian.org
Mon Mar 13 19:44:29 GMT 2023
Package: gpg-agent
Version: 2.2.40-1
Severity: normal
X-Debbugs-Cc: vagrant at debian.org
I recently switched to a new laptop running bookworm, and started
noticing issues connecting to machines running openssh server 0.9.x
(e.g. running bookworm).
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:FFFE 87023833 ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: cardno:FFFE 87023833 ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:SrXM0ACTMy3d2DkLRt/UehScFvN8w+62NoN9/6+u5Kg
sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE 87023833" from agent: agent refused operation
debug1: Trying private key: /home/vagrant/.ssh/id_rsa
...
I would assume that this is some client-side interaction, since the
agent is running locally, but this same setup works fine when connecting
to systems running older versions of openssh server
(e.g. bullseye)... so there is definitely something about the newer
openssh server versions that triggers the issue.
I can also try using my older laptop, which was also running bookworm,
to see if I missed something in the configuration.
The openpgp smartcard is a fairly old gnuk firmware, fwiw.
live well,
vagrant
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-6-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gpg-agent depends on:
ii gpgconf 2.2.40-1
ii init-system-helpers 1.65.2
ii libassuan0 2.5.5-5
ii libc6 2.36-8
ii libgcrypt20 1.10.1-3
ii libgpg-error0 1.46-1
ii libnpth0 1.6-3
ii pinentry-curses [pinentry] 1.2.1-1
ii pinentry-gnome3 [pinentry] 1.2.1-1
Versions of packages gpg-agent recommends:
ii gnupg 2.2.40-1
Versions of packages gpg-agent suggests:
ii dbus-user-session 1.14.6-1
ii libpam-systemd 252.6-1
ii pinentry-gnome3 1.2.1-1
ii scdaemon 2.2.40-1
-- no debconf information