Hi all!
I recently found a problem when using OpenPGP cards with gpg-agent in combination with ssh/sshd. Technical details follow:

--- snip -----------------------
> gpg-agent --version
gpg-agent (GnuPG) 2.0.0
--- snip -----------------------
> rpm -qf `which ssh-add`
openssh-3.9p1-12.10
--- snip -----------------------
> ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
--- snip -----------------------
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
--- snip -----------------------

OK. Connecting to the remote via:

> ssh -vvvvi ~/.ssh/id_dsa remote_host

works perfectly (no card involved) but:

> ssh -vvvv remote_host

tries to use the card and results in:

--- snip -----------------------
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
--- snip -----------------------

and the log on the remote machine explains this abrupt connection loss:

--- snip -----------------------
Dec 5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative numbers not supported
Dec 5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative numbers not supported
--- snip -----------------------

The last snippet shows what's going on in gpg-agent:

--- snip -----------------------
[client at fd 4 connected]
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 gestartet
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) started
4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon established (reusing)
[client at fd 5 connected]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $AUTHKEYID
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $AUTHKEYID OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR SERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S SERIALNO my_serial_info
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- READKEY OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> [ xx xx...(all bytes skipped) ]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $DISPSERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $DISPSERIALNO the_displayable_serialno
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) ready
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- RESTART
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 beendet
--- snip -----------------------

So gpg-agent in conjunction with this ssh version might deliver invalid data to the waiting ssh daemon. I found nothing particular on the mentioned bignum package in sshd though... :-(

Does anybody know what's going on with OpenPGP card authentication? Werner?
:-)

Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512
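Added example, not part of the original post or of GnuPG/OpenSSH code: in the SSH wire format (RFC 4251) an mpint is two's complement, so a positive integer whose first byte has the high bit set must carry a leading zero byte, and the sshd message quoted above is what a reader that refuses negative mpints reports otherwise. The sketch below checks an ssh-rsa public key blob for that condition; the function names and the toy key values are constructed for illustration, and whether the agent's blob actually had this defect is not established by the post.

```python
import struct

def read_string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (data, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_mpint(value):
    """Encode a non-negative integer as an RFC 4251 mpint."""
    if value < 0:
        raise ValueError("only non-negative values are handled here")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw

def check_rsa_blob(blob):
    """List the mpints in an ssh-rsa key blob that a strict reader rejects."""
    algo, off = read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    problems = []
    for name in ("e", "n"):  # ssh-rsa blob order: exponent, then modulus
        raw, off = read_string(blob, off)
        if raw and raw[0] & 0x80:
            problems.append((name, "high bit set, reads as negative"))
    if off != len(blob):
        problems.append(("blob", "trailing bytes"))
    return problems

# Constructed sample values (toy sizes, not a real key).
E, N = 65537, 0xC5A1F00D
HEADER = struct.pack(">I", 7) + b"ssh-rsa"
GOOD_BLOB = HEADER + encode_mpint(E) + encode_mpint(N)
# Same modulus written without the leading zero byte.
BAD_BLOB = HEADER + encode_mpint(E) + struct.pack(">I", 4) + N.to_bytes(4, "big")

if __name__ == "__main__":
    print("good:", check_rsa_blob(GOOD_BLOB))
    print("bad: ", check_rsa_blob(BAD_BLOB))
```

To check a real key, base64-decode the second field of a line printed by `ssh-add -L` and pass the bytes to `check_rsa_blob`.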