Hello,

It seems I found a bug in the Yubikey's ed25519 key support. Long story short:

* Generate an ed25519 GnuPG key and 3 subkeys
* Generate an ed25519 SSH key pair (SSH authority)
* Generate an SSH certificate by signing your public key (from GnuPG) with your SSH authority

=> When deploying the SSH authority's public key in authorized_keys on a server (with a leading cert-authority), you can log in with your SSH certificate + private key.

Now, move the 3 subkeys to the Yubikey (5.2.6 firmware here).

=> You can't log in anymore, with the message:

sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/id_ed25519": agent refused operation

To me, it seems the Yubikey is lacking (or has a buggy) signing operation for ed25519 keys. I've not been able to debug any deeper; it's beyond my understanding. Setting the ed25519 public key directly inside the authorized_keys file works like a charm. It could also be at the scdaemon or gpg-agent level.

Has anyone already encountered this error? I'm probably the only one in the world to try using an ed25519 SSH cert authority with SSH keys on a Yubikey ;-)

Thanks for your advice!

Julien

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
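A first diagnostic step for the failure described in this post is to confirm that the key embedded in the certificate is exactly the key gpg-agent exposes for the card (compare `id_ed25519-cert.pub` with the output of `ssh-add -L`); an "agent refused operation" is easier to interpret once a plain key mismatch has been ruled out. The following is an added Python example, not code from the original post: it decodes the OpenSSH ed25519 certificate wire format (as documented in OpenSSH's PROTOCOL.certkeys) and compares the embedded key against agent output. The certificate and keys below are constructed fixtures carrying a dummy, unverified signature, and the `cardno:` comment is a placeholder.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):                                  # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

class _Reader:                              # sequential decoder for SSH wire-format blobs
    def __init__(self, blob):
        self.blob, self.pos = blob, 0
    def u(self, fmt):                       # fixed-width uint32 (">I") or uint64 (">Q")
        self.pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, self.blob, self.pos - struct.calcsize(fmt))[0]
    def s(self):                            # one length-prefixed string
        n = self.u(">I"); self.pos += n
        return self.blob[self.pos - n:self.pos]
    def strings(self):                      # every remaining string (e.g. a principal list)
        out = []
        while self.pos < len(self.blob):
            out.append(self.s())
        return out

def build_cert(pk, key_id, principals, ca_pk):   # constructed fixture with a dummy CA signature
    body = (_s(CERT_TYPE) + _s(bytes(32)) + _s(pk) + struct.pack(">QI", 1, 1)  # nonce, serial, type=user
            + _s(key_id) + _s(b"".join(_s(p) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") * 3   # validity; critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pk))               # signature key (the CA)
            + _s(_s(b"ssh-ed25519") + _s(bytes(64))))          # signature (dummy, never verified here)
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} constructed-cert"

def parse_cert(line):   # fields of an id_ed25519-cert.pub line; structure only, no signature check
    r = _Reader(base64.b64decode(line.split()[1]))
    if r.s() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.s()                                                      # nonce
    c = {"pk": r.s(), "serial": r.u(">Q"), "type": r.u(">I"), "key_id": r.s(),
         "principals": _Reader(r.s()).strings(),
         "valid_after": r.u(">Q"), "valid_before": r.u(">Q")}
    r.s(); r.s(); r.s()                                        # critical options, extensions, reserved
    c["ca_pk"] = _Reader(r.s()).strings()[1]                   # signature key blob = [type, CA key]
    return c

def agent_line(pk, comment="cardno:placeholder"):   # one key as `ssh-add -L` prints it
    return f"ssh-ed25519 {base64.b64encode(_s(b'ssh-ed25519') + _s(pk)).decode()} {comment}"

def cert_key_in_agent(cert_line, agent_output):   # is the cert's embedded key one the agent offers?
    pk = parse_cert(cert_line)["pk"]
    keys = [ln.split() for ln in agent_output.splitlines()]
    return any(p[0] == "ssh-ed25519" and _Reader(base64.b64decode(p[1])).strings()[1] == pk
               for p in keys if len(p) >= 2)
```

On a real setup, feed `parse_cert` the contents of `id_ed25519-cert.pub` and `cert_key_in_agent` the output of `ssh-add -L` after the card is inserted; a `False` result means the certificate was issued for a key the agent no longer presents, which is a different problem from the card refusing to sign.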