Hi everyone,

I have the following setup: GPG Key (3 subkeys, one of which is for authentication) on a YubiKey and GPG Agent with SSH Agent support accessing that key to authenticate myself on remote servers.

Now, in our organization we use SSH Host Certificates signed by a central Service for easier trust handling. SSH auth did work well as I was always used to, until we updated our VMs to Ubuntu 24.04. The SSH Hostkey registration process did not change and password login was still possible; however, I now got "GPG Agent error" and an aborted and failed signing process when using my SSH Key.

After some debugging of the gpg-agent and scdaemon I found that the data the ssh service wants to have signed for authentication increased drastically in length between 20.04 and 24.04 (why, I did not investigate). Now it was over 500 bytes, which then lets the check in agent/call-scd.c line 503 [1] fail, as the ASSUAN_LINELENGTH defined in assuan.h is only 1002.

Has anyone else encountered such a problem before? I did not really find anyone else with a similar problem on the internet.

Just to test it locally I adapted and compiled libassuan myself, bumping the aforementioned value to 2002, recompiled the gnupg package and got it to work again. This is, however, just an intermediate solution as this obviously breaks my normal system's packaging and update process.

Does anyone know if there is a reason for this value to be arbitrarily at 1000, especially since it is smaller than the length of data some systems (e.g. ssh) may request to sign? If not, could the ASSUAN_LINELENGTH be increased in future releases?

Cheers,
Michael

[1] For anyone not willing to look up the code:

    if (indatalen*2 + 50 > DIM(line))
        return unlock_scd (ctrl, gpg_error (GPG_ERR_GENERAL));

--
Michael Oberrauch
Systemgruppe IT Operations
School of Computation, Information, and Technology
Technische Universität München
Boltzmannstr. 3
85748 Garching b. München
Deutschland
https://cit.tum.de
oberr...@cit.tum.de
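The size limit described in the message above, worked through as an added example that is not part of the original post and is not GnuPG's code. It assumes the data is written as hex after a `SETDATA ` command word, which is what the factor 2 in the quoted check suggests; `max_signable_len`, `build_setdata_line` and `probe` are hypothetical names, and the payload is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Line sizes from the post: the stock value and the locally patched one. */
#define STOCK_LINELENGTH   1002
#define PATCHED_LINELENGTH 2002

/* Largest indatalen that passes "indatalen*2 + 50 > DIM(line)". */
static size_t max_signable_len(size_t linelen)
{
    return linelen < 50 ? 0 : (linelen - 50) / 2;
}

/* Model of the guarded step (assumed layout): reject data that cannot fit,
   otherwise write "SETDATA " plus the data as hex into line.
   Returns the command line length, or -1 when the guard rejects. */
static int build_setdata_line(const unsigned char *indata, size_t indatalen,
                              char *line, size_t linelen)
{
    static const char hexdigits[] = "0123456789ABCDEF";
    size_t i, pos;

    if (indatalen * 2 + 50 > linelen)   /* same condition as quoted in [1] */
        return -1;
    strcpy(line, "SETDATA ");
    pos = strlen(line);
    for (i = 0; i < indatalen; i++) {
        line[pos++] = hexdigits[indata[i] >> 4];
        line[pos++] = hexdigits[indata[i] & 0x0f];
    }
    line[pos] = '\0';
    return (int)pos;
}

/* Run the model on a constructed n-byte payload; -2 means out of model range. */
static int probe(size_t n, size_t linelen)
{
    unsigned char blob[1024];
    char line[PATCHED_LINELENGTH];

    if (n > sizeof blob || linelen > sizeof line)
        return -2;
    memset(blob, 0xA5, n);
    return build_setdata_line(blob, n, line, linelen);
}

int main(void)
{
    printf("stock limit %zu bytes, patched limit %zu bytes\n",
           max_signable_len(STOCK_LINELENGTH), max_signable_len(PATCHED_LINELENGTH));
    printf("520 bytes: stock %d, patched %d\n",
           probe(520, STOCK_LINELENGTH), probe(520, PATCHED_LINELENGTH));
    return 0;
}
```

With the stock line size the guard accepts at most 476 bytes of data to sign, which is why a request of over 500 bytes fails until the line size is raised.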