Can't login to SSH with OpenPGP card

I am using GPG4Win with a OpenPGP V3.3 card.
It works great to authenticate with Putty out of the box.
But If I want to use command line based SSH client it fails and I don’t understand why.

According to this guide
https://developers.yubico.com/PGP/SSH_authentication/Windows.html
I have created the config file %APPDATA%\.gnupg\gpg-agent.conf
and added:
enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

Then I restarted the agent with
gpg-connect-agent killagent /bye
gpg-connect-agent /bye

Still it only works in Putty!

What I have also tried is getting the socket with:
gpgconf --list-dirs agent-socket
C:\Users\MYUSER\AppData\Roaming\gnupg\S.gpg-agent

and then starting the ssh client with an extra parameter that points to that socket
ssh -o IdentityAgent=C:\Users\MYUSER\AppData\Roaming\gnupg\S.gpg-agent -v MYUSER@MYIP

But then I just get an error "pubkey_prepare: ssh_fetch_identitylist: invalid format"

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to MYIP [MYIP] port 22.
debug1: Connection established.
debug1: identity file C:\Users\MYUSER/.ssh/id_rsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_rsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_dsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_dsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ecdsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ed25519 type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ed25519-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_xmss type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to MYIP:22 as 'MYUSER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nqOH8DL2rmSC/Tysvz6dbZJcJ1i3f05gGsbvgg0G0v8
debug1: Host 'MYIP' is known and matches the ECDSA host key.
debug1: Found key in C:\Users\MYUSER/.ssh/known_hosts:2
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_fetch_identitylist: invalid format
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_rsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_dsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_ecdsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_ed25519
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_rsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_dsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_ecdsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_ed25519
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_xmss
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory

I also tried C:\Users\MYUSER>gpgconf --launch gpg-agent --enable-ssh-support
But that just prints:
gpgconf: Note: '--enable-ssh-support' is not considered an option

gpg --list-secret-keys
properly shows my hardware key, and no reason why it wouldn't work from the command line is visible.

I am already pretty desperate. How can I make sure that the gpg-agent is properly reading and has applied the settings from my gpg-agent.conf? How can I use command line applications with it and not just Putty?

Hi,
the next diagnostic step I'd take would be to use the options "verbose" and "log-file C:\somewhere\gpg-agent.log" to see more.

Then add "debug" options to see even more.

Best Regards,
Bernhard
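The following PowerShell script is an added example for the diagnostic step above; it is not code from this thread, from GnuPG or from Gpg4win. It writes the options from the question plus verbose, log-file and a debug-level into %APPDATA%\gnupg\gpg-agent.conf, restarts the agent, and then asks the running agent (via gpgconf --list-options and gpg-connect-agent) which options it actually has, which answers the "did it read my file" question directly instead of guessing. It assumes Gpg4win's gpgconf and gpg-connect-agent are on PATH; the log path C:\Temp\gpg-agent.log is an arbitrary choice.

```powershell
# Added example (not from the thread, GnuPG or Gpg4win): enable gpg-agent
# diagnostics, restart the agent, and verify from the running agent that
# gpg-agent.conf was read. Assumes gpgconf/gpg-connect-agent are on PATH.
$ErrorActionPreference = 'Stop'

$confDir = Join-Path $env:APPDATA 'gnupg'          # %APPDATA%\gnupg, no leading dot
$conf    = Join-Path $confDir 'gpg-agent.conf'
$logFile = 'C:\Temp\gpg-agent.log'                 # arbitrary; any writable path works
New-Item -ItemType Directory -Force -Path $confDir, (Split-Path $logFile) | Out-Null

# The options from the question plus the diagnostics suggested in the reply.
@"
enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
verbose
log-file $logFile
debug-level advanced
"@ | Set-Content -Path $conf -Encoding ASCII

# A running agent keeps the options it started with, so restart it.
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

# gpgconf --list-options prints one colon-separated record per option:
# name:flags:level:description:type:alt-type:argname:default:argdef:value
# The tenth field is the value the agent's configuration currently has;
# an empty value for an option you put in the file means the file was not read.
$records = gpgconf --list-options gpg-agent
foreach ($name in 'enable-putty-support', 'enable-ssh-support', 'verbose', 'log-file') {
    $rec   = $records | Where-Object { $_ -like "${name}:*" } | Select-Object -First 1
    $value = if ($rec) { ($rec -split ':')[9] } else { $null }
    $state = if ($value) { "set ($value)" } else { 'NOT SET - conf file not applied' }
    Write-Host ("{0,-22} {1}" -f $name, $state)
}

# Ask the agent itself which sockets it serves. These are the paths to compare
# against whatever you hand to ssh's IdentityAgent option.
gpgconf --list-dirs agent-socket
gpgconf --list-dirs agent-ssh-socket
gpg-connect-agent 'getinfo version' 'getinfo ssh_socket_name' /bye

# Now run the ssh client (e.g. ssh -o IdentityAgent=<path> -v USER@HOST) and
# read the agent's side of the exchange in its log.
Get-Content -Path $logFile -Tail 20
```

If the loop reports every option as set but the log shows no connection attempt at all when ssh runs, the client never reached the agent; the socket file path gpgconf prints on Windows is not something the Windows ssh client can open as an agent socket (it is a file that GnuPG's socket emulation uses to find a local TCP port), so the problem lies between ssh and the agent, not in the configuration file.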

Just to provide an update about this:

  1. The Yubikey documentation is wrong. The config file has to be put into %APPDATA%\gnupg\ on Windows (without any dot).

  2. Even if you put the config file in the right directory as per #1 it still won’t work.
    gpg-connect-agent is completely broken under Windows:
    https://dev.gnupg.org/T4979
    https://dev.gnupg.org/T3883

  3. There is a fix for 2. that wraps the socket in a windows named pipe available here:
    https://github.com/btolfa/pipe-ssh-pageant

And the software that you actually want to use instead of winpgp is this one:
https://github.com/rupor-github/win-gpg-agent
Everything works instantly out of the box.

This works now out of the box with rupor-github/win-gpg-agent
ssh -o IdentityAgent=\\.\pipe\openssh-ssh-agent -v USER@IP
or just simply use ssh USER@IP

Summary:
I hope this is useful for somebody else with the same problem. And you don’t waste hours on winpgp not working. I know this is a volunteer effort, but the amount of annoyance this software caused me together with the poor documentation both from the project itself and from yubikey, and the limited ways to introspect what’s actually going on when I just wanted to use something simple like this is actually aggravating.

Hi Markus,
thank you very much for your report!

(I’ve linked it now from https://dev.gnupg.org/T3883 so hopefully more people find this.)

Sorry that you had so much trouble getting this to work!

To give some background from my perspective:
Gpg4win and GnuPG do have some paid development resources, but it is not enough to cover all potential use cases. (Right now there is even a lack of people; both g10code and Intevation are currently looking to fill positions: https://gnupg.com/20210802-stellenanzeige.html and https://intevation.de/jobs/20210624-gpg4win-techsupport/ (both in German).)

GnuPG is designed in a way that many uses are possible, and because it is Free Software, people get ideas and try things. This is a very good thing! However, it has the downside that not all features or combinations of components for special use cases are supported equally well. And this is hard to document, as some very technical folks get it to work where for others it is almost impossible.

Best Regards,
Bernhard