I am using GPG4Win with an OpenPGP V3.3 card.
It works great to authenticate with PuTTY out of the box.
But if I want to use a command-line-based SSH client, it fails and I don't understand why.
According to this guide
https://developers.yubico.com/PGP/SSH_authentication/Windows.html
I have created the config file %APPDATA%\gnupg\gpg-agent.conf
and added:
enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
Then I restarted the agent with
gpg-connect-agent killagent /bye
gpg-connect-agent /bye
Still, it only works in PuTTY!
What I have also tried is getting the socket with:
gpgconf --list-dirs agent-socket
C:\Users\MYUSER\AppData\Roaming\gnupg\S.gpg-agent
and then starting the ssh client with an extra parameter that points to that socket
ssh -o IdentityAgent=C:\Users\MYUSER\AppData\Roaming\gnupg\S.gpg-agent -v MYUSER@MYIP
But then I just get an error "pubkey_prepare: ssh_fetch_identitylist: invalid format":
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to MYIP [MYIP] port 22.
debug1: Connection established.
debug1: identity file C:\Users\MYUSER/.ssh/id_rsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_rsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_dsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_dsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ecdsa type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ed25519 type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_ed25519-cert type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_xmss type -1
debug1: identity file C:\Users\MYUSER/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to MYIP:22 as 'MYUSER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nqOH8DL2rmSC/Tysvz6dbZJcJ1i3f05gGsbvgg0G0v8
debug1: Host 'MYIP' is known and matches the ECDSA host key.
debug1: Found key in C:\Users\MYUSER/.ssh/known_hosts:2
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_fetch_identitylist: invalid format
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_rsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_dsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_ecdsa
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_ed25519
debug1: Will attempt key: C:\Users\MYUSER/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_rsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_dsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_ecdsa
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_ed25519
debug1: Trying private key: C:\Users\MYUSER/.ssh/id_xmss
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
I also tried:
C:\Users\MYUSER>gpgconf --launch gpg-agent --enable-ssh-support
But that just prints:
gpgconf: Note: '--enable-ssh-support' is not considered an option
gpg --list-secret-keys
properly shows my hardware key, and no reason why it wouldn't work from the command line is visible.
I am already pretty desperate. How can I make sure that the gpg agent is properly reading and has applied the settings from my gpg-agent.conf? How can I use command-line applications with it and not just PuTTY?
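The two questions at the end of the post (is gpg-agent actually applying gpg-agent.conf, and what does a command-line client get when it opens the agent socket) can be answered with tools Gpg4win already ships. The following PowerShell script is an added example, not part of the original post or of the Yubico guide it links. It assumes gpgconf.exe and gpg-connect-agent.exe are on PATH, that the agent reads %APPDATA%\gnupg\gpg-agent.conf, and PowerShell 5.1 or later. The option-check loop also asks about enable-win32-openssh-support, which the GnuPG 2.4 gpg-agent manual documents for serving the Win32-OpenSSH named pipe; whether it exists depends on the GnuPG version bundled with the installed Gpg4win, so the script reports it as unknown rather than assuming it.

```powershell
# Added diagnostic script, not from the original post or the Yubico guide.
# Assumptions: Gpg4win's gpgconf.exe and gpg-connect-agent.exe are on PATH,
# the agent reads %APPDATA%\gnupg\gpg-agent.conf, and this runs in PowerShell 5.1+.

$ErrorActionPreference = 'Stop'
$conf = Join-Path $env:APPDATA 'gnupg\gpg-agent.conf'
Write-Host "Config file: $conf"
Get-Content $conf | ForEach-Object { "    $_" }

# 1. Let gpgconf parse the file the way gpg-agent will. A misspelled option or a
#    stray character makes this exit non-zero and name the offending line.
gpgconf --check-options gpg-agent
if ($LASTEXITCODE -ne 0) { throw "gpg-agent.conf did not pass gpgconf --check-options" }

# 2. Restart the agent so the file is re-read (the same two commands as in the post).
gpg-connect-agent killagent /bye | Out-Null
gpg-connect-agent /bye | Out-Null

# 3. Ask gpgconf which option values are in effect. Each output line is colon-separated:
#    name:flags:level:description:type:alt-type:argname:default:argdef:value
#    The last field is the value read from gpg-agent.conf (1 for a set flag such as
#    enable-ssh-support, the number for the TTLs, empty if the option is not set).
$header = 'name','flags','level','desc','type','alttype','argname','default','argdef','value'
$opts = gpgconf --list-options gpg-agent | ConvertFrom-Csv -Delimiter ':' -Header $header
$wanted = 'enable-ssh-support','enable-putty-support','default-cache-ttl','max-cache-ttl',
          'enable-win32-openssh-support'   # only present in newer GnuPG; reported if missing
foreach ($name in $wanted) {
    $o = $opts | Where-Object { $_.name -eq $name }
    if ($null -eq $o) { "{0,-30} not an option in this GnuPG version" -f $name }
    else              { "{0,-30} value=[{1}]" -f $name, $o.value }
}

# 4. Ask the running agent itself where its sockets are. With enable-ssh-support the
#    ssh-agent protocol is served on S.gpg-agent.ssh, a different path from S.gpg-agent.
gpg-connect-agent 'getinfo socket_name' 'getinfo ssh_socket_name' /bye

# 5. Inspect what the SSH "socket" is on disk. On Windows, GnuPG has traditionally
#    emulated Unix sockets with a small regular file holding a local TCP port and a
#    nonce; a client that opens that path expecting a real socket reads this file instead.
$sshSock = gpgconf --list-dirs agent-ssh-socket
Get-Item $sshSock | Select-Object FullName, Length, LastWriteTime
```

Run it from a normal PowerShell prompt after editing the config. If step 1 passes and step 3 prints value=[1] for enable-ssh-support and the expected numbers for the TTLs, the agent is reading and applying gpg-agent.conf, and the remaining problem lies between the SSH client and the agent transport rather than in the configuration. Step 4 also shows that the path to hand to an SSH client is the one reported for ssh_socket_name (agent-ssh-socket), not the S.gpg-agent path that the IdentityAgent attempt in the post used.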