
#1 2015-05-07 08:18:45

c0da
Member
Registered: 2009-08-24
Posts: 12

[SOLVED] Using GPG keys for SSH authentication

For various reasons I would like to use my GPG key for ssh authentication. I've configured my system according to http://www.programmierecke.net/howto/gpg-ssh.html with some differences. The steps I've taken:

1. DSA key creation, 2048 bits long.

2. Instead of creating a separate authentication subkey, I've used an existing one. I've selected option 13 of the addkey dialog when editing keys with gpg --expert --edit-key USERID. My current keyring is in the following state:

$ gpg --expert --edit-key USERID 
gpg (GnuPG) 2.1.3; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  dsa2048/142E5B91
     created: 2015-04-12  expires: 2016-09-05  usage: SC  
     trust: ultimate      validity: ultimate
sub  elg2048/5AED4D49
     created: 2015-04-12  expires: 2016-09-05  usage: E   
sub  dsa2048/F1FB098D
     created: 2015-05-07  expires: 2016-09-30  usage: A   
[ultimate] (1). USERID

3. I've added options to ~/.gnupg/gpg.conf and ~/.gnupg/gpg-agent.conf:

$ grep use-agent ~/.gnupg/gpg.conf
use-agent

$ grep enable-ssh-support ~/.gnupg/gpg-agent.conf 
enable-ssh-support

4. I've added the keygrip of the key F1FB098D to ~/.gnupg/sshcontrol:

$ gpg -K --with-keygrip
/home/mob/.gnupg/pubring.kbx
----------------------------
sec   dsa2048/142E5B91 2015-04-12 [expires: 2016-09-05]
      Keygrip = 91880564C70B2BC5FB4C83D8A0E0D708498150AB
uid       [ultimate] M.Bakhterev <mob@k.imm.uran.ru>
ssb   elg2048/5AED4D49 2015-04-12 [expires: 2016-09-05]
      Keygrip = 8D356D58565CDBF2912A97AAA5D7B5BFF04BBC8D
ssb   dsa2048/F1FB098D 2015-05-07 [expires: 2016-09-30]
      Keygrip = 91880564C70B2BC5FB4C83D8A0E0D708498150AB

mob@kite ~/.gnupg
$ grep 91880564C70B2BC5FB4C83D8A0E0D708498150AB ~/.gnupg/sshcontrol 
91880564C70B2BC5FB4C83D8A0E0D708498150AB

5. Then I've started gpg-agent, and checked the SSH environment variables, and that gpg-agent knew the key:

$ eval $(gpg-agent --daemon) && (set | grep SSH) && ssh-add -l
SSH_AUTH_SOCK=/home/mob/.gnupg/S.gpg-agent.ssh
_='SSH_AUTH_SOCK;'
error fetching identities for protocol 1: agent refused operation
2048 SHA256:UCWCEQKJH0CpBeFktAqG6DQnORuB1UoA/ef+9U29fk8 (none) (DSA)

6. Then I've added the public key, as dumped by ssh-add -L, to the remote ~/.ssh/authorized_keys file:

$ ssh-add -L | ssh REMOTE-LOGIN tee -a .ssh/authorized_keys

7. Then I've allowed only public key SSH authentication on the remote host, tried to log in, and got Permission denied (I've left only the, as I think, relevant part of the whole log):

$ ssh REMOTE-LOGIN -vv
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: (none)
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 829
debug2: input_userauth_pk_ok: fp SHA256:UCWCEQKJH0CpBeFktAqG6DQnORuB1UoA/ef+9U29fk8
debug1: Trying private key: /home/mob/.ssh/id_rsa
debug1: Trying private key: /home/mob/.ssh/id_dsa
debug1: Trying private key: /home/mob/.ssh/id_ecdsa
debug1: Trying private key: /home/mob/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey)

As far as I understand, ssh has found the key and offered it to the server, and the server has accepted it. But... something then went wrong. OK. Here are the messages from the ssh daemon:

May 07 13:10:24 k sshd[28459]: debug1: Client protocol version 2.0; client software version OpenSSH_6.8
May 07 13:10:24 k sshd[28459]: debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
May 07 13:10:24 k sshd[28459]: debug1: Enabling compatibility mode for protocol 2.0
May 07 13:10:24 k sshd[28459]: debug1: Local version string SSH-2.0-OpenSSH_6.8
May 07 13:10:24 k sshd[28459]: debug1: permanently_set_uid: 99/99 [preauth]
May 07 13:10:24 k sshd[28459]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 07 13:10:24 k sshd[28459]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 07 13:10:24 k sshd[28459]: debug1: SSH2_MSG_KEXINIT received [preauth]
May 07 13:10:24 k sshd[28459]: debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com zlib@openssh.com [preauth]
May 07 13:10:24 k sshd[28459]: debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com zlib@openssh.com [preauth]
May 07 13:10:24 k sshd[28459]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
May 07 13:10:24 k sshd[28459]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May 07 13:10:24 k sshd[28459]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
May 07 13:10:24 k sshd[28459]: debug1: SSH2_MSG_NEWKEYS received [preauth]
May 07 13:10:24 k sshd[28459]: debug1: KEX done [preauth]
May 07 13:10:24 k sshd[28459]: debug1: userauth-request for user maintain service ssh-connection method none [preauth]
May 07 13:10:24 k sshd[28459]: debug1: attempt 0 failures 0 [preauth]
May 07 13:10:24 k sshd[28459]: debug1: PAM: initializing for "USER"
May 07 13:10:24 k sshd[28459]: debug1: PAM: setting PAM_RHOST to "193.104.128.155"
May 07 13:10:24 k sshd[28459]: debug1: PAM: setting PAM_TTY to "ssh"
May 07 13:10:24 k sshd[28459]: debug1: userauth-request for user USER service ssh-connection method publickey [preauth]
May 07 13:10:24 k sshd[28459]: debug1: attempt 1 failures 0 [preauth]
May 07 13:10:24 k sshd[28459]: debug1: test whether pkalg/pkblob are acceptable [preauth]
May 07 13:10:24 k sshd[28459]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
May 07 13:10:24 k sshd[28459]: debug1: trying public key file /USER/.ssh/authorized_keys
May 07 13:10:24 k sshd[28459]: debug1: fd 5 clearing O_NONBLOCK
May 07 13:10:24 k sshd[28459]: debug1: matching key found: file /USER/.ssh/authorized_keys, line 3 DSA SHA256:UCWCEQKJH0CpBeFktAqG6DQnORuB1UoA/ef+9U29fk8
May 07 13:10:24 k sshd[28459]: debug1: restore_uid: 0/0
May 07 13:10:24 k sshd[28459]: Postponed publickey for USER from 193.104.128.155 port 54673 ssh2 [preauth]
May 07 13:10:24 k sshd[28459]: Connection closed by 193.104.128.155 [preauth]
May 07 13:10:24 k sshd[28459]: debug1: do_cleanup [preauth]
May 07 13:10:24 k sshd[28459]: debug1: monitor_read_log: child log fd closed
May 07 13:10:24 k sshd[28459]: debug1: do_cleanup
May 07 13:10:24 k sshd[28459]: debug1: PAM: cleanup
May 07 13:10:24 k sshd[28459]: debug1: Killing privsep child 28460

As to my understanding, the key was found and it was successfully matched, but then the client has just dropped the connection. Why? What is wrong with my setup?

Thanks in advance for any help.

Last edited by c0da (2015-05-09 08:13:37)


#2 2015-05-09 08:13:16

c0da
Member
Registered: 2009-08-24
Posts: 12

Re: [SOLVED] Using GPG keys for SSH authentication

The problem was in the DSA key size. 2048 bits is too long for the GPG/SSH combination.

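The `2048` in the `ssh-add -l` line earlier in the thread is the bit length of the DSA prime p. RFC 4253 defines `ssh-dss` with a 1024-bit p and a 160-bit q (SHA-1 signatures), which is consistent with the server accepting the key blob while the client never sends the signed packet. As an added example (not code from the thread), this Python parses an `ssh-dss` line in the format `ssh-add -L` prints and reports whether the parameter sizes match that definition; the two sample key lines are constructed from placeholder numbers of the right bit lengths and are not real keys.

```python
import base64
import struct

def _read_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n

def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    # Minimal positive mpint: a leading 0x00 byte only when the top bit would be set.
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_ssh_dss(line):
    """Parse an OpenSSH 'ssh-dss <base64> [comment]' line (as printed by ssh-add -L).
    Returns the bit lengths of p, q, g, y and whether the sizes match the ssh-dss
    definition in RFC 4253 (1024-bit p, 160-bit q, SHA-1 signatures)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-dss":
        raise ValueError("not an ssh-dss key line")
    blob = base64.b64decode(parts[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-dss":
        raise ValueError("blob type mismatch: %r" % keytype)
    info = {}
    for name in ("p", "q", "g", "y"):
        raw, off = _read_string(blob, off)
        info[name] = int.from_bytes(raw, "big").bit_length()
    if off != len(blob):
        raise ValueError("trailing bytes after y")
    info["ssh_compatible"] = info["p"] == 1024 and info["q"] == 160
    return info

def make_dss_line(p, q, g, y, comment):
    """Build an authorized_keys-style ssh-dss line from raw parameters (fixture only)."""
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    return "ssh-dss %s %s" % (base64.b64encode(blob).decode("ascii"), comment)

# Constructed fixtures: placeholder numbers with the right bit lengths, not real keys.
DSA_2048_256 = make_dss_line((1 << 2047) | 1, (1 << 255) | 1, 2, 3, "constructed-2048")
DSA_1024_160 = make_dss_line((1 << 1023) | 1, (1 << 159) | 1, 2, 3, "constructed-1024")
```

Run `parse_ssh_dss` over each line of `ssh-add -L` to see why a key that the agent lists and the server matches still cannot finish authentication.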
