
I have a Yubikey which has ed25519 certificates loaded onto it. One of these is an authentication certificate. I'm able to export the SHA hash of this by running gpg --export-ssh-key {key_id}, and running gpg-connect-agent readkey {keygrip} seems to export the public key as I would expect, so I think it's running properly. I've enabled verbose debugging and logging in the gpg agent but I'm not seeing much of anything there, even when I run commands from the connect agent.

I have the Windows OpenBSD ssh agent running, and it doesn't seem to want to communicate with the gpg agent, and I can't get any debug information out of it. I am at a dead end here and don't know where to go. I have followed this guide https://developers.yubico.com/PGP/SSH_authentication/Windows.html and have tried several gpg versions, but I'm starting to think this may be an issue with the Windows ssh agent.

2 Answers

"windows openbsd ssh agent running, and it doesn't seem to want to communicate with the gpg agent"

That's normal; ssh-agent never communicates with gpg-agent at all.

The way it's supposed to work is that gpg-agent pretends to be ssh-agent – it exports a separate socket that is compatible with the ssh-agent protocol, and your $SSH_AUTH_SOCK tells the ssh client to directly speak with gpg-agent (emulating ssh-agent), while the actual ssh-agent process remains completely unused.

But current GnuPG versions only support doing this on Unix-like systems and not on Windows. Support[1] for emulating the Windows OpenSSH ssh-agent was added literally 3 days ago at the time of writing this post, and will be available in the next GnuPG release. (Since the most recent release was also 3 days ago, you'll have to wait a few months for the next one.)

I would suggest a more direct approach: obtain the Yubikey PKCS#11 module (libykcs11.dll) from yubico-piv-tool and configure it in your ~/.ssh/config as PKCS11Provider. This lets the OpenSSH client directly talk to the key's PIV applet and removes the need for either gpg-agent or ssh-agent.


[1] Because Windows historically lacked AF_UNIX sockets (until 2016), it's kind of a mess and different programs choose different alternatives – e.g. the native Microsoft port of OpenSSH uses named pipes (which are similar to, yet not exactly like, AF_UNIX sockets) whereas the Cygwin port of OpenSSH uses loopback TCP, and so on.

Adding to the complexity is that Microsoft's OpenSSH port – for unknown reasons – uses a system-wide ssh-agent that holds all users' keys (distinguishing them by caller's UID), unlike the regular approach of each user having their own ssh-agent instance. This might actually be a problem for GnuPG, whose gpg-agent isn't designed to work like that and just assumes that all clients are the same user. (Hopefully you only have one user account on your computer!)

  • Thank you very much for your response, this helps a lot. I think I read that the windows Open SSH client is getting fido support or something? I am the only user on my computer. So as I understand, I should not be running the windows ssh agent if I'm trying to use my GPG keys? Part of the confusion is I was using this github.com/rupor-github/win-gpg-agent and when that was running, gpg-add -l started to list both my GPG and PIV keys but I had no idea how it was doing that. Additionally, the hash on the gpg key was different from what gpg itself was giving me.
    – Desultory
    Commented Oct 17, 2022 at 12:17
  • That's probably normal, as GnuPG's scdaemon gained support for PIV smartcards a while ago (don't forget that GnuPG also does S/MIME via gpgsm, it's not just PGP). On a Yubikey it'll talk to both PGP and PIV smartcard applets if they're available. (And the "keygrip" it shows is calculated against the public key's gcrypt internal format – not against the whole certificate, either – so it's likely to be different from a standard fingerprint.)
    Commented Oct 17, 2022 at 12:42
  • If you want SSH to use keys that are stored in the Yubikey's OpenPGP applet, then you need gpg-agent to emulate an ssh agent (and the real ssh-agent needs to be disabled). On the other hand, if you want to SSH using keys from the PIV applet, then replacing ssh-agent seems like needless complexity and the same could be done easier via PKCS#11 support.
    Commented Oct 17, 2022 at 12:43
  • Thanks for the info, I've been working on this and still can't get it to work. I'm trying to use PIV or FIDO and, for starters, it's not clear how I'm supposed to get the hash of my PIV cert for SSH auth. I'm able to see some RSA key when I run ssh-keygen -D libykcs11.dll -e, which doesn't make sense to me. The Yubikey PIV ssh guide also seems to want you to create a new ssh certificate and import it into the same slot? Maybe I'm missing something, but doesn't this overwrite the key? developers.yubico.com/PIV/Guides/PIV_Walk-Through.html The documentation doesn't explain it well.
    – Desultory
    Commented Oct 17, 2022 at 14:36

The changes mentioned in the currently accepted answer are now part of GPG 2.40.0 and Gpg4Win 4.1.0. It's not yet documented, and rather complicated, but it can be done. Tested using a GPG authentication subkey loaded onto a YubiKey (which is probably the worst case scenario).

Assuming Gpg4Win is installed and on the PATH, and Windows OpenSSH is to be used:

  1. Navigate to the directory %APPDATA%\gnupg\gpg-agent.conf or create the file, and set the following config:
       enable-ssh-support
       enable-win32-openssh-support
  2. Hit Windows+R and enter services.msc, then scroll down to "OpenSSH Authentication Agent". This default agent will be replaced by GPG, so double-click it, change "Startup Type" to Disabled, and click "Stop". Click Ok and close the windows. (pulled from 1Password configuration)
  3. Open the directory %HOME%\.ssh and paste the public SSH key file, which you can retrieve with gpg --export-ssh-key <key_id>.
  4. Create a shortcut to start the gpg-agent on boot. Place the shortcut in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; the target should be the below:
       "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye
  5. Restart the gpg-agent:
       gpg-connect-agent killagent /bye
       gpg-connect-agent /bye
  6. Configure SSH and GPG as per usual: setup .ssh\config, add GPG keys, etc.

If you're using Git for Windows, a few extra changes are needed. It packages its own installations of SSH (not the Windows client) and GPG (which, as of 2023-02-07, is not running the latest version).

  • Open your gitconfig (either %HOME%\.gitconfig or within a repo)
    • Set GPG to use Gpg4Win:
        git config gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"
    • Set SSH to use the Windows OpenSSH client:
        git config core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe"
  • Open %HOME%\.bash_profile or create the file, and set the GPG home directory by appending this to the end:
        export GNUPGHOME=$APPDATA/gnupg

Set any GPG signing or connection keys, then restart the gpg-agent as in step 5.

  • This works perfectly and should be the accepted answer.
    – nsg
    Commented Jun 11, 2023 at 22:57
  • Hi, in my case it worked the same but instead of step 3 I added my keygrip into the sshcontrol file
    Commented Oct 2, 2023 at 14:18
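The setup steps from the second answer (gpg-agent.conf, disabling the stock OpenSSH Authentication Agent, exporting the public key, restarting gpg-agent), collected into one PowerShell script as an added example; this is not code from the answer's author or from GnuPG. It assumes Gpg4Win 4.1+ with gpg, gpg-connect-agent and ssh-add on the PATH, an elevated shell for the service change, and uses <key_id> as a placeholder for your own authentication key id; the named-pipe check at the end assumes the pipe name Microsoft's OpenSSH port uses.

```powershell
# Added example: automates the Gpg4Win + Windows OpenSSH agent setup from the answer.
# Assumes GnuPG 2.4.0+ (Gpg4Win 4.1+), tools on PATH, and an elevated shell for step 2.
$KeyId = '<key_id>'   # placeholder: id of your GPG authentication (sub)key

# 1. gpg-agent.conf: enable ssh-agent emulation plus the Win32-OpenSSH named-pipe variant.
$GnupgHome = Join-Path $env:APPDATA 'gnupg'
New-Item -ItemType Directory -Path $GnupgHome -Force | Out-Null
$Conf = Join-Path $GnupgHome 'gpg-agent.conf'
$Wanted = @('enable-ssh-support', 'enable-win32-openssh-support')
$Existing = if (Test-Path $Conf) { Get-Content $Conf } else { @() }
foreach ($line in $Wanted) {
    # Append only the options that are not already present, so re-running is safe.
    if ($Existing -notcontains $line) { Add-Content -Path $Conf -Value $line }
}

# 2. The built-in OpenSSH Authentication Agent (service name ssh-agent) would own the
#    same named pipe, so stop it and keep it from starting at boot.
$svc = Get-Service -Name 'ssh-agent' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'ssh-agent' }
    Set-Service -Name 'ssh-agent' -StartupType Disabled
}

# 3. Export the public half of the authentication key into ~/.ssh for later use
#    (authorized_keys on servers, or comparing against what ssh-add reports).
$SshDir = Join-Path $env:USERPROFILE '.ssh'
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
gpg --export-ssh-key $KeyId |
    Set-Content -Path (Join-Path $SshDir 'id_gpg.pub') -Encoding ascii

# 4. Restart gpg-agent so it re-reads gpg-agent.conf and creates the emulated agent pipe.
gpg-connect-agent killagent /bye | Out-Null
gpg-connect-agent /bye | Out-Null

# 5. Sanity check: the emulation should expose the pipe Win32-OpenSSH clients look for
#    (assumed name \\.\pipe\openssh-ssh-agent); if present, ssh-add -L should list the key.
if (Test-Path '\\.\pipe\openssh-ssh-agent') {
    ssh-add -L
} else {
    Write-Warning 'No \\.\pipe\openssh-ssh-agent pipe; check gpg-agent.conf and the GnuPG version.'
}
```

If ssh-add still reports that it cannot connect to the agent, the emulation is not active, which usually means the GnuPG version predates the Win32-OpenSSH support or the config file was not picked up.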
