Re: Subkeys export to Security Token fails: Secret key available.
I have a backup of any key.

On 8 August 2020 02:05:44 CEST, "Ángel" wrote:
>On 2020-08-07 at 08:33 +0200, Thomas Schneider wrote:
>> All subkeys are marked as Stub which is correct because the keys have
>> been exported before.
>> However now the keys don't exist anymore on the keycard.
>>
>> Can you please advise how to fix this issue?
>>
>> THX
>
>You had some "full" keys (public+private part). Then "moved" them to the
>Yubikey, so the private part was now in the yubikey, and locally you
>left just a stub saying "go look at yubikey #1234 for this key".
>
>Do you have a backup of the full, original key?
>
>
>Cheers

--
This message was sent from my Android mobile phone with K-9 Mail.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Win 11 + Smartcard: SSH public key authentication fails
Hello,

in the past I used Windows 10 + Smartcard + MobaXterm for SSH public key authentication w/o problems incl. SSH forward.

Now I have a new device with Windows 11, and I want to use the same Smartcard for SSH public key authentication using Win 11 (native) SSH client.

Therefore I installed
- Gpg4win 4.2 (latest version)
- PowerShell 7 (latest version)
- PuTTY 0.8 (latest version)
and configured gpg.conf and gpg-agent.conf.
I don't intend to install git BASH assuming PowerShell 7 provides a working shell.

I can run
  gpg --card-status
and
  ssh-add -L
w/o problems, means I can display all information stored on my Smartcard and the SSH public key (key ends with "cardno:0005_80CE").

However when I try to connect to a SSH server public key authentication fails.

I found this statement when searching for a solution:
"[...] The ssh-pageant provides the same kind of functionality to ssh but, as opposed to ssh-agent, does speak the PuTTY protocol. This enables ssh to speak with the gpg-agent via the ssh-pageant.[...]"

Can you please advise how to fix this issue?
Re: Win 11 + Smartcard: SSH public key authentication fails
Hello,

accidentally I identified the root cause for this issue.

I executed this SSH command:
  ssh
I didn't use
  ssh @
on purpose because I'm used to using the same user on remoteserver as on client.

After executing SSH command
  ssh @
gpg-agent works as expected and I can login with public key.

One may consider this as a bug, however I'm happy that I found a solution for my issue.

Now I can proceed to next issue: SSH forward

Thanks for your great support!
Thomas

On 2024-01-16 18:50, Werner Koch wrote:
> On Mon, 15 Jan 2024 20:03, Thomas Schneider said:
>> And ssh-pageant is not available for Win 11, but pageant is included in PuTTY.
>
> I didn't implement or test the newer --enable-w32-openssh-support so I
> don't have first-hand experience. However, Windows comes with an ssh
> server and a client, which are slightly modified OpenSSH versions. Thus
> you should be able to simply run
>
>   c:\ ssh -v snow...@hawaii.nsa.gov
>
> The ssh diagnostics enabled with -v should show you what's going on and
> whether ssh tries to use an ssh-agent implementation. You need to start
> gpg-agent first, of course:
>
>   gpgconf --launch gpg-agent
>
> (or run any gpg command or kleopatra, etc.)
>
>> Could you please share some details of your working setup (scripts
>> connecting from Win 10/11 to other servers using SSH).
>
> Okay, let's try it: I just installed a gpg4win 4.3.0-beta and tried it
> on my testbox (Windows 10.0 build 19045) using my regular token:
>
>   debug1: Next authentication method: publickey
>   debug1: Offering public key: cardno:FFFE_xxx ED25519 SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent
>   debug1: Server accepts key: cardno:FFFE_xxx ED25519 SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent
>   debug1: Authentication succeeded (publickey).
>   Authenticated to ftp.gnupg.org ([217.69.76.55]:22).
>
> But that should also work with your gpg4win version.
>
>>> the native client you need to add *enable-w32-openssh-support* to your
>
> Oops, the option is actually *enable-win32-openssh-support*.
> I try to get it into the Kleopatra config dialog with gnupg 2.4.4 -
> right now kleopatra can only enable the Unix style ssh support.
>
> Shalom-Salam,
>
>    Werner
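The checks discussed in this message (agent started, native OpenSSH support enabled, explicit user name on the ssh command line), collected into one PowerShell diagnostic. This is an added example, not code from the thread; it assumes the default Gpg4win home directory under %APPDATA%\gnupg and that gpg-agent and the Windows "OpenSSH Authentication Agent" service both use the pipe \\.\pipe\openssh-ssh-agent, and the target passed to Test-CardLogin is a placeholder.

```powershell
# Added diagnostic, not from the thread. Assumptions are marked "assumed".
$pipeName = 'openssh-ssh-agent'   # assumed: default agent pipe of Windows OpenSSH
$gnupgDir = if ($env:GNUPGHOME) { $env:GNUPGHOME } else { Join-Path $env:APPDATA 'gnupg' }  # assumed default
$conf     = Join-Path $gnupgDir 'gpg-agent.conf'

# 1. Is the option Werner names actually set in gpg-agent.conf?
$optionSet = (Test-Path $conf) -and
    [bool](Select-String -Path $conf -Pattern '^\s*enable-win32-openssh-support\b' -Quiet)

# 2. The Windows "OpenSSH Authentication Agent" service answers on the same
#    pipe; if it is running, ssh.exe may be talking to it instead of gpg-agent.
$svc        = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
$svcRunning = [bool]($svc -and $svc.Status -eq 'Running')

# 3. Start gpg-agent as described in the thread, then look for the pipe.
gpgconf --launch gpg-agent
$pipeFound = [bool](Get-ChildItem '\\.\pipe\' -ErrorAction SilentlyContinue |
    Where-Object Name -eq $pipeName)

# 4. Which identities does the agent offer, and is the card key among them?
$cardKeys = @(ssh-add -L 2>$null | Where-Object { $_ -match 'cardno:' })

[pscustomobject]@{
    GpgAgentConf        = $conf
    Win32OpenSshOption  = $optionSet
    WindowsAgentService = if ($svcRunning) { 'running (conflict)' } else { 'not running' }
    AgentPipePresent    = $pipeFound
    CardKeysFromAgent   = $cardKeys.Count
} | Format-List

# 5. Reduce "ssh -v" to the lines that show which user and which key were used.
#    Pass user@host explicitly: without "user@" ssh sends the local Windows
#    account name, which need not exist on the server.
function Test-CardLogin([string]$Target) {   # e.g. 'user@server.example' (placeholder)
    $pattern = 'Authenticating to|Offering public key|Server accepts key|' +
               'Authentication succeeded|Permission denied'
    ssh -v -o BatchMode=yes -o PreferredAuthentications=publickey $Target exit 2>&1 |
        ForEach-Object { "$_" } |
        Select-String $pattern
}
```

A healthy run of Test-CardLogin shows the same "Offering public key: cardno:... agent" and "Server accepts key" lines as the debug output quoted above.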
No SSH public key authentication using smartcard
Hello,

I'm trying to configure a solution for this use case:

                SSH             SSH
  Client         >   Jumphost    >   Server
  (Windows 11)       (Linux)         (Linux)

I connect a Nitrokey security-token (that is comparable to Yubikey) with OpenPGP keys to my client. And I want to use this Nitrokey for SSH login to remote servers.

For this I installed GPG4Win on my client and configured file gpg-agent.conf:

  enable-ssh-support
  # To Enable support for PuTTY
  enable-putty-support
  # To Enable support for the native Microsoft OpenSSH binaries (requires gpg 2.4.0 / Gpg4win 4.1.0 or higher)
  enable-win32-openssh-support
  use-standard-socket
  default-cache-ttl 600
  max-cache-ttl 7200

Then I (re-) start the gpg-agent and try to SSH into the Jumphost using command ssh in Windows PowerShell.
Here I get a popup window where I must enter the PIN previously set on Nitrokey.
After this I'm connected to the jumphost (Linux).

Now I want to connect to the server using command ssh , however I need to enter a password.
This means public key authentication fails.
And I think this fails because SSH agent forwarding is not working.

Can you please advise how to configure SSH agent forwarding in my setup correctly?

THX
Thomas
Re: No SSH public key authentication using smartcard
Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file? On jumphost?

Actually I have a working setup on Windows 10, but here I use another terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but using Windows Terminal.

THX

On 25.11.23 at 12:30, Stephan Verbücheln via Gnupg-users wrote:
> Coincidentally, I have a similar setup. Fortunately, you do *not* need
> Agent Forwarding for authentication via jump hosts.
>
> The entry for your host (in “~/.ssh/config”) for this host should look
> something like this:
>
> Host myalias
>     HostName myserver.com
>     ProxyJump jumpserver.net
>     IdentityAgent %d/.gnupg/S.gpg-agent.ssh
>
> There may be some Windows-specific pitfalls. Perhaps you have to be
> careful with the line breaks (Unix versus Windows convention) in the
> configuration files.
>
> Regards
> Stephan
Re: No SSH public key authentication using smartcard
Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file? On jumphost?

Actually I have a working setup on Windows 10, but here I use another terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but using Windows Terminal.
Please note that I have not installed git for windows [1] that includes tool "Git BASH"; I don't think that this additional terminal is required to use SSH.

I can run
  ssh-add.exe -L
in Windows PowerShell and get the correct SSH public key fetched from secure card.
But once connected to jumphost, all SSH relevant information is unavailable.

THX

On 2023-11-25 12:30, Stephan Verbücheln via Gnupg-users wrote:
> Coincidentally, I have a similar setup. Fortunately, you do *not* need
> Agent Forwarding for authentication via jump hosts.
>
> The entry for your host (in "~/.ssh/config") for this host should look
> something like this:
>
> Host myalias
>     HostName myserver.com
>     ProxyJump jumpserver.net
>     IdentityAgent %d/.gnupg/S.gpg-agent.ssh
>
> There may be some Windows-specific pitfalls. Perhaps you have to be
> careful with the line breaks (Unix versus Windows convention) in the
> configuration files.
>
> Regards
> Stephan

Links:
--
[1] https://gitforwindows.org/
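The ProxyJump entry from the quoted reply, written on the Windows client from PowerShell with the line-ending pitfall handled. This is an added example, not part of the thread: the host names and alias are the placeholders from the reply, the user names are hypothetical, and the IdentityAgent line is left out on the assumption that gpg-agent with enable-win32-openssh-support already serves the agent pipe that Windows ssh.exe uses by default.

```powershell
# Added example, not from the thread. Host names and the alias are the
# placeholders used in Stephan's reply; the user names are hypothetical.
$sshDir = Join-Path $env:USERPROFILE '.ssh'   # "~/.ssh" for Windows OpenSSH
$config = Join-Path $sshDir 'config'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null

$stanza = @(
    '# Jump host: authenticated with the card key through the local agent'
    'Host jumpserver.net'
    '    User jumpuser'
    '    ForwardAgent no'
    ''
    '# Final server: reached through the jump host. The signature for this'
    '# login is also made by the local agent, so nothing is forwarded.'
    'Host myalias'
    '    HostName myserver.com'
    '    User serveruser'
    '    ProxyJump jumpserver.net'
    '    ForwardAgent no'
)

# Write UTF-8 without BOM and with LF line ends. ("Out-File" and ">" in
# Windows PowerShell 5.1 produce UTF-16, which ssh.exe cannot parse.)
$existing = if (Test-Path $config) { [IO.File]::ReadAllText($config) } else { '' }
if ($existing -notmatch '(?m)^\s*Host\s+myalias\s*$') {
    [IO.File]::AppendAllText($config, "`n" + ($stanza -join "`n") + "`n")
}

# Show what ssh resolves for the alias without connecting.
ssh -G myalias | Select-String '^(hostname|user|proxyjump|forwardagent) '

# Connect: gpg-agent asks for the card PIN on the client, and the jump host
# only relays the connection; it gets no access to the agent.
# ssh -v myalias
```

With this entry both logins are signed by the agent on the client, so the key stays usable only from the machine the token is plugged into.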
Re: No SSH public key authentication using smartcard
Hi,

this is exactly what I thought. However, there's no solution for it.

Let me repeat my comments posted previously to get an overview what is working...

Actually I have a working setup on Windows 10, but here I use another terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but using Windows Terminal.

I can run
  ssh-add.exe -L
in Windows PowerShell and get the correct SSH public key fetched from secure card.

THX

On 28.11.23 at 03:53, Jacob Bachmeyer wrote:
> Thomas via Gnupg-users wrote:
>> Hello Stephan,
>>
>> thanks for your reply.
>>
>> When you say I should modify ~/.ssh/config, where is this file? On
>> jumphost?
>
> You need to configure SSH agent forwarding on your client, which will
> provide access to your local SSH agent at the jumphost via the SSH
> connection between your client and the jumphost. Since you are using a
> Windows client, ~/.ssh/config may not be relevant to your configuration.
>
> -- Jacob