Question on Putty and gpg-agent

Question on Putty and gpg-agent

Antony Prince
My old key is expiring at the beginning of next month, so I've generated
a new set of keys. Dropped down to 2048 from 4096 RSA since 4096 seemed
a bit of overkill and have the master key in a single location. That's a
different discussion. Anyway, using my new Authentication key on Linux
with SSH seems to be going okay. A few issues with ssh-agent being
present, etc. All that seems to be working okay now. The issue I'm
having is using Putty and gnupg on Windows. The versions are:

OS: Windows 7 SP1 x64
Putty: 0.63

C:\Users\antony>gpg --version
gpg (GnuPG) 2.1.20
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/antony/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\Users\antony>gpg-connect-agent
> GETINFO version
D 2.1.20
OK
> bye
OK closing connection

The following options are in
"C:\Users\antony\AppData\Roaming\gnupg\gpg-agent.conf":

default-cache-ttl 300
max-cache-ttl 3000
enable-putty-support
disable-scdaemon
daemon

I have the keygrip listed in sshcontrol (the file was not created on its
own, I created it manually).

When I try to connect to the server with putty using the "Attempt
authentication using Pageant" option, I just get "Disconnected: No
supported authentication methods available. (server sent: publickey)". I
was of the understanding that gpg-agent would act as a replacement for
Pageant in this mode.

I have the public key in the ~/.ssh/authorized_keys file and can log in
successfully using ssh and gpg-agent on Linux. Before I added
"disable-scdaemon", gpg-agent would complain that it couldn't find the
key on the card (I've never had one). Since adding that option, that
error has gone away, but it still does not work and gpg-agent doesn't
provide any helpful output. The keygrip named file exists in
private-keys-v1.d, so the key is there. Any help in further
troubleshooting the issue would be greatly appreciated. I'm sorry if
this has been answered before. I looked through the archives and googled
around a bit, but couldn't find anything to point me in the right direction.

--
Regards,
Antony


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question on Putty and gpg-agent

Jerry-146
On Wed, 12 Apr 2017 16:42:57 -0400, Antony Prince stated:

>My old key is expiring at the beginning of next month, so I've
>generated a new set of keys. Dropped down to 2048 from 4096 RSA since
>4096 seemed a bit of overkill and have the master key in a single
>location. That's a different discussion. Anyway, using my new
>Authentication key on Linux with SSH seems to be going okay. A few
>issues with ssh-agent being present, etc. All that seems to be working
>okay now. The issue I'm having is using Putty and gnupg on Windows.
>The versions are:
>
>OS: Windows 7 SP1 x64
>Putty: 0.63
>
>C:\Users\antony>gpg --version  
>gpg (GnuPG) 2.1.20
>libgcrypt 1.7.6
>Copyright (C) 2017 Free Software Foundation, Inc.
>License GPLv3+: GNU GPL version 3 or later
><https://gnu.org/licenses/gpl.html>
>This is free software: you are free to change and redistribute it.
>There is NO WARRANTY, to the extent permitted by law.
>
>Home: C:/Users/antony/AppData/Roaming/gnupg
>Supported algorithms:
>Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>        CAMELLIA128, CAMELLIA192, CAMELLIA256
>Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
>C:\Users\antony>gpg-connect-agent
>> GETINFO version  
>D 2.1.20
>OK
>> bye  
>OK closing connection
>
>The following options are in
>"C:\Users\antony\AppData\Roaming\gnupg\gpg-agent.conf":
>
>default-cache-ttl 300
>max-cache-ttl 3000
>enable-putty-support
>disable-scdaemon
>daemon
>
>I have the keygrip listed in sshcontrol (the file was not created on
>its own, I created it manually).
>
>When I try to connect to the server with putty using the "Attempt
>authentication using Pageant" option, I just get "Disconnected: No
>supported authentication methods available. (server sent: publickey)".
>I was of the understanding that gpg-agent would act as a replacement
>for Pageant in this mode.
>
>I have the public key in the ~/.ssh/authorized_keys file and can log in
>successfully using ssh and gpg-agent on Linux. Before I added
>"disable-scdaemon", gpg-agent would complain that it couldn't find the
>key on the card (I've never had one). Since adding that option, that
>error has gone away, but it still does not work and gpg-agent doesn't
>provide any helpful output. The keygrip named file exists in
>private-keys-v1.d, so the key is there. Any help in further
>troubleshooting the issue would be greatly appreciated. I'm sorry if
>this has been answered before. I looked through the archives and
>googled around a bit, but couldn't find anything to point me in the
>right direction.

That is a very old version of Putty.

Latest news

2017-02-21 PuTTY 0.68 released, containing ECC, a 64-bit build, and
security fixes

PuTTY 0.68, released today, supports elliptic-curve cryptography for
host keys, user authentication keys, and key exchange. Also, for the
first time, it comes in a 64-bit Windows version.

0.68 also contains some security fixes: a vulnerability in agent
forwarding is fixed, and Windows DLL hijacking should no longer be
possible.

--
Jerry

Re: Question on Putty and gpg-agent

Antony Prince
On 4/13/2017 7:06 AM, Jerry wrote:
> On Wed, 12 Apr 2017 16:42:57 -0400, Antony Prince stated:
>

...

>>
>> OS: Windows 7 SP1 x64
>> Putty: 0.63
>>

...

>> When I try to connect to the server with putty using the "Attempt
>> authentication using Pageant" option, I just get "Disconnected: No
>> supported authentication methods available. (server sent: publickey)".
>> I was of the understanding that gpg-agent would act as a replacement
>> for Pageant in this mode.
>>

...

>
> That is a very old version of Putty.
>

I realized that immediately after sending the mail to the list. I
upgraded to 0.68 and tried again with the same results. From what I can
tell, the agent is receiving the request for the key, but not serving
it. Before I disabled scdaemon, gpg-agent would complain that it
couldn't find the key on the card meaning that the agent was receiving
the request. Why it isn't serving the key is the question, I believe.

--
Antony


Re: Question on Putty and gpg-agent

Antony Prince
On 4/13/2017 1:40 PM, Antony Prince wrote:
> On 4/13/2017 7:06 AM, Jerry wrote:
>> On Wed, 12 Apr 2017 16:42:57 -0400, Antony Prince stated:
>>
...

>>> When I try to connect to the server with putty using the "Attempt
>>> authentication using Pageant" option, I just get "Disconnected: No
>>> supported authentication methods available. (server sent: publickey)".
>>> I was of the understanding that gpg-agent would act as a replacement
>>> for Pageant in this mode.
>>>
>
> ...
>
>>
>> That is a very old version of Putty.
>>
>
> I realized that immediately after sending the mail to the list. I
> upgraded to 0.68 and tried again with the same results. From what I can
> tell, the agent is receiving the request for the key, but not serving
> it. Before I disabled scdaemon, gpg-agent would complain that it
> couldn't find the key on the card meaning that the agent was receiving
> the request. Why it isn't serving the key is the question, I believe.
>
Well, I can confirm that the agent is receiving the request, but I can't
figure out why it isn't sending a response that PUTTY likes. I started
gpg-agent using "gpg-agent -vv --daemon --enable-putty-support
--debug-level guru". The following is what I get in the console when
attempting to connect to a server with putty:

gpg-agent[5436]: DBG: ssh map file 'PageantRequest00001bac'
gpg-agent[5436]: DBG: ssh map handle 0x0000014c
gpg-agent[5436]: DBG:           my sid: 'S-1-5-21-1798341051-2053502947-236444749-1000'
gpg-agent[5436]: DBG: ssh map file sid: 'S-1-5-21-1798341051-2053502947-236444749-1000'
gpg-agent[5436]: DBG: ssh IPC buffer at 0x003d0000
gpg-agent[5436]: ssh request handler for request_identities (11) started
gpg-agent[5436]: ssh request handler for request_identities (11) ready
gpg-agent[5436]: sending ssh response of length 5
gpg-agent[5436]: DBG: chan_0x0000014c -> OK Pleased to meet you
gpg-agent[5436]: DBG: chan_0x0000014c <- GETINFO pid
gpg-agent[5436]: DBG: chan_0x0000014c -> D 5436
gpg-agent[5436]: DBG: chan_0x0000014c -> OK
gpg-agent[5436]: socket is still served by this server
gpg-agent[5436]: DBG: chan_0x0000014c <- BYE
gpg-agent[5436]: DBG: chan_0x0000014c -> OK closing connection

Everything seems to be configured as it should be as far as I can tell,
but I can't figure it out. If nobody has any ideas, I'll drop the thread
here.
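Reading the log above: the agent handled request_identities (11) and sent a 5-byte body, which is exactly the size of an SSH_AGENT_IDENTITIES_ANSWER (12) carrying a zero key count, so PuTTY had no key to offer and the server's "publickey" rejection follows. The decoder below is an added example, not code from the thread or from GnuPG; the message-type numbers are those of the ssh-agent protocol, and both sample bodies (including the key blob and comment string) are constructed placeholders.

```python
import struct

# ssh-agent protocol message types; 11 is the request_identities the log shows gpg-agent handling
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_FAILURE = 5

def _read_string(buf, off):
    """Read one uint32-length-prefixed string at buf[off:]; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body at offset %d" % off)
    return buf[off:off + n], off + n

def decode_identities_answer(body):
    """Return [(algorithm, comment), ...] from an identities-answer body.
    `body` excludes the outer 4-byte length prefix, i.e. it is the N bytes gpg-agent logs as "sending ssh response of length N".
    """
    if not body:
        raise ValueError("empty message")
    if body[0] == SSH_AGENT_FAILURE:
        raise ValueError("agent returned SSH_AGENT_FAILURE")
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % body[0])
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        algorithm, _ = _read_string(blob, 0)   # a public key blob starts with its algorithm name
        keys.append((algorithm.decode(), comment.decode()))
    if off != len(body):
        raise ValueError("%d trailing bytes after %d identities" % (len(body) - off, count))
    return keys

def encode_identities_answer(keys):
    """Build an identities-answer body from (key_blob, comment) pairs (inverse of decode)."""
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(comment)) + comment
    return out

# Constructed sample 1: the 5-byte body from the log = answer type byte + zero-key count.
EMPTY_ANSWER = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 0)
# Constructed sample 2: one identity; the blob holds only the algorithm name plus placeholder bytes.
FAKE_RSA_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + b"\x00\x00\x00\x01\x03"
ONE_KEY_ANSWER = encode_identities_answer([(FAKE_RSA_BLOB, b"(placeholder comment)")])
```

A non-empty answer from a working agent would decode to one entry per key listed in sshcontrol; an empty list points at the agent's key selection rather than at PuTTY or the server.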

Re: Question on Putty and gpg-agent

Peter Lebbing
In reply to this post by Antony Prince
On 12/04/17 22:42, Antony Prince wrote:
> Before I added
> "disable-scdaemon", gpg-agent would complain that it couldn't find the
> key on the card (I've never had one). Since adding that option, that
> error has gone away, but it still does not work and gpg-agent doesn't
> provide any helpful output.

I don't think you're telling gpg-agent "that key is not on a card".
You're telling it "you can't work with cards". Consequently, the little
guy or girl living in the code of gpg-agent goes "Hmmm, this is a key on
a card. I can't work with a card. I can't work with this key." I think
you were hoping it would think "let's look elsewhere", but it likely
will not do so.

It is a decidedly different behaviour than gpg-agent on Linux. There, it
will check if a smartcard is currently connected and if so, offer such a
key for authentication. For SSH, it will *never ask* to insert a card!
It'll just skip it outright. So it seems gpg-agent is doing entirely
different things on Windows. Does it even support on-disk authentication
keys or is it smartcard-only? I don't know, I haven't used Windows for
anything other than games for very long. I did read the release notes
when Putty support was introduced, and it only discussed smartcard keys,
but that isn't conclusive proof it only supports smartcard keys.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Question on Putty and gpg-agent

Peter Lebbing
On 30/04/17 20:41, Peter Lebbing wrote:
> It is a decidedly different behaviour than gpg-agent on Linux. There, it
> will check if a smartcard is currently connected and if so, offer such a
> key for authentication. For SSH, it will *never ask* to insert a card!
> It'll just skip it outright.

It turns out this isn't true. If you add the keygrip to sshcontrol, it
will ask for the card. However, I hadn't added my smartcard keygrip to
sshcontrol because it is unnecessary.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
