
ledger-agent <hostname> -vs fails to sign key #462

Open
erjoalgo opened this issue Oct 24, 2023 · 6 comments

Comments

@erjoalgo

erjoalgo commented Oct 24, 2023

I'm invoking ledger-agent <identity> -vs in order to spawn a shell in which I later attempt to ssh into a host that has been configured to accept <identity> as an authorized key.

While I am able to start the shell, the attempt to ssh fails with permission denied. After adding more verbose logging to ssh, it appears that the server does accept the key, but the client fails to sign it:

debug1: Server accepts key: <ssh://[email protected]|nist256p1> ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw agent
debug3: sign_and_send_pubkey: using [email protected] with ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp256 SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw
sign_and_send_pubkey: signing failed for ECDSA "<ssh://[email protected]|nist256p1>" from agent: communication with agent failed
debug1: Offering public key: /home/ealfonso/.ssh/id_rsa RSA SHA256:/rlz6FKkzEumAiQ0saXGOI6zO9owbyr3QxiSX22GyNM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey

Around the same time, I see that this badly-formatted python stacktrace pops up somewhere in my terminal:

Traceback (most recent call last):
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/device/ledger.py", line 134, in sign
    result = bytearray(self.conn.exchange(bytes(apdu)))
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/ledgerblue/comm.py", line 157, in exchange
    raise CommException("Invalid status %04x (%s)" % (sw, possibleCause), sw, response)
ledgerblue.commException.CommException: Exception : Invalid status 6a80 (Unknown reason)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
            ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
            ^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/ssh/protocol.py", line 147, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 234, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/ssh/client.py", line 52, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ealfonso/.local/lib/python3.11/site-packages/libagent/device/ledger.py", line 136, in sign
    raise interface.DeviceError(
debug3: receive packet: type 51
libagent.device.interface.DeviceError: Error (Exception : Invalid status 6a80 (Unknown reason)) communicating with LedgerNanoS

Full log:

OpenSSH_9.4p1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /home/ealfonso/.ssh/config
debug1: /home/ealfonso/.ssh/config line 2: include ~/private-data/configs/ssh-config matched no files
debug2: checking match for 'host *' host asus.local originally asus.local
debug3: /home/ealfonso/.ssh/config line 24: matched 'host "asus.local"' 
debug2: match found
debug3: vdollar_percent_expand: expand ${RANDOM} -> '39172'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/ealfonso/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/ealfonso/.ssh/known_hosts2'
debug2: resolving "asus.local" port 22
debug3: resolve_host: lookup asus.local:22
debug3: ssh_connect_direct: entering
debug1: Connecting to asus.local [192.168.1.204] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/ealfonso/.ssh/id_rsa type 0
debug1: identity file /home/ealfonso/.ssh/id_rsa-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_ecdsa type -1
debug1: identity file /home/ealfonso/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ealfonso/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_ed25519 type -1
debug1: identity file /home/ealfonso/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ealfonso/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_xmss type -1
debug1: identity file /home/ealfonso/.ssh/id_xmss-cert type -1
debug1: identity file /home/ealfonso/.ssh/id_dsa type -1
debug1: identity file /home/ealfonso/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u1
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to asus.local:22 as 'ealfonso'
debug3: record_hostkey: found key type ED25519 in file /home/ealfonso/.ssh/known_hosts:35
debug3: load_hostkeys_file: loaded 1 keys from asus.local
debug1: load_hostkeys: fopen /home/ealfonso/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:EnNPvhMEIvaIoIE4dAyVIBpKYLYRMae0Z+FNkQmzXjs
debug3: record_hostkey: found key type ED25519 in file /home/ealfonso/.ssh/known_hosts:35
debug3: load_hostkeys_file: loaded 1 keys from asus.local
debug1: load_hostkeys: fopen /home/ealfonso/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts2: No such file or directory
debug1: Host 'asus.local' is known and matches the ED25519 host key.
debug1: Found key in /home/ealfonso/.ssh/known_hosts:35
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: ssh_get_authentication_socket_path: path '/tmp/trezor-ssh-agent-zg2m5j7x'
debug2: get_agent_identities: ssh_agent_bind_hostkey: invalid format
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: <ssh://[email protected]|nist256p1> ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw agent
debug1: Will attempt key: /home/ealfonso/.ssh/id_rsa RSA SHA256:/rlz6FKkzEumAiQ0saXGOI6zO9owbyr3QxiSX22GyNM
debug1: Will attempt key: /home/ealfonso/.ssh/id_ecdsa 
debug1: Will attempt key: /home/ealfonso/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/ealfonso/.ssh/id_ed25519 
debug1: Will attempt key: /home/ealfonso/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/ealfonso/.ssh/id_xmss 
debug1: Will attempt key: /home/ealfonso/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: [email protected]=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: <ssh://[email protected]|nist256p1> ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: <ssh://[email protected]|nist256p1> ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw agent
debug3: sign_and_send_pubkey: using [email protected] with ECDSA SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp256 SHA256:fgl+PN+L9wd5IYZAqGk3xMC4fgI3pIhwTRkUdandyWw
sign_and_send_pubkey: signing failed for ECDSA "<ssh://[email protected]|nist256p1>" from agent: communication with agent failed
debug1: Offering public key: /home/ealfonso/.ssh/id_rsa RSA SHA256:/rlz6FKkzEumAiQ0saXGOI6zO9owbyr3QxiSX22GyNM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/ealfonso/.ssh/id_ecdsa
debug3: no such identity: /home/ealfonso/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/ealfonso/.ssh/id_ecdsa_sk
debug3: no such identity: /home/ealfonso/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/ealfonso/.ssh/id_ed25519
debug3: no such identity: /home/ealfonso/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/ealfonso/.ssh/id_ed25519_sk
debug3: no such identity: /home/ealfonso/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/ealfonso/.ssh/id_xmss
debug3: no such identity: /home/ealfonso/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/ealfonso/.ssh/id_dsa
debug3: no such identity: /home/ealfonso/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

Version:

ledger-agent --version
ledger-agent=0.9.0 libagent=0.14.7

Interestingly, the agent does succeed in retrieving the public key, but fails at signing.

On the ledger, the SSH/GPG agent version is 0.0.7.
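The report above is diagnosed by hand: the server accepts the agent's key, then the agent's signing call fails with an APDU status word that ledgerblue labels "Unknown reason". The following is an added triage script written for this issue; it is not code from ledger-agent, libagent, OpenSSH or the Ledger app. It walks an `ssh -vvv` transcript, records for each offered public key whether the server rejected it, accepted it but the agent failed to sign, or authentication succeeded, and decodes the status word from the ledgerblue exception text using the general ISO 7816-4 meanings (the Ledger SSH/GPG app may attach its own cause to a word, so the decoding is a first hint, not the app's verdict). The transcript and traceback line embedded below are constructed excerpts modelled on the report; the identity string, user, host and fingerprints are placeholders.

```python
"""Triage an OpenSSH `ssh -vvv` transcript and a ledgerblue status word.

Added diagnostic for this issue (not project code). It locates the stage at
which public-key authentication broke and decodes the APDU status word.
"""
import re
from dataclasses import dataclass

# OpenSSH client debug lines that mark the stages of one public-key attempt.
OFFER_RE = re.compile(
    r"^debug1: Offering public key: (?P<key>\S+) (?P<type>\S+) (?P<fp>SHA256:\S+)")
ACCEPT_RE = re.compile(r"^debug1: Server accepts key: (?P<key>\S+) ")
SIGN_FAIL_RE = re.compile(
    r'^sign_and_send_pubkey: signing failed for \S+ "(?P<key>[^"]+)" from agent: (?P<reason>.+)$')
CONTINUE_RE = re.compile(r"^debug1: Authentications that can continue:")
SUCCESS_RE = re.compile(r"^debug1: Authentication succeeded \(publickey\)")
# ledgerblue formats its CommException as "Invalid status %04x (%s)".
STATUS_RE = re.compile(r"Invalid status (?P<sw>[0-9a-fA-F]{4})")

# General ISO 7816-4 status-word meanings (assumption: the app does not
# redefine them; ledgerblue's own table prints "Unknown reason" for 6a80).
ISO7816_STATUS = {
    0x9000: "success",
    0x6A80: "incorrect parameters in the command data field",
    0x6982: "security status not satisfied",
    0x6985: "conditions of use not satisfied",
    0x6D00: "instruction code not supported",
    0x6E00: "class not supported",
}


@dataclass
class KeyAttempt:
    key: str
    key_type: str
    fingerprint: str
    from_agent: bool          # OpenSSH appends " agent" to agent-held keys
    outcome: str = "pending"  # pending | rejected | accepted | accepted_sign_failed | authenticated
    detail: str = ""


def classify_pubkey_attempts(lines):
    """Return one KeyAttempt per 'Offering public key' line, with its outcome."""
    attempts, current = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = OFFER_RE.match(line)
        if m:
            current = KeyAttempt(m["key"], m["type"], m["fp"], line.endswith(" agent"))
            attempts.append(current)
            continue
        if current is None:
            continue
        if ACCEPT_RE.match(line):
            current.outcome = "accepted"
        elif (m := SIGN_FAIL_RE.match(line)) and current.outcome == "accepted":
            # Server said yes; the failure is on our side (agent/device).
            current.outcome, current.detail = "accepted_sign_failed", m["reason"]
        elif CONTINUE_RE.match(line) and current.outcome == "pending":
            # Server answered the offer with "try again": key not authorized.
            current.outcome = "rejected"
        elif SUCCESS_RE.match(line) and current.outcome == "accepted":
            current.outcome = "authenticated"
    return attempts


def diagnose(attempts):
    """One-line verdict on where public-key authentication broke."""
    for a in attempts:
        if a.outcome == "authenticated":
            return f"authenticated with {a.key} ({a.fingerprint})"
    failed = [a for a in attempts if a.outcome == "accepted_sign_failed"]
    if failed:
        a, side = failed[0], "agent" if failed[0].from_agent else "client"
        return (f"server accepted {a.key} but the {side} could not sign the challenge "
                f"({a.detail}); authorized_keys is fine, look at the agent/device")
    if attempts and all(a.outcome == "rejected" for a in attempts):
        return "server rejected every offered key; check authorized_keys on the server"
    return "no public-key attempt completed"


def describe_status_word(text):
    """Extract the APDU status word from ledgerblue's message and decode it."""
    m = STATUS_RE.search(text)
    if not m:
        return None
    sw = int(m["sw"], 16)
    return sw, ISO7816_STATUS.get(sw, "unknown status word")


# Constructed sample transcript modelled on the report (placeholders only).
SAMPLE_SSH_LOG = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: <ssh://user@host.example|nist256p1> ECDSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA agent
debug3: receive packet: type 60
debug1: Server accepts key: <ssh://user@host.example|nist256p1> ECDSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA agent
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sign_and_send_pubkey: signing failed for ECDSA "<ssh://user@host.example|nist256p1>" from agent: communication with agent failed
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
user@host.example: Permission denied (publickey).
"""
SAMPLE_TRACEBACK_TAIL = ("libagent.device.interface.DeviceError: Error (Exception : "
                         "Invalid status 6a80 (Unknown reason)) communicating with LedgerNanoS")

if __name__ == "__main__":
    result = classify_pubkey_attempts(SAMPLE_SSH_LOG.splitlines())
    for a in result:
        print(f"{a.key_type:6} {a.key}: {a.outcome} {a.detail}")
    print(diagnose(result))
    print(describe_status_word(SAMPLE_TRACEBACK_TAIL))
```

Run it on a real transcript with `ssh -vvv host 2>&1 | python3 triage.py` after swapping the sample for `sys.stdin`; the useful signal is the contrast between "rejected" (fix `authorized_keys`) and "accepted_sign_failed" for an agent-held key (the server side is fine; the agent or the device's app is what to look at).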

@romanz
Owner

romanz commented Oct 27, 2023

@cbouvet-ledger Could you please take a look?

@romanz
Owner

romanz commented Oct 27, 2023

@erjoalgo Could you please try SSH/GPG agent 0.0.8 (#415)?

@romanz
Owner

romanz commented Nov 4, 2023

Pinging some of the https://github.com/LedgerHQ/app-ssh-agent maintainers: @yhql @sgliner-ledger

@erjoalgo
Author

erjoalgo commented Nov 5, 2023 via email

@erjoalgo
Author

After upgrading to the latest ledger live, I only see version 0.0.7:

[screenshot: 15-Nov-2023-16:26:57]

I'm reluctant to upgrade firmware now because it probably means I have to re-add all my passwords.

Can backward compatibility be maintained/fixed from the ledger-agent side?

@romanz
Owner

romanz commented Nov 16, 2023

Re-pinging Ledger maintainers: @cbouvet-ledger @yhql @sgliner-ledger @Saltari @TamtamHero
