I have an SSH service that doesn’t support ed25519 keys so I need to use RSA keys for this. Looking at the docs I can only see examples of SSH derived keys for nist256p1 and the default ed25519 so I assume key derivation isn’t supported with RSA keys? Just stored keys?
– BVS
So, using RSA stored SSH key works fine for Linux machines but I’m connecting to a router (Linux based). I upload the id_rsa.pub and then when connecting get these errors:
sign_and_send_pubkey: signing failed for RSA "/tmp/trezor-ssh-pubkey-erkc7ey4" from agent: communication with agent failed myuser@172.18.100.1's password: 2021-05-17 16:09:26,537 WARNING error: 'OnlyKey' object has no attribute 'sighash' [server.py:100] and;
AttributeError: 'OnlyKey' object has no attribute 'sighash'.
Loading the pub key to the router and using the normal Linux SSH client works fine.
Any ideas @t11 ? Also why does autoload add the priv key as slot 2 out of interest?
– BVS
@t11 does this work with the latest firmware and agent? Are derived RSA SSH keys supported?
– bvs
I can confirm this is the same even with the latest firmware.
Steps to reproduce:
onlykey-agent user@testserver -e rsa -sk 1
onlykey-agent user@testserver -e rsa -c -sk 1
AttributeError: 'OnlyKey' object has no attribute 'sighash'
– bvs
In order to reproduce this it sounds like I would need to find a device that replicates the issue. Do you see the issue on an older version of linux or something that I could set up in a virtual machine to reproduce this?
Also why does autoload add the priv key as slot 2 out of interest?
There are 4 RSA slots, slot 1 is the default decryption key slot, slot 2 is default signing, 3-4 are user defined.
@t11 thanks for your reply.
This router is a Mikrotik device. They offer a Cloud Hosted Router that can run on any hypervisor so you may be able to use that from here MikroTik Routers and Wireless - Software. You should be able to attach the machine image and boot to test.
– bvs
I actually have a Mikrotik router, very nice devices. I will try to reproduce with that.
Currently I just completed RSA support for the GPG agent that will be released shortly then I will test this issue.
Hey @t11 what’s the release schedule for this looking like?
– bvs
@bettyvschmartz Apologies, with the current new hardware and new features I have not been able to reproduce this issue. A quick search found that this issue may be that Mikrotik only supports SHA1 which has been depricated. A new version of Mikrotik mentioned in this thread supports SHA256 which should work with OnlyKey Agent - OpenSSH future RSA host key deprecation - MikroTik
It looks like this still isn’t supported so waiting for a fix. Not an OnlyKey issue as tested with standard ssh forcing PubkeyAcceptedKeyTypes to rsa-sha2-256 and it doesn’t work.
EDIT: also a further couple of questions from above I need clarity on @t11; am I correct in thinking that derived keys aren’t supported with RSA? So doing something like;
onlykey-agent -e rsa -sk RSA2 user@host
Will give the same pub key as;
onlykey-agent -e rsa -sk RSA2 user2@host2
And, if you wipe all four RSA slots there will still be default keys in slots 1 and 2. Slot 1 for GPG (decryption key) and slot 2 for GPG/SSH (signing key). Is that right?
– bvs
I correct in thinking that derived keys aren’t supported with RSA?
Correct, derived keys are ECC type only
And, if you wipe all four RSA slots there will still be default keys in slots 1 and 2. Slot 1 for GPG (decryption key) and slot 2 for GPG/SSH (signing key). Is that right?
There will still be the default derivation key (which is ECC). There will not be any keys in slot 1 or 2 though, default derivation key is not meant to be wiped as wiping it would mean all keys derived from it would be essentially wiped too.
For ECC, i understand that’s the case. In fact, I use stored keys and also derived keys for ECC.
What I’m referring to is specifically for RSA. If I load stored keys in slots 1 and 2 I can generate the expected pub keys. But if I wipe slots 1 and 2, there are still stored keys there.
If I run;
I still get a pub key returned that I’m not familiar with. It sounds like you are saying that shouldn’t happen.
– bvs