SSH RSA Derived Keys

I have an SSH service that doesn’t support ed25519 keys so I need to use RSA keys for this. Looking at the docs I can only see examples of SSH derived keys for nist256p1 and the default ed25519 so I assume key derivation isn’t supported with RSA keys? Just stored keys?


So, using RSA stored SSH key works fine for Linux machines but I’m connecting to a router (Linux based). I upload the and then when connecting get these errors:

sign_and_send_pubkey: signing failed for RSA "/tmp/trezor-ssh-pubkey-erkc7ey4" from agent: communication with agent failed myuser@'s password: 2021-05-17 16:09:26,537 WARNING error: 'OnlyKey' object has no attribute 'sighash' [] and;

AttributeError: 'OnlyKey' object has no attribute 'sighash'.

Loading the pub key to the router and using the normal Linux SSH client works fine.

Any ideas @t11 ? Also why does autoload add the priv key as slot 2 out of interest?


@t11 does this work with the latest firmware and agent? Are derived RSA SSH keys supported?

– bvs

I can confirm this is the same even with the latest firmware.

Steps to reproduce:

  • Add stored RSA OpenSSH priv key to OnlyKey
  • Generate the derived pub key using onlykey-agent user@testserver -e rsa -sk 1
  • Upload the derived key to the server
  • Run onlykey-agent user@testserver -e rsa -c -sk 1
  • Get the error AttributeError: 'OnlyKey' object has no attribute 'sighash'

– bvs

In order to reproduce this it sounds like I would need to find a device that replicates the issue. Do you see the issue on an older version of linux or something that I could set up in a virtual machine to reproduce this?

Also why does autoload add the priv key as slot 2 out of interest?

There are 4 RSA slots, slot 1 is the default decryption key slot, slot 2 is default signing, 3-4 are user defined.

@t11 thanks for your reply.

This router is a Mikrotik device. They offer a Cloud Hosted Router that can run on any hypervisor so you may be able to use that from here MikroTik Routers and Wireless - Software. You should be able to attach the machine image and boot to test.

– bvs

I actually have a Mikrotik router, very nice devices. I will try to reproduce with that.

1 Like

Hey @t11, did you have time to take a look, or have any joy with the above?


– bvs

Currently I just completed RSA support for the GPG agent that will be released shortly then I will test this issue.

1 Like