SSH RSA Keys not usable

Hi all,

I am trying to set up my RSA SSH key with my OnlyKey but can’t get it to work.

Adding OpenGPG keys seems to work as expected (although it is a while back that I used that). Using a derived key also works.

Adding the RSA key using the GUI works, though when I run onlykey-agent to obtain the fingerprint I notice it is different from the one I already use with SSH. Is that expected?

I need to use RSA with SSH as it is the only thing some of the devices I need to connect to support, unfortunately.

When I try to connect I see that onlykey-agent complains about the key-size:

% onlykey-agent -e rsa2048  -sk RSA3 me@my.net -s
% ssh myhost
Enter the 3 digit challenge code on OnlyKey to authorize <ssh://me@my.net|rsa2048>
6 1 5
2022-10-26 00:52:27,017 ERROR        signature with "<ssh://me@my.net|rsa2048>" key failed                                    [protocol.py:152]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 344, in sign
    sig_part = self.ok.read_bytes(timeout_ms=100)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/onlykey/client.py", line 416, in read_bytes
    raise RuntimeError('Error with RSA data to sign invalid size')
RuntimeError: Error with RSA data to sign invalid size

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 354, in sign
    raise interface.DeviceError(e)
libagent.device.interface.DeviceError: Error with RSA data to sign invalid size
sign_and_send_pubkey: signing failed for RSA "<ssh://me@my.net|rsa2048>" from agent: communication with agent failed
2022-10-26 00:52:27,019 WARNING      error: Error with RSA data to sign invalid size                                                      [server.py:100]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 344, in sign
    sig_part = self.ok.read_bytes(timeout_ms=100)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/onlykey/client.py", line 416, in read_bytes
    raise RuntimeError('Error with RSA data to sign invalid size')
RuntimeError: Error with RSA data to sign invalid size

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 354, in sign
    raise interface.DeviceError(e)
libagent.device.interface.DeviceError: Error with RSA data to sign invalid size
2022-10-26 00:52:27,036 WARNING      Unsupported command: SSH2_AGENTC_ADD_IDENTITY (17)                                                   [protocol.py:101]

I know it is a 2048 bit key (as that is what OpenSSH and OpenSSL both tell me).

I am using OnlyKey App v5.3.6 and an OnlyKey DUO with firmware v3.0.2-prodn with the latest version of onlykey-agent installed on macOS with brew install onlykey-agent. Does anyone have any idea what I am missing here? Is this supposed to work?

regards,

Frederik

Following up on my own post as I resolved the issue of the different key hash / fingerprint by creating a new key with OpenSSH (this one was really old and using algorithm DES-EDE3-CBC). I can understand this is not supported but there was no message about this anywhere.

However, also with the fresh key onlykey-agent is now complaining about error: 'OnlyKey' object has no attribute 'sighash' when I try to log in:

% onlykey-agent -sk RSA3 -e rsa2048 me@my.net -s
% ssh me@host.my.net

NOTICE / WARNING:

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users have no
explicit or implicit expectation of privacy. Any or all uses of this system and
any data stored on this system may be intercepted, monitored, recorded, copied,
audited, inspected, and disclosed at the discretion of authorized personnel.

By using this system, the user consent to such monitoring and acknowledges that
if such monitoring reveals evidence of possible abuse or criminal activity, the
any information may be disclosed with appropriate officials.

By continuing to use this system, you indicate your awareness of and consent to
these terms and conditions of use. STOP AND DISCONNECT IMMEDIATELY!!! if you do
not agree to these conditions.
2022-10-28 22:49:39,459 ERROR        signature with "<ssh://me@my.net|rsa2048>" key failed                                                [protocol.py:152]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 254, in sign
    if self.sighash == b'rsa-sha2-512':
AttributeError: 'OnlyKey' object has no attribute 'sighash'
sign_and_send_pubkey: signing failed for RSA "<ssh://me@my.net|rsa2048>" from agent: communication with agent failed
2022-10-28 22:49:39,465 WARNING      error: 'OnlyKey' object has no attribute 'sighash'                                                   [server.py:100]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 254, in sign
    if self.sighash == b'rsa-sha2-512':
AttributeError: 'OnlyKey' object has no attribute 'sighash'
(me@host.my.net) Password:

Any ideas how to resolve this?
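Added example, not part of the original posts and not OnlyKey code: a check that reports how a private key file is encrypted before it is pasted into an app, so an old cipher such as the DES-EDE3-CBC mentioned above is noticed up front. It assumes the old key was a traditional PEM file that names its cipher in a DEK-Info header; the function names and sample keys are constructed for illustration.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\n(.*?)-----END \1-----", re.S)


def describe_private_key(pem: str) -> dict:
    """Report the container format and encryption cipher of a private key."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < len(OPENSSH_MAGIC) + 4:
            raise ValueError("not an openssh-key-v1 container")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", raw, off)   # length of cipher name
        cipher = raw[off + 4:off + 4 + n].decode("ascii")
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher}
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher sits inside the ASN.1 structure, not parsed here.
        return {"format": label, "encrypted": True, "cipher": "unparsed"}
    # Traditional PEM announces encryption in RFC 1421 style headers.
    dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
    encrypted = re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M) is not None
    return {"format": label, "encrypted": encrypted,
            "cipher": dek.group(1) if dek else "none"}


# Constructed sample: header lines as an old encrypted key carries them,
# followed by a placeholder body instead of real key material.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""


def openssh_sample(cipher: bytes) -> str:
    """Constructed openssh-key-v1 header carrying only the cipher name."""
    b64 = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```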

Can you follow the instructions here to create a key - Import keys from Keybase, Protonmail, and GPG | Docs

You would select option (1) default RSA settings

$ gpg --expert --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)

OnlyKey only supports OpenPGP, which includes the latest algorithms; GnuPG supports lots of other options, such as legacy algorithms (3DES, SHA1), that are not supported.

Hi t11,

I have no issues using an OpenGPG key; I am trying to use a stored SSH key, and that does not work.

I can use derived ed25519 SSH keys without problems as well, the issue is that I need RSA keys, which do not work.

I have generated a new SSH key with ssh-keygen, are there any additional options I need to provide to ensure it will generate a key that my OnlyKey DUO can use? Which algorithms are the latest that it can use and are supported? (sorry for asking but I have not found where this is specified in the documentation yet).

Thanks!

Here are the steps to use an RSA SSH stored key:

ssh-keygen -t rsa -b 2048

After you have the private key, copy and paste it into the OnlyKey app like this:

image

Save to OnlyKey, make sure your device is in config mode, and in my case there was no passphrase set.

Generate your public key:

onlykey-agent user@host -e rsa -sk RSA2

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDw+2ZUJI7mza8nT7vhNNf/8KgNkrYebOSN+NjrEZSIbEEGx3zNV2GEQSEyYDknGI7PxSZlrEsqqSNiBM7ItFi8X0UayLKDbzK6YuuhlLn/SapKavaGL09/gYlMWIf1j/NHx/ilADAjI3ankqxwkvZl8bDtOSpfxmIzHQhuaQ34+oc3baSnIp3WHAC+zeePg2tXi0Oqr6JRBWtjWbTvyqmQ11gZxdeyx9+n4mlDAB6y77PXM7njslHQg/cf7rf2/1Ynd90nK6kXUhr5wO44M7hfCX8BI/qsLaiOHu9V5FdP4oMf3Vm07sm9BgahijkJkC/h6hBumHSewC59rbwWFMzZ ssh://osboxes@172.16.149.189|rsa

Put this in your authorized_keys file, then you can SSH like this:

onlykey-agent user@host  -e rsa -sk RSA2 -c

Hi @t11 ,

Thanks! I got my already installed key working with the command you provided:

onlykey-agent me@host -e rsa -sk RSA3 -c

(just changed the slot to RSA3 as I have my OpenGPG keys in RSA slot 1 and 2 already).

So the problem was the incorrect value for -e CURVE: with rsa it works and with rsa2048 it doesn’t. This means that the documentation / help for onlykey-agent is not correct as it states:

  -e CURVE, --ecdsa-curve-name CURVE
                        specify ECDSA/EDDSA curve name: ed25519, nist256p1,
                        rsa2048, rsa4096

Although this now works against Linux machines, when connecting to a Cisco router, I still get:

% onlykey-agent me@router -e rsa -sk RSA3 -c
2022-11-13 14:03:05,175 ERROR        signature with "<ssh://me@router|rsa>" key failed                                                     [protocol.py:152]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 254, in sign
    if self.sighash == b'rsa-sha2-512':
AttributeError: 'OnlyKey' object has no attribute 'sighash'
sign_and_send_pubkey: signing failed for RSA "/var/folders/d8/sy6bvw455xb391zdrz7nh7rm0000gn/T/trezor-ssh-pubkey-096mgz5m" from agent: communication with agent failed
2022-11-13 14:03:05,177 WARNING      error: 'OnlyKey' object has no attribute 'sighash'                                                   [server.py:100]
Traceback (most recent call last):
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/ssh/client.py", line 54, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.10/site-packages/libagent/device/onlykey.py", line 254, in sign
    if self.sighash == b'rsa-sha2-512':
AttributeError: 'OnlyKey' object has no attribute 'sighash'

I did some debugging and noticed that the sighash attribute is not set as the router still uses the ssh-rsa algorithm (SHA1). This was deprecated in OpenSSH but can still be enabled. How can I get this working in onlykey-agent as well?
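Added example, not part of the original posts and not libagent's own code: in the SSH agent protocol, the client asks for an RSA hash through the flags field of the sign request, and a request with no SHA-2 flag means the legacy ssh-rsa (SHA-1) signature discussed above. The decoder below shows that mapping on constructed frames; how libagent derives its sighash attribute is not shown in the thread, and the function names and sample data here are assumptions for illustration.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13      # agent protocol message type
SSH_AGENT_RSA_SHA2_256 = 0x02     # sign-request flag bits
SSH_AGENT_RSA_SHA2_512 = 0x04


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Read one SSH string at offset off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def requested_rsa_algorithm(frame: bytes) -> str:
    """Name the RSA signature algorithm one framed sign request asks for."""
    body, end = read_string(frame, 0)      # frame = uint32 length + body
    if end != len(frame) or not body or body[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a single SSH_AGENTC_SIGN_REQUEST frame")
    key_blob, off = read_string(body, 1)
    _data, off = read_string(body, off)    # bytes to be signed (unused here)
    if off + 4 != len(body):
        raise ValueError("missing or malformed flags field")
    (flags,) = struct.unpack_from(">I", body, off)
    key_type, _ = read_string(key_blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("hash flags only apply to RSA keys")
    if flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    if flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    return "ssh-rsa"                       # no SHA-2 flag: RSA with SHA-1


def build_request(flags: int) -> bytes:
    """Constructed sample frame: dummy key blob and data, not a capture."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc1" + bytes(255))
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob)
            + ssh_string(b"constructed session data") + struct.pack(">I", flags))
    return ssh_string(body)
```

An agent that only handles the two SHA-2 results needs an explicit branch for the "ssh-rsa" result so that it can refuse with a clear message.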

Is it possible your Cisco device is using SHA-1? I remember seeing a Mikrotik device that only supported SHA-1, which isn’t supported by OnlyKey as it has been deprecated for security reasons.

Some Cisco devices indeed still use SHA-1. As it is not possible to change the software in these devices, using SSH with SHA-1 is the only option. In my environment these are on a management network and not publicly accessible; I would think that even using SSH with SHA-1 is still less bad than being forced to use telnet (which has no encryption).

I understand it is deprecated but also OpenSSH still offers the option to use it. What is required to get it working with OnlyKey?

OnlyKey SSH agent does not support SHA-1; unfortunately, it would not be possible. Most devices support SHA-256, as SHA-1 isn’t recommended to be used. Yes, using SSH with SHA-1 would be better than no encryption.