Bug 697464 - Gnome-keyring doesn't support OpenSSH certificates
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: ssh-agent
Version: git master
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
QA Contact: GNOME keyring maintainer(s)
Depends on: 775981
Blocks:
Reported: 2013-04-06 23:16 UTC by Matt Mackall
Modified: 2018-03-09 15:43 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Matt Mackall 2013-04-06 23:16:43 UTC
OpenSSH 5.4 added support for _certificates_, an extremely useful feature not to be confused with keys, back in March 2010. You can read about them here, among other places:

 http://blog.habets.pp.se/2011/07/OpenSSH-certificates

Unfortunately, a) gnome-keyring masquerades as ssh-agent and b) has never heard of ssh certificates. Which leads to this perplexing behavior:

 $ ssh-add id_rsa
 Enter passphrase for id_rsa: 
 Identity added: id_rsa (id_rsa)
 Error reading response length from authentication socket.
 Certificate id_rsa-cert.pub (mpm) add failed
 Certificate added: id_rsa-cert.pub (mpm)

Note the last two lines contradict each other. And the certificate doesn't get added:

 $ ssh-add -l
 4096 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx id_rsa (RSA)

...and the following in auth.log:

 Apr  6 17:07:40 calx gnome-keyring-daemon[3522]: unsupported algorithm from SSH: ssh-rsa-cert-v01@openssh.com

Replacing SSH_AUTH_SOCK with the real ssh-agent socket gives the correct, functional behavior:

 $ ssh-add id_rsa
 Enter passphrase for id_rsa: 
 Identity added: id_rsa (id_rsa)
 Certificate added: id_rsa-cert.pub (mpm)
 $ ssh-add -l
 4096 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx id_rsa (RSA)
 4096 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx id_rsa (RSA-CERT)
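The mismatch between "Certificate add failed" and `ssh-add -l` is easiest to pin down by talking to the agent directly. The script below is an added example (not code from this bug report or from gnome-keyring) that sends SSH_AGENTC_REQUEST_IDENTITIES over SSH_AUTH_SOCK, parses the SSH_AGENT_IDENTITIES_ANSWER reply, and flags every identity whose key type ends in `-cert-v01@openssh.com` (the type string gnome-keyring logs as unsupported above). It also decodes the type from a `-cert.pub` line, since the same key-type-first blob layout is used there. The sample blobs at the bottom are constructed placeholders, not real key material; message numbers and the `-cert-v00@openssh.com` legacy suffix are from the OpenSSH agent and certificate formats.

```python
"""Report which identities held by an SSH agent are OpenSSH certificates."""
import base64
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

# v01 is the current certificate format; v00 is the legacy one from early OpenSSH 5.x.
CERT_SUFFIXES = ("-cert-v01@openssh.com", "-cert-v00@openssh.com")


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def key_type_of_blob(blob: bytes) -> str:
    """Every public-key and certificate blob starts with its key-type string."""
    key_type, _ = _read_string(blob, 0)
    return key_type.decode("ascii")


def is_certificate_type(key_type: str) -> bool:
    return key_type.endswith(CERT_SUFFIXES)


def key_type_of_pubkey_line(line: str) -> str:
    """Key type from a .pub or -cert.pub line ('<type> <base64 blob> [comment]').

    The leading text field is untrusted; the type inside the blob is authoritative,
    so a mismatch between the two is rejected rather than silently accepted."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob_type = key_type_of_blob(base64.b64decode(fields[1]))
    if blob_type != fields[0]:
        raise ValueError(f"type field {fields[0]!r} != blob type {blob_type!r}")
    return blob_type


def build_request_identities() -> bytes:
    """Framed SSH_AGENTC_REQUEST_IDENTITIES message (uint32 length + body)."""
    body = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    return struct.pack(">I", len(body)) + body


def build_identities_answer(keys) -> bytes:
    """Unframed SSH_AGENT_IDENTITIES_ANSWER body; used here to build sample data."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _ssh_string(blob) + _ssh_string(comment)
    return body


def parse_identities_answer(body: bytes):
    """Parse an unframed SSH_AGENT_IDENTITIES_ANSWER into a list of identity dicts."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent reply type {body[:1]!r}")
    (count,) = struct.unpack_from(">I", body, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type = key_type_of_blob(blob)
        identities.append({"type": key_type,
                           "comment": comment.decode("utf-8", "replace"),
                           "certificate": is_certificate_type(key_type)})
    return identities


def agent_holds_certificate(identities) -> bool:
    return any(i["certificate"] for i in identities)


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("agent closed the socket early")
        data += part
    return data


def query_agent(sock_path=None):
    """Ask the live agent on SSH_AUTH_SOCK (or sock_path) for its identities."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


# Constructed sample blobs: only the leading key-type string matters to this parser;
# the remaining fields are placeholders, not real key material.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" * 8)
SAMPLE_CERT_BLOB = _ssh_string(b"ssh-rsa-cert-v01@openssh.com") + _ssh_string(b"nonce-placeholder")
SAMPLE_ANSWER = build_identities_answer([(SAMPLE_KEY_BLOB, b"id_rsa"), (SAMPLE_CERT_BLOB, b"mpm")])
SAMPLE_CERT_LINE = "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(SAMPLE_CERT_BLOB).decode() + " mpm"

if __name__ == "__main__":
    for ident in query_agent():
        print(f"{'CERT' if ident['certificate'] else 'key ':4} {ident['type']:32} {ident['comment']}")
```

Run it once with SSH_AUTH_SOCK pointing at gnome-keyring's socket and once at the stock ssh-agent socket: an agent that rejected the `ssh-rsa-cert-v01@openssh.com` add will list only the plain key, which is the same contradiction `ssh-add -l` shows above, but here it is visible at the protocol level rather than through ssh-add's own messages.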
Comment 1 Stef Walter 2016-12-12 12:58:23 UTC
gnome-keyring should just wrap stock ssh-agent to solve this problem:

https://bugzilla.gnome.org/show_bug.cgi?id=775981
Comment 2 Kevin Lyda 2017-01-10 13:23:34 UTC
This is a problem for me as well. And wrapping the existing ssh-agent would seem like a far better solution.

In the meantime my workaround is to turn ssh support off, but this isn't ideal.

https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
Comment 3 Kevin Lyda 2017-01-10 13:30:29 UTC
To be specific, this is a problem for cashier ( https://github.com/nsheridan/cashier ). This makes ssh key management more secure and manageable - which is not something a keyring project should get in the way of.

The changes for wrapping ssh-agent seem like a great solution to this problem (and a few others for other key types) so hope those branches get merged. Thanks!