
Small fixes

pull/1/head
Julien Escario 4 years ago
parent
commit
e7c2f86cb1
  1. 8
      ssh/yubibug.md

@ -2,14 +2,14 @@
## What's wrong with ED25519 and Yubikey 5 ?
#### TL;DR :
In the last weeks, I tried to setup ed25519 gnupg keys for use with SSH on my new Yubikey 5C NFC. It works like a charm but when used with an ED25519 SSH certificate, the authentication failed with an error like :
In the last weeks, I tried to setup ed25519 gnupg keys for use with SSH on my new Yubikey 5C NFC. It works like a charm but when used with an SSH certificate, the authentication failed with an error like :
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is easier to setup but not recommended in production as the master key can't be reused to generate other keys.
(see here [https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP))
Let's make things clear :
Here's how to reproduce the error :
<pre>
$ <b>rm -R .gnupg</b>
$ <b>rm -R .ssh</b>
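Review bot: the reproduction steps open with `rm -R .gnupg` and `rm -R .ssh`, which wipe the reader's existing GnuPG keyring and SSH keys, known_hosts and config with no warning; consider stating that explicitly, or pointing to a throwaway setup such as `export GNUPGHOME=$(mktemp -d)` and a separate `ssh -F` config so the demo does not destroy real material. Also, the rewritten sentence "when used with an SSH certificate" drops the key type that the TL;DR is about; since the title and the error line both say ED25519, keeping "an ED25519 SSH certificate" (or noting that the certificate type is what triggers the refusal) would keep the claim precise. Minor: the link text in "(see here [https://support.yubico.com/...](https://support.yubico.com/...))" repeats the URL verbatim; a short title such as "Using Your YubiKey with OpenPGP" reads better.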
@ -188,10 +188,10 @@ $ <b>ssh-keygen -Lf .ssh/id_ed25519-cert.pub</b>
</pre>
At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.
You should have something like :
<pre>
server:~# <b>cat .ssh/authorized_keys</b>
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
</pre>
Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys](http://man.he.net/man5/authorized_keys)
Now, try to login :
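Review bot: the `cert-authority ssh-ed25519 ... Test CA` line in `authorized_keys` accepts any certificate signed by that CA for this account, with no further constraint; the authorized_keys(5) format cited in the paragraph also allows a `principals="..."` option on a cert-authority line, so it would be worth mentioning it so readers tie the CA entry to specific principals rather than trusting the CA for everyone. Typos in the same hunk: "authorized_keys file ." has a stray space before the period, and "loaded into you ssh-agent" should read "your ssh-agent".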
