trezor-agent

Error: signature with "<ssh://user@[REDACTED]|nist256p1>" key failed

Open · antonionardella opened this issue 3 years ago · 1 comment

Hello here!

Today I upgraded a VPS to Ubuntu 22.04 and tried to connect as usual with ledger-agent 0.9.0 and got the following error.

2022-08-30 11:20:20,877 WARNING      unparsed blob: b"\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 \x9b-u\x98\x93\xfc\x83\xe9~\xfbb,\xc3\xc2\x17\x89\x19\xb4\x90\x9f\x17\x1d+\x0f\xf3s9\x00'\xb23," [client.py:81]
2022-08-30 11:20:20,923 ERROR        signature with "<ssh://user@[REDACTED]|nist256p1>" key failed                                      [protocol.py:151]
Traceback (most recent call last):
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 147, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 234, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/client.py", line 52, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/device/ledger.py", line 87, in sign
    apdu += bytearray([len(blob) + len(path) + 1])
ValueError: byte must be in range(0, 256)
sign_and_send_pubkey: signing failed for ECDSA "/tmp/trezor-ssh-pubkey-5qb2h283" from agent: communication with agent failed
ssh://user@[REDACTED]: Permission denied (publickey).
2022-08-30 11:20:20,923 WARNING      error: byte must be in range(0, 256)                                                                 [server.py:100]
Traceback (most recent call last):
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/protocol.py", line 147, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/__init__.py", line 234, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/ssh/client.py", line 52, in sign_ssh_challenge
    return self.device.sign(blob=blob, identity=identity)
  File "/home/antonio/.local/lib/python3.10/site-packages/libagent/device/ledger.py", line 87, in sign
    apdu += bytearray([len(blob) + len(path) + 1])
ValueError: byte must be in range(0, 256)

I can connect without issues using a local identity file.

Any idea what I shall look at?

antonionardella avatar Aug 30 '22 09:08 antonionardella

IIUC, it seems that Ledger doesn't support long challenge blobs. @Saltari @btchip could you please take a look?

romanz avatar Aug 30 '22 16:08 romanz

Finally sat down and found a workaround. Made a Github account just to report back here.

@antonionardella and whoever else needs to get around this error: Downgrade your OpenSSH client to any version older than 8.9. There's a new feature in OpenSSH 8.9 that's breaking libagent: https://www.openssh.com/agent-restrict.html

I added logging lines to protocol.py to examine the blob for a server which triggers this error and for a server which doesn't. I found the string [email protected] in the former, which is what led me to this conclusion.

lykso avatar Oct 06 '22 03:10 lykso
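The traceback above fails at `apdu += bytearray([len(blob) + len(path) + 1])`, i.e. the length of the challenge blob plus the derivation path is written into a single APDU length byte, which cannot exceed 255. The script below is an added example, not libagent's or Ledger's code: it decodes the SSH wire-format "unparsed blob" from the log (RFC 4251 length-prefixed strings), computes the same length the Ledger code path writes, and refuses to build an APDU whose payload cannot fit in one byte, so an oversized challenge (such as the longer requests lykso observed from OpenSSH 8.9 clients) is reported as an explicit error rather than as "byte must be in range(0, 256)". The APDU header bytes, the BIP32 path encoding, the example path and the long challenge are all assumptions constructed for illustration; the only facts taken from the page are the logged blob and the one-byte length field.

```python
"""Decode an SSH agent blob and check it against a one-byte APDU length field.

Added example; not libagent, trezor-agent or Ledger code.
"""
import struct

APDU_LC_MAX = 255  # bytearray([n]) in the traceback requires 0 <= n <= 255

# Copied from the "unparsed blob" WARNING in the issue log (client.py:81).
LOGGED_BLOB = (
    b"\x00\x00\x003\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 "
    b"\x9b-u\x98\x93\xfc\x83\xe9~\xfbb,\xc3\xc2\x17\x89\x19\xb4"
    b"\x90\x9f\x17\x1d+\x0f\xf3s9\x00'\xb23,"
)

HARDENED = 0x80000000


def ssh_string(data):
    """Encode bytes as an RFC 4251 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(buf):
    """Split a buffer made of consecutive RFC 4251 strings into a list of bytes."""
    items, offset = [], 0
    while offset < len(buf):
        if offset + 4 > len(buf):
            raise ValueError("truncated length prefix at offset %d" % offset)
        (n,) = struct.unpack(">I", buf[offset:offset + 4])
        offset += 4
        if offset + n > len(buf):
            raise ValueError("string of %d bytes overruns buffer" % n)
        items.append(buf[offset:offset + n])
        offset += n
    return items


def decode_pubkey_blob(blob):
    """Decode an SSH public key blob into (key_type, raw_key_bytes)."""
    fields = parse_ssh_strings(blob)
    if len(fields) < 2:
        raise ValueError("not a public key blob")
    return fields[0].decode("ascii"), fields[1]


def bip32_path_bytes(components):
    """Assumed path encoding: one count byte, then each index as uint32 BE."""
    return bytes([len(components)]) + b"".join(
        struct.pack(">I", c) for c in components)


# Constructed example path (5 components -> 21 bytes); not a real identity.
EXAMPLE_PATH = bip32_path_bytes([44 | HARDENED, 0, 0, 0, 0])

# Constructed oversized challenge: three 100-byte strings, 312 bytes in total.
LONG_CHALLENGE = b"".join(ssh_string(b"x" * 100) for _ in range(3))


def sign_payload_length(blob, path):
    """The value the traceback's line stores in a single byte."""
    return len(blob) + len(path) + 1


def fits_single_byte_lc(blob, path):
    return sign_payload_length(blob, path) <= APDU_LC_MAX


def build_sign_apdu(blob, path, header=b"\x80\x04\x00\x00"):
    """Build [header][Lc][path][blob], failing early if Lc does not fit.

    The header bytes are a placeholder, not the Ledger SSH app's real values.
    """
    lc = sign_payload_length(blob, path)
    if lc > APDU_LC_MAX:
        raise ValueError(
            "challenge of %d bytes + path of %d bytes exceeds the %d-byte APDU "
            "limit; the device cannot sign this request" %
            (len(blob), len(path), APDU_LC_MAX))
    return header + bytes([lc]) + path + blob


if __name__ == "__main__":
    (hostkey,) = parse_ssh_strings(LOGGED_BLOB)
    ktype, key = decode_pubkey_blob(hostkey)
    print("logged blob: %d-byte %s key, payload %d" %
          (len(key), ktype, sign_payload_length(LOGGED_BLOB, EXAMPLE_PATH)))
    for name, blob in (("logged", LOGGED_BLOB), ("long", LONG_CHALLENGE)):
        try:
            build_sign_apdu(blob, EXAMPLE_PATH)
            print(name, "fits")
        except ValueError as e:
            print(name, "rejected:", e)
```

Running it decodes the logged blob as one 51-byte SSH string wrapping a 32-byte ssh-ed25519 key (payload 77, fits), and rejects the constructed 312-byte challenge with a message naming the limit instead of the bare range error from the traceback.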