Gpg with Nitrokey Storage 2 using brainpoolP512r1: Unable to export public SSH key

Hi,

I followed the official instructions here but generated brainpool512 keys instead of RSA. Everything went fine, and I imported the key on a Debian 9 system. Now, when I wanted to export/convert the key to openssh format I get the following output from gpg 2.1.18:

gpg: export as ssh key failed: Unknown elliptic curve

I upgraded gpg to 2.2.10, but the error message remains the same.

Any ideas?

Hi,

please provide the command you used when the message arrived as well.

Kind regards
Alex

This seems to be a limitation of GnuPG. Could you ask at the GnuPG mailing list or submit an issue ticket there?

Seems so, indeed. Actually, I wasn’t able to even generate them directly on card or locally :thinking:

Thank you for the prompt replies! The command I used was:

gpg --verbose --export-ssh-key firstname.lastname@xyz.foo

Unfortunately, I don’t have the time right now to push this issue upstream, but since you could reproduce the failure I assume gnupg is not ready yet to be used with brainpool512 ECC for SSH logins, so I will have to fall back to something more mature.

A small note for future visitors:

As mentioned here, SSH only supports the following curves:

ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com

Thus, gnupg only allows ssh key export of these listed above as well.
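
An added example, not part of the original thread or of GnuPG: a pre-check that reads `gpg --with-colons` output and reports, per key, whether its algorithm and curve map to one of the SSH key types listed above. The function names, the sample listing and its key ids are constructed for illustration; the mapping follows the list quoted in the post.

```shell
#!/bin/sh
# Field numbers follow GnuPG's colon listing format:
#   1 = record type, 4 = public-key algorithm id, 5 = key id, 17 = curve name.

# Print the SSH key type for an algorithm id ($1) and curve ($2); return 1 if
# the pair has no counterpart in the list of SSH key types quoted above.
ssh_type_for() {
    case "$1" in
        1)  echo ssh-rsa ;;                      # RSA
        17) echo ssh-dss ;;                      # DSA
        19) case "$2" in                         # ECDSA
                nistp256|nistp384|nistp521) echo "ecdsa-sha2-$2" ;;
                *) return 1 ;;
            esac ;;
        22) [ "$2" = ed25519 ] && echo ssh-ed25519 || return 1 ;;  # EdDSA
        *)  return 1 ;;
    esac
}

# Read a colon listing on stdin and print one verdict per pub/sub record.
report() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $4, $5, ($17 == "" ? "-" : $17) }' |
    while read -r algo keyid curve; do
        if t=$(ssh_type_for "$algo" "$curve"); then
            echo "$keyid $t"
        else
            echo "$keyid UNSUPPORTED(algo=$algo curve=$curve)"
        fi
    done
}

# Constructed sample listing (key ids and timestamps are made up).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:00000000000000A1:1538000000:::u:::scESC:
sub:u:512:19:00000000000000B2:1538000000::::::a:::::brainpoolP512r1:
sub:u:256:22:00000000000000C3:1538000000::::::a:::::ed25519:
sub:u:384:19:00000000000000D4:1538000000::::::a:::::nistp384:
EOF
}

# Real use: gpg --with-colons --list-keys <user-id> | report
sample_listing | report
```

Running the check before moving keys onto a card shows up front which authentication subkeys would fail at `--export-ssh-key`.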