`sign_and_send_pubkey: signing failed for ED25519 "cardno:" from agent: agent refused operation`

Nitrokeys Pro/Start/Storage (OpenPGP Card)
1

I’ve setup my Nitrokey Start with an ED25519 key and am using it for mostly server administration with SSH.

I currently manage 4 servers and can only access 2 of these with this public key and on the other servers (after setting up the authorized_keys file properly) I am unable to use it.

On the client I receive the error message:

sign_and_send_pubkey: signing failed for ED25519 "cardno:[redacted]" from agent: agent refused operation

While on the server sshd logs the following:

Unable to negotiate with [redacted] port [redacted]: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]

And when I turn on DEBUG level sshd logs, I get the following two messages (in this order):

Accepted key ED25519 SHA256:[redacted] found at /root/.ssh/authorized_keys:1
[..]
Postponed publickey for root from [redacted] port [redacted] ssh2 [preauth]

I do have root login permited, for the moment, and am able to login using the password after publickey authentication fails.

I don’t want to keep password authentication enabled much longer, both for security and convenience.

I suspect that this must be an issue with my server configuration, which uses NixOS and is newly setup and is configured thusly:

  services.openssh = {
     enable = true;
     settings.PasswordAuthentication = true;
     settings.PubkeyAuthentication = true;
     settings.GSSAPIAuthentication = false;
     settings.ChallengeResponseAuthentication = false;
     settings.KbdInteractiveAuthentication = false;
     settings.PermitRootLogin = "yes";
     settings.LogLevel = "DEBUG";     
  };

I have also checked the permissions on the /root/.ssh, but these are set correctly.

I’m at a loss about potential alternative solutions. This same key works on other servers, which run debian and ubuntu, but I’m also having this issue with another ubuntu server.

As a final info I have checked the GPG and SSH versions on my client and the nixos (failing) and debian (working) servers:
Client

OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
gpg (GnuPG) 2.4.4

nixos(failing)

OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024
gpg (GnuPG) 2.4.4

debian(working)

OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022
gpg (GnuPG) 2.2.27
2

This can be fixed with something like ssh -oHostKeyAlgorithms=+ssh-rsa ...

You might need to update those machines to support ed25519 host keys (check your OpenSSH version and use the host key generation commands to add the key).

3

Which key algorithm should I set as HostKeyAlgorithms? If I try using ssh-rsa as an additional host key algorithm or just as an additional one, it does not solve the problem.

4

Please check which host keys have been generated on the machine running sshd.

5

An RSA and an ED25519 Key have been generated on the server.

6

I don’t quite know what happened but now it’s working and here is what I did:

  1. I removed my generated RSA and ED25519 keys
  2. Regenerated them both using ssh-key-gen.
  3. Explicitly set my key exchange, cipher, mac and host key algorithms according to ssh-audit.com hardening guidelines for Debian (although I’m using NixOS).
  4. Rebuild my configuration and now I’m able to connect with my Nitrokey Start.

Thanks for your time and patience @saper

1 Like