`sign_and_send_pubkey: signing failed for ED25519 "cardno:" from agent: agent refused operation`

I’ve setup my Nitrokey Start with an ED25519 key and am using it for mostly server administration with SSH.

I currently manage 4 servers and can only access 2 of these with this public key and on the other servers (after setting up the authorized_keys file properly) I am unable to use it.

On the client I receive the error message:

sign_and_send_pubkey: signing failed for ED25519 "cardno:[redacted]" from agent: agent refused operation

While on the server sshd logs the following:

Unable to negotiate with [redacted] port [redacted]: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]

And when I turn on DEBUG level sshd logs, I get the following two messages (in this order):

Accepted key ED25519 SHA256:[redacted] found at /root/.ssh/authorized_keys:1
Postponed publickey for root from [redacted] port [redacted] ssh2 [preauth]

I do have root login permited, for the moment, and am able to login using the password after publickey authentication fails.

I don’t want to keep password authentication enabled much longer, both for security and convenience.

I suspect that this must be an issue with my server configuration, which uses NixOS and is newly setup and is configured thusly:

  services.openssh = {
     enable = true;
     settings.PasswordAuthentication = true;
     settings.PubkeyAuthentication = true;
     settings.GSSAPIAuthentication = false;
     settings.ChallengeResponseAuthentication = false;
     settings.KbdInteractiveAuthentication = false;
     settings.PermitRootLogin = "yes";
     settings.LogLevel = "DEBUG";     

I have also checked the permissions on the /root/.ssh, but these are set correctly.

I’m at a loss about potential alternative solutions. This same key works on other servers, which run debian and ubuntu, but I’m also having this issue with another ubuntu server.

As a final info I have checked the GPG and SSH versions on my client and the nixos (failing) and debian (working) servers:

OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
gpg (GnuPG) 2.4.4


OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024
gpg (GnuPG) 2.4.4


OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022
gpg (GnuPG) 2.2.27

This can be fixed with something like ssh -oHostKeyAlgorithms=+ssh-rsa ...

You might need to update those machines to support ed25519 host keys (check your OpenSSH version and use the host key generation commands to add the key).

Which key algorithm should I set as HostKeyAlgorithms? If I try using ssh-rsa as an additional host key algorithm or just as an additional one, it does not solve the problem.

Please check which host keys have been generated on the machine running sshd.

An RSA and an ED25519 Key have been generated on the server.

I don’t quite know what happened but now it’s working and here is what I did:

  1. I removed my generated RSA and ED25519 keys
  2. Regenerated them both using ssh-key-gen.
  3. Explicitly set my key exchange, cipher, mac and host key algorithms according to ssh-audit.com hardening guidelines for Debian (although I’m using NixOS).
  4. Rebuild my configuration and now I’m able to connect with my Nitrokey Start.

Thanks for your time and patience @saper

1 Like