dlech / KeeAgent

ssh agent plugin for KeePass 2.x
http://lechnology.com/software/keeagent

When openssh certificate is loaded from Keepass, private key is not loaded #345

Closed msabatier closed 2 years ago

msabatier commented 2 years ago

Hi David,

I tested with KeePass v2.51.1 on Windows 11 64-bit with this build: https://github.com/dlech/KeeAgent/actions/runs/2374959331

When loading a key with a certificate into KeeAgent using ssh-add, everything works as expected, and ssh-add -l gives

256 SHA256:WcUVunq0 ... Oto8c msabatier (ED25519)
256 SHA256:WcUVunq0 ... Oto8c msabatier (ED25519-CERT)

When I use that key to connect, it works:

debug1: Authentications that can continue: publickey
debug1: Offering public key: msabatier ED25519-CERT SHA256:WcUVunq0 ... Oto8c agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: msabatier ED25519-CERT SHA256:WcUVunq0 ... Oto8c agent
debug3: sign_and_send_pubkey: ED25519-CERT SHA256:WcUVunq0 ... Oto8c
debug2: sign_and_send_pubkey: using private key "msabatier" from agent for certificate
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01@openssh.com
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

When adding the same key to the KeePass file and configuring KeeAgent to load it from the file, only the cert is loaded. An ssh-add -l gives

256 SHA256:WcUVunq0 ... Oto8c msabatier (ED25519-CERT)

When trying to connect, it fails as the private key is not available:

debug1: Authentications that can continue: publickey
debug1: Offering public key: msabatier ED25519-CERT SHA256:WcUVunq0 ... Oto8c agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: msabatier ED25519-CERT SHA256:WcUVunq0 ... Oto8c agent
debug3: sign_and_send_pubkey: ED25519-CERT SHA256:WcUVunq0 ... Oto8c
debug1: sign_and_send_pubkey: no separate private key for certificate "msabatier"
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01@openssh.com
agent key ED25519-CERT SHA256:WcUVunq0 ... Oto8c returned incorrect signature type
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01@openssh.com
sign_and_send_pubkey: signing failed: signature algorithm not supported

dlech commented 2 years ago

Are you using KeeAgent in agent mode or client mode? And if client mode, which client?

I noticed that the OpenSSH agent loads two copies of the private key, one with the certificate and one without. In my testing on Linux (both agent mode and client mode), I was able to connect to the Docker container with only the copy with the certificate, so I left it that way.

dlech commented 2 years ago

Do you use the same key without a certificate to connect to some servers?

dlech commented 2 years ago

I was able to reproduce the problem. It turns out the bug was unrelated to having a separate copy of the private key. The problem was that KeeAgent was sending the wrong signing algorithm name to ssh (it wasn't stripping off the -cert part). This wasn't a problem for RSA keys because the algorithm name was overridden due to special SSH agent protocol flags that only apply to RSA keys. But the bug was apparent when using an ED25519 key.
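
The failure described above comes down to one field: the algorithm name the agent writes into the signature blob it returns. The following is an added example (not KeeAgent's or OpenSSH's code) that models that round-trip in Python. The flag values SSH_AGENT_RSA_SHA2_256 = 2 and SSH_AGENT_RSA_SHA2_512 = 4 are the ones defined in the SSH agent protocol draft; the client-side check is a simplified stand-in for the one OpenSSH performs on the returned blob, and the 64 zero bytes used as the signature are a constructed placeholder, since the name check never looks at them. Running the buggy chooser against an ED25519 certificate reproduces the mismatch, while an RSA certificate signed with a SHA-2 flag passes either way, which is why the bug stayed hidden for RSA.

```python
import struct

# Sign-request flags from the SSH agent protocol (draft-miller-ssh-agent).
# They are only meaningful for RSA keys: the agent then signs with
# rsa-sha2-256 / rsa-sha2-512 instead of the legacy ssh-rsa (SHA-1).
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04

CERT_SUFFIX = "-cert-v01@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, offset: int = 0) -> tuple:
    """Decode one SSH string at offset; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + n], start + n


def plain_key_type(key_type: str) -> str:
    """'ssh-ed25519-cert-v01@openssh.com' -> 'ssh-ed25519'; plain names pass through."""
    return key_type[:-len(CERT_SUFFIX)] if key_type.endswith(CERT_SUFFIX) else key_type


def client_flags_for(requested_alg: str) -> int:
    """Flags the ssh client puts in SSH_AGENTC_SIGN_REQUEST for a given
    algorithm name; only the RSA SHA-2 variants set a flag."""
    if requested_alg.startswith("rsa-sha2-512"):
        return SSH_AGENT_RSA_SHA2_512
    if requested_alg.startswith("rsa-sha2-256"):
        return SSH_AGENT_RSA_SHA2_256
    return 0


def sig_algorithm_fixed(key_type: str, flags: int) -> str:
    """Correct agent behaviour: name the base algorithm, never the cert type."""
    base = plain_key_type(key_type)
    if base == "ssh-rsa":
        if flags & SSH_AGENT_RSA_SHA2_512:
            return "rsa-sha2-512"
        if flags & SSH_AGENT_RSA_SHA2_256:
            return "rsa-sha2-256"
    return base


def sig_algorithm_buggy(key_type: str, flags: int) -> str:
    """Failure mode from the issue: the cert suffix is left on the name.
    RSA with a SHA-2 flag is unaffected because the flag replaces the name."""
    if key_type.startswith("ssh-rsa") and flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    if key_type.startswith("ssh-rsa") and flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    return key_type


def build_signature_blob(algorithm: str, raw_sig: bytes) -> bytes:
    """Signature blob as carried in SSH_AGENT_SIGN_RESPONSE:
    string algorithm-name, string signature-bytes."""
    return ssh_string(algorithm.encode()) + ssh_string(raw_sig)


def client_accepts(sig_blob: bytes, requested_alg: str) -> bool:
    """Client-side check: the name inside the blob must equal the base
    signing algorithm of the requested (possibly certificate) algorithm."""
    name, _ = parse_ssh_string(sig_blob)
    return name.decode() == plain_key_type(requested_alg)


def simulate(key_type: str, requested_alg: str, chooser) -> bool:
    """One agent round-trip: client picks flags, agent picks the name with
    `chooser`, client validates the returned blob. True means ssh proceeds."""
    flags = client_flags_for(requested_alg)
    alg = chooser(key_type, flags)
    # Constructed placeholder: real signature bytes are irrelevant to the
    # name check, so nothing is actually signed here.
    blob = build_signature_blob(alg, b"\x00" * 64)
    return client_accepts(blob, requested_alg)


ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"
RSA_CERT = "ssh-rsa-cert-v01@openssh.com"

if __name__ == "__main__":
    for label, chooser in (("buggy", sig_algorithm_buggy), ("fixed", sig_algorithm_fixed)):
        print(label, "ed25519-cert:", simulate(ED25519_CERT, ED25519_CERT, chooser))
        print(label, "rsa-cert/rsa-sha2-512:", simulate(RSA_CERT, "rsa-sha2-512" + CERT_SUFFIX, chooser))
        print(label, "rsa-cert/legacy ssh-rsa:", simulate(RSA_CERT, RSA_CERT, chooser))
```

The legacy ssh-rsa case in the last line shows that the RSA masking only holds while the client asks for a SHA-2 variant: with flags of zero the buggy chooser falls through to the raw key type and fails the same way the ED25519 certificate does.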

msabatier commented 2 years ago

I am using KeeAgent in agent mode.

I confirm that authentication with my cert is working with the latest build. You are right, this was not related to the private key being loaded.

But to answer your question: yes, we sometimes also connect with the key and not the cert. Plus, this is what OpenSSH does when you use ssh-add, as you noticed. That's why in my original PR I was loading both.