Pageant failed to answer challenge

[NTICompass]

I have a KeepKey and when I use "Show Public Key", it works - asking for my PIN and showing a public key. But when I open PuTTY and try to connect, it also asks for my PIN, I see the "loading" bar on the device then an error: "Pageant failed to answer challenge".

In the log, I see:

[09.05.2018 00:02:32] INFO: Java version: 1.8.0_121-b13 (64-bit)
[09.05.2018 00:02:32] INFO: Java home: C:\Program Files\Java\jre8
[09.05.2018 00:02:32] INFO: Trezor SSH Agent 1.0.3 started successfully
[09.05.2018 00:02:32] INFO: Existing settings file loaded: C:\Users\NTICompass\Trezor_Agent.properties
[09.05.2018 00:02:33] INFO: KeepKey Service Started
[09.05.2018 00:02:34] INFO: Received USB event: SHOW_DEVICE_READY
[09.05.2018 00:02:38] INFO: Request for operation: SSH2_AGENT_GET_IDENTITIES
[09.05.2018 00:02:38] INFO: Received USB event: SHOW_PIN_ENTRY
[09.05.2018 00:02:53] INFO: Received USB event: PUBLIC_KEY_FOR_IDENTITY
[09.05.2018 00:02:53] INFO: Operation SSH2_AGENT_GET_IDENTITIES executed successfully
[09.05.2018 00:02:54] INFO: Request for operation: SSH2_AGENT_SIGN_REQUEST
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_OPERATION_FAILED
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_DEVICE_READY
[09.05.2018 00:02:54] INFO: Received USB event: SHOW_OPERATION_FAILED
[09.05.2018 00:02:54] SEVERE: Sign operation failed
com.trezoragent.exception.SignFailedException: Sign operation failed on HW.
    at com.trezoragent.sshagent.DeviceWrapper.signChallenge(DeviceWrapper.java:123)
    at com.trezoragent.sshagent.SSHAgent.processSignRequest(SSHAgent.java:253)
    at com.trezoragent.sshagent.SSHAgent.answerMessage(SSHAgent.java:170)
    at com.trezoragent.sshagent.SSHAgent.answerIfDevicePresent(SSHAgent.java:224)
    at com.trezoragent.sshagent.SSHAgent.processMessage(SSHAgent.java:149)
    at com.trezoragent.sshagent.SSHAgent.callback(SSHAgent.java:111)
    at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.sun.jna.CallbackReference$DefaultCallbackProxy.invokeCallback(CallbackReference.java:485)
    at com.sun.jna.CallbackReference$DefaultCallbackProxy.callback(CallbackReference.java:515)
    at com.sun.jna.Native.invokeInt(Native Method)
    at com.sun.jna.Function.invoke(Function.java:390)
    at com.sun.jna.Function.invoke(Function.java:323)
    at com.sun.jna.Library$Handler.invoke(Library.java:236)
    at com.sun.proxy.$Proxy0.GetMessage(Unknown Source)
    at com.trezoragent.sshagent.SSHAgent.startMainLoop(SSHAgent.java:96)
    at com.trezoragent.gui.TrayProcess.start(TrayProcess.java:96)
    at com.trezoragent.gui.StartAgentGUI.main(StartAgentGUI.java:50)

[martin-lizner]

Please try:

• Using different curve (nist256p1 | ed25519)
• Authenticate to same SSH server with Putty/Pageant
• Try different SSH server
• I have tested my app on KeepKey device around 2yrs ago (hw, firmware), so maybe there is newer revision...?
• If you are java guy, try running app from IDE and place breakpoint on DeviceWrapper:109 to see what is actually coming to identity variable. Is challenge data (challengeHidden variable) ok? Your device answers with "sign operation failed".

[NTICompass]

Thanks for the suggestions. I can try these things and see what happens. I was also trying to get SSH via KeepKey to work in Linux using trezor-agent (well, keepkey-agent) and I was also getting an error (but it may've been a different error).

I can SSH to the server with PuTTY, I did so to enter in the public key, and the SSH server should suppot these types of keys, but I haven't checked.

I will troubleshoot/debug a bit and see if I can uncover some more details.

P.S. I just bought this KeepKey and when I initialized it, it updated to firmare 5.1

[NTICompass]

This was an issue with the KeepKey firmware, which is fixed in the latest beta.

See: https://github.com/romanz/trezor-agent/issues/242#issuecomment-391545973

[martin-lizner]

glad thats resolved