trustcrypto / onlykey-agent

The OnlyKey agent is essentially middleware that lets you use OnlyKey as a hardware SSH/GPG device.
https://docs.crp.to/onlykey-agent.html
GNU Lesser General Public License v3.0

agent forwarding currently not possible #10

Closed dhx closed 2 years ago

dhx commented 5 years ago

Forwarding the agent to a remote server would be a very interesting feature, maybe it is possible, but trying it with the following command did not work for me:

onlykey-agent user@server -- ssh -A user@server

onlykey commented 5 years ago

@dhx Have you tried something similar to this? https://groups.google.com/d/msg/onlykey/6qvMfSD7bTE/hUPTgZ2ZCgAJ

dhx commented 5 years ago

Hey @onlykey thanks for the hint, actually I use the commands mentioned in the google group, the problem arises for me as soon as I try to use the forwarded agent on the host to connect to another system. In my specific case I have a git repo on the server I connect to via ssh like:

onlykey-agent user123@myorg.org -- ssh -A user123@gitserver.myorg.org
gitserver:~$ cd gitrepo
gitserver:~/gitrepo$ git pull origin master

this last git command would need the ssh agent (that should be forwarded with the -A switch), but instead of asking the user to press the three number keys on the onlykey the call seems to hang indefinitely (no output in the shell, but the onlykey also does not indicate that something has to be entered - normally the color of the led changes when the user is requested to enter the three numbers)

dhx commented 5 years ago

See also the "Agent forwarding" section documented for the java trezor agent implementation: https://github.com/martin-lizner/trezor-ssh-agent

onlykey commented 3 years ago

@dhx This should work now with the latest version, are you able to try it? https://docs.crp.to/upgradeguide.html

dhx commented 3 years ago

@onlykey Thanks for the update, it seems to be possible now to forward the agent, many times though I see the following error when trying to use it the first time (the second time it often works):

Enter the 3 digit challenge code on OnlyKey to authorize <ssh://<...>@<...>|nist256p1>
6 3 5
2020-11-03 08:58:22,359 ERROR        signature status: ERROR                                                                              [protocol.py:153]
Traceback (most recent call last):
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/ssh/protocol.py", line 150, in sign_message
    sig_bytes = key['verifier'](sig=signature, msg=blob)
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/formats.py", line 78, in ecdsa_verifier
    vk.verify(signature=sig, data=msg, sigdecode=sig_decode)
  File "/home/<...>/.local/lib/python3.6/site-packages/ecdsa/keys.py", line 654, in verify
    return self.verify_digest(signature, digest, sigdecode, allow_truncate)
  File "/home/<...>/.local/lib/python3.6/site-packages/ecdsa/keys.py", line 712, in verify_digest
    raise BadSignatureError("Signature verification failed")
ecdsa.keys.BadSignatureError: Signature verification failed
sign_and_send_pubkey: signing failed: communication with agent failed
2020-11-03 08:58:22,371 WARNING      error: invalid signature                                                                             [server.py:100]
Traceback (most recent call last):
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/ssh/protocol.py", line 150, in sign_message
    sig_bytes = key['verifier'](sig=signature, msg=blob)
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/formats.py", line 78, in ecdsa_verifier
    vk.verify(signature=sig, data=msg, sigdecode=sig_decode)
  File "/home/<...>/.local/lib/python3.6/site-packages/ecdsa/keys.py", line 654, in verify
    return self.verify_digest(signature, digest, sigdecode, allow_truncate)
  File "/home/<...>/.local/lib/python3.6/site-packages/ecdsa/keys.py", line 712, in verify_digest
    raise BadSignatureError("Signature verification failed")
ecdsa.keys.BadSignatureError: Signature verification failed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/ssh/protocol.py", line 103, in handle
    reply = method(buf=buf)
  File "/home/<...>/.local/lib/python3.6/site-packages/libagent/ssh/protocol.py", line 154, in sign_message
    raise ValueError('invalid signature')
ValueError: invalid signature

Btw: After doing the ssh login via the Onlykey for some time it seems to stay in another mode (yellow instead of green) which does not allow the usage of the key for password entry. Is it possible to change this behaviour?

onlykey commented 3 years ago

@dhx Can you give me a scenario to try so I can attempt to reproduce this? OnlyKey now turns yellow while busy/waiting so it should only be yellow for a couple of seconds unless something went wrong.

mr-sour commented 3 years ago

I was trying this out and it seems to work. I started with this.

onlykey-agent -sk 101 mr_sour@jumpbox.public -- ssh -A mr_sour@jumpbox.public

I then was able to check the agent was forwarded

mr_sour@jumpbox.public:~$ echo $SSH_AUTH_SOCK
/tmp/ssh-mzBtpQ6QBt/agent.13827
ssh mr_sour@someotherbox
Enter the 3 digit challenge code on OnlyKey to authorize

I did run into sign_and_send_pubkey: signing failed: communication with agent failed which would cause python to crash. Restarting seemed to fix that though.
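The check above (echo $SSH_AUTH_SOCK, then ssh onward) only shows that a socket path was exported. The following is an added example, not code from this thread or from onlykey-agent, that goes one step further: it speaks the standard ssh-agent protocol over that socket with nothing but the Python standard library and lists the identities the forwarded agent exposes, so you can confirm from the jump host that the OnlyKey-backed key is actually reachable before a git pull hangs. It assumes the forwarded socket speaks the usual agent protocol (length-prefixed frames, SSH_AGENTC_REQUEST_IDENTITIES = 11, SSH_AGENT_IDENTITIES_ANSWER = 12) and the key comment in the constructed sample reply is made up. Keep in mind that while the session is open, anything running as you (or root) on the jump host can send signing requests through the same socket; the 3-digit challenge the OnlyKey demands per signature is what stands between such a request and a usable signature.

```python
"""List the identities a (forwarded) SSH agent exposes, using only the stdlib.

Added example: this is not onlykey-agent's own code. Run it on the jump host
after logging in with `ssh -A`; it reads $SSH_AUTH_SOCK like ssh-add -L does.
"""
import os
import socket
import struct

# Message types from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_request_identities() -> bytes:
    """Frame a SSH_AGENTC_REQUEST_IDENTITIES message: uint32 length + type byte."""
    body = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(payload: bytes):
    """Parse the body of an agent reply (after the 4-byte length prefix).

    Returns a list of (key_type, key_blob, comment) tuples. The key blob is the
    same wire encoding that appears base64-encoded in ssh-add -L output.
    """
    if not payload:
        raise ValueError("empty reply from agent")
    if payload[0] == SSH_AGENT_FAILURE:
        raise ValueError("agent returned SSH_AGENT_FAILURE")
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % payload[0])
    (nkeys,) = struct.unpack(">I", payload[1:5])
    off = 5
    keys = []
    for _ in range(nkeys):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        key_type, _ = read_string(blob, 0)  # first field of every key blob
        keys.append((key_type.decode(), blob, comment.decode(errors="replace")))
    if off != len(payload):
        raise ValueError("trailing bytes in reply")
    return keys


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; agent replies may arrive in pieces."""
    chunks = b""
    while len(chunks) < n:
        part = sock.recv(n - len(chunks))
        if not part:
            raise ConnectionError("agent closed the socket early")
        chunks += part
    return chunks


def list_agent_identities(sock_path=None):
    """Connect to the agent socket and return its identities."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set: no agent forwarded to this host")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return parse_identities_answer(recv_exact(s, length))


# Constructed sample reply (not captured from a real agent): one
# ecdsa-sha2-nistp256 key with a dummy uncompressed point and a made-up comment
# in the style onlykey-agent uses for its key comments.
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + b"\x11" * 64))
SAMPLE_REPLY = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                + ssh_string(SAMPLE_BLOB) + ssh_string(b"ssh://user@host|nist256p1"))

if __name__ == "__main__":
    for key_type, blob, comment in list_agent_identities():
        print("%s  (%d-byte blob)  %s" % (key_type, len(blob), comment))
```

If the script raises because SSH_AUTH_SOCK is unset, the -A forwarding did not take effect (or the server's sshd disallows it); if it connects but returns zero identities, the socket is forwarded but the agent on your workstation is no longer answering, which is a different failure from the signature error further down this thread.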

dhx commented 3 years ago

@onlykey could not reproduce the issue with the BadSignatureError anymore, if I'm able to reproduce it I'll make an update. Regarding the key staying in busy/waiting (yellow) mode, this is always happening after entering the challenge code for 30 sec. Is there a way to diagnose / trace the communication with the onlykey to find out what the onlykey is waiting for?

onlykey commented 3 years ago

@dhx the yellow waiting is like a cool off period between actions, however this seems to not work for agent forwarding per your issue. The next firmware/agent release will have a fix to address this issue.