Fixing gpg-agent-ssh after adding short key

Fri Jul 24 2020 3 min read

First off, I’ll give a brief overview of my SSH setup. I use gpg-agent’s SSH functionality as an SSH agent which gives me the benefit of automatically caching the key password after prompting for it once. This persists across all my terminals and programs which is great as when I’m running an ansible playbook that pulls in a lot of private role dependencies, I don’t have to constantly put my password in. I used this guide to set up SSH to use the gpg-agent.

The Problem

I’ve been testing out SSH certificate solutions recently for work, mainly Pritunl Zero and Teleport . As part of the process I generated a key with a length less than 2048. Everything seemed fine and I was able to use key to connect to the nodes so I didn’t notice the issue straight away. Then I tried pushing to a repository with a password protected key and I got a prompt in my terminal for my password which is unusual as normally I get a GTK pop up for that. I then tried to push again and it asked for my password again so I knew that my SSH agent wasn’t working properly.

I thought I could fix the issue by removing the identities from the SSH agent using ssh-add but it didn’t seem to make a difference.

$ ssh-add -L
error fetching identities: Invalid key length
$ ssh-add -D
All identities removed.
$ ssh-add -L
error fetching identities: Invalid key length

I made a post on reddit about it but I didn’t get any responses for 7 days. At this point, it was annoying me enough to have another crack at it.

The Solution

After some digging around online, I found gpg-connect-agent which let me run commands against the agent directly. I tried a load of different commands until I found I could list the SSH keys in the agent with their fingerprints. This made it easy to identify which keys shouldn’t be there any more as I could match the keygrips with the MD5 checksums of the SSH public keys in my ~/.ssh folder.

First off I removed the keys I’d generated for pritunl zero and teleport and listed the MD5 checksums of the remaining public keys in my ~/.ssh folder

for f in $(ls ~/.ssh/*.pub); do
  ssh-keygen -l -E md5 -f ~/.ssh/$f

Next I connected to the agent and listed the SSH keys

gpg-connect-agent "KEYINFO --ssh-list --ssh-fpr" /bye

Then I deleted the keys that weren’t in my SSH folder one by one. Each deletion had a pop up asking for confirmation to delete the key and included the comment associated with key so it was easy to check I wasn’t removing one of my active keys.

gpg-connect-agent "DELETE_KEY SOMELONGKEYGRIP" /bye

Success! The ssh-add -L error had gone and when I tried pulling from a repo, I got the GTK pinentry pop up. Pulling again just worked without the pinentry and I was back to normal!