Using gpg-agent with the option "enable-ssh-support" (which causes the gpg-agent to provide ssh-agent functionality) has been working fine, using an RSA ssh key. I get an error when trying to use the ssh-add command, now that I have created an ECDSA keypair.

Reproducible: Always

Steps to Reproduce:
0. Run gpg-agent in daemon mode with ssh support enabled.
1. Use ssh-keygen -t ecdsa to generate a keypair.
2. Use ssh-add to attempt to add the key to those authorized for use by the agent.
3. Fail.

Actual Results:
ssh-add of the ECDSA key fails and gpg-agent appears to crash.

    ~ $ ssh-add
    Enter passphrase for /home/username/.ssh/id_rsa:
    Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)
    Enter passphrase for /home/username/.ssh/id_ecdsa:
    Error reading response length from authentication socket.
    Could not add identity: /home/username/.ssh/id_ecdsa
    ~ $ ssh-add
    Could not open a connection to your authentication agent.
    ~ $ ssh-add -L
    Could not open a connection to your authentication agent.
    ~ $ file ${SSH_AUTH_SOCK}
    /tmp/gpg-DTE8dk/S.gpg-agent.ssh: socket
    ~ $ pgrep gpg-agent
    ~ $

After this, the agent does not work and ssh connections to other hosts are authenticated as though the agent were not in operation.

Expected Results:
1. The keygrip of the ECDSA key should be added to gpg-agent's list of allowed ssh keys (~/.gnupg/sshcontrol).
2. Subsequent ssh connections to other hosts, including those made using the new ECDSA key, should be authenticated by gpg-agent (i.e. the agent should not crash but function normally).

After a reboot, gpg-agent continues to function normally, using an RSA key. With the ECDSA key exported to other hosts, ssh uses it for host verification, but it is impossible to use it via gpg-agent's ssh support for authentication or encryption of file transfer (e.g., scp).
Yes, evidently gpg-agent doesn't support ECDSA yet.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/command-ssh.c;h=ddf8e2cf65f2b1fea95f4344d4df834bfe1adf37;hb=HEAD#l218

gpg 2.1 is supposed to have support for ECC. Though no one has added support to command-ssh.c for it, I imagine it can't be that hard to implement.
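The failure the reporter expects is a clean SSH_AGENT_FAILURE for a key type the agent does not know, not a dead agent. The following added Python sketch (not gpg-agent's code, and not from this bug's participants) shows the key-type dispatch an ssh-agent-compatible server performs on an SSH_AGENTC_ADD_IDENTITY request: it parses the framed message, looks the key type up in a table that, like the command-ssh.c of that era, lacks ECDSA, and answers with a failure code for unknown or truncated input instead of crashing. The message bodies are constructed samples, not real key material.

```python
import struct

# Message numbers from the ssh-agent protocol.
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6

# Key types this toy agent can import. Mirrors the idea of the key-type
# table in agent/command-ssh.c of the time: ECDSA is deliberately absent.
SUPPORTED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (big-endian uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def frame(payload: bytes) -> bytes:
    """Wrap an agent message payload in its uint32 length frame."""
    return struct.pack(">I", len(payload)) + payload


def read_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset; raise ValueError on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_add_identity(key_type: str, blobs, comment: bytes) -> bytes:
    """Build a framed SSH_AGENTC_ADD_IDENTITY request (constructed sample)."""
    body = bytes([SSH_AGENTC_ADD_IDENTITY]) + ssh_string(key_type.encode())
    for blob in blobs:          # key-specific fields, all SSH strings/mpints
        body += ssh_string(blob)
    return frame(body + ssh_string(comment))


def handle_add_identity(msg: bytes):
    """Return (status, key_type); unknown or malformed input yields FAILURE."""
    try:
        payload, _ = read_string(msg, 0)          # strip the length frame
        if not payload or payload[0] != SSH_AGENTC_ADD_IDENTITY:
            return SSH_AGENT_FAILURE, None
        raw_type, _ = read_string(payload, 1)     # string after the type byte
        key_type = raw_type.decode("ascii", "replace")
    except ValueError:
        return SSH_AGENT_FAILURE, None            # never let a bad frame kill us
    if key_type not in SUPPORTED_KEY_TYPES:
        return SSH_AGENT_FAILURE, key_type        # what gpg-agent should have sent
    return SSH_AGENT_SUCCESS, key_type
```

A real agent would go on to parse the key-specific fields only after the type check succeeds; the point here is that the lookup happens first and a miss is answered, not crashed on.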
Confirmation that it's happening: http://lists.gnupg.org/pipermail/gnupg-devel/2012-August/026845.html
This should be resolved as resolved/upstream, as downstream cannot do anything to progress this; all development should be done upstream.
Please discuss this with upstream; if it is fixed upstream we can either bump the version or backport the patch (if trivial). Thanks.