interoperability issue with agent and ecdsa-sk keys

Matthieu Herrb matthieu at
Sat Jan 11 21:47:57 AEDT 2020


It seems that some versions of ssh-agent get confused by ECDSA-SK

>From my OpenBSD-current laptop, I'm trying to do remote system
adminstration  on a machine running Debian 8 with
the stock ssh package (OpenSSH_6.7p1 Debian-5+deb8u8, OpenSSL 1.0.2l
25 May 2017). I need access to a remote gitlab server to fetch files
with git, using an ED25519 key in my ssh-agent.

Once connected to the intermediate host, ssh-add -l doesn't see the
ED25519 key anymore. It says

ssh-add -l
2048 a0:80:0a:59:fe:5a:d9:f3:b1:e7:6c:57:32:8c:5c:e5 /home/matthieu/.ssh/id_rsa (RSA)
key_from_blob: invalid format

And my ED25519 key I use to authenticate against the gitlab server is
missing. Thus tring to connect to it fails.

If I remove the ECDSA-SK key from the agent before connecting to the
debian host, things work again.

Is this an oversight when the ECDSA-SK key type was added, or is it an
ancient bug in OpenSSH 6.7's agent implementation wrt unknown key
types that cannot be fixed ? (other than by updating SSH on the debian

Thanks for any help / suggestion / bug fixes...
Matthieu Herrb

More information about the openssh-unix-dev mailing list