[Bug 1812247] Re: ssh-agent fails for ssh-add -c: agent refused operation
schamane
1812247 at bugs.launchpad.net
Sat Jan 26 21:51:08 UTC 2019
@paelzer, you put a lot of work into this. Much appreciated! Thanks a
lot!

There's an important difference between your approach and mine: You
start another ssh-agent within a terminal that you do not leave. So,
this ssh-agent is available, it's plain OpenSSH ssh-agent, nothing seems
to interfere, and everything works fine. I can confirm this.

However, an ssh-agent is already running, started by the X (or GNOME)
session. And that's the ssh-agent we want to use so that the keys are
available to all programs started by the window manager (e.g. a file
manager accessing sftp://...).

Thanks to your input, though, and thanks to the fact that I got a new
VirtualBox set up, I found that it's not just `ssh-add -c` that is
failing. ssh-askpass itself (tried with the plain X11 one and the GNOME
version) is not shown when it should be.

So, I got a step further but, unfortunately, I still don't know where
the actual bug is located. I am confused by a (new?) feature of GNOME
keyring (I think) that makes locally saved SSH keys available and
presents a full-screen dialog to ask for the password of the key.

There are 2 big problems with this:

(1) It works only for locally saved keys, but we want ssh-agent to
receive keys via ssh-add from anywhere (e.g. a remote server via
`ssh -A`).

(2) This dialog is not ssh-askpass. So, if ssh-askpass is supposed to
work, it does not. Hence, `ssh-add -c` and key confirmations fail, too.

I am attaching my full console session in Ubuntu 18.04.1 for reference
and details.

** Attachment added: "ssh-agent-askpass-bug.txt"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1812247/+attachment/5232794/+files/ssh-agent-askpass-bug.txt
** Tags added: bionic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1812247
Title:
ssh-askpass(-gnome): GNOME fails to show dialog
Status in openssh package in Ubuntu:
New
Bug description:
Ubuntu uses ssh-agent from OpenSSH which supports adding keys by means
of `ssh-add -c` indicating that keys "should be subject to
confirmation before being used for authentication". In Ubuntu 18.10
this fails with the error

  sign_and_send_pubkey: signing failed: agent refused operation

To reproduce I used an Ubuntu 18.10 Live "CD", apt-get update &&
apt-get upgrade, log out and log back in (these steps are not required but
we want to use an up-to-date system). Then:

$ sudo apt-get install ssh-askpass-gnome
(...)
$ # verify that ssh-askpass shows a popup, confirm with Enter
$ ssh-askpass ; echo $?
0
$ ssh-keygen
(...)
$ ssh-add -D
All identities removed.
$ ssh-copy-id $sshuser@$sshserver
(...)
Number of key(s) added: 1
(...)
$ ssh $sshuser@$sshserver uname -a
Linux server 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
$ ssh-add -d
Identity removed: /home/ubuntu/.ssh/id_rsa (ubuntu at ubuntu)
$ ssh-add -c
Enter passphrase for /home/ubuntu/.ssh/id_rsa (will confirm each use):
Identity added: /home/ubuntu/.ssh/id_rsa (/home/ubuntu/.ssh/id_rsa)
The user must confirm each use of the key
$ ssh $sshuser@$sshserver uname -a
sign_and_send_pubkey: signing failed: agent refused operation
sshuser at server's password: [^C'ed]
$ ssh-add -l
2048 SHA256:yvAFsTpkNWnlrQyCp+tWV83dIF8Je3AksM0o+Ajvyyc /home/ubuntu/.ssh/id_rsa (RSA)

So, our key is loaded, ssh-askpass is working (also confirmed with
`ssh-add -c </dev/null`), but authentication fails with
"sign_and_send_pubkey: signing failed: agent refused operation".

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: gnome-session-bin 3.30.0-0ubuntu4
ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12
Uname: Linux 4.18.0-10-generic x86_64
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CasperVersion: 1.399
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 17 17:14:35 2019
ExecutablePath: /usr/lib/gnome-session/gnome-session-binary
LiveMediaBuild: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
ProcEnviron:
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: gnome-session
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1812247/+subscriptions
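
Added example (not part of the original bug report or of OpenSSH): a small diagnostic for the situation discussed above, where the session's agent may not be the plain OpenSSH ssh-agent and the confirmation dialog never appears. The function names are hypothetical, and the socket path patterns are assumptions based on common defaults for OpenSSH, GNOME keyring and gpg-agent.

```shell
#!/bin/sh
# Which agent implementation is behind SSH_AUTH_SOCK?
# Path patterns are assumed common defaults, not values from the bug report.
classify_agent_socket() {
    case "$1" in
        "")                            echo "none" ;;
        */keyring/ssh|*/keyring-*/ssh) echo "gnome-keyring" ;;
        */gnupg/S.gpg-agent.ssh)       echo "gpg-agent" ;;
        */ssh-*/agent.*)               echo "openssh" ;;
        *)                             echo "unknown" ;;
    esac
}

# Given a NUL-separated environment dump (the format of /proc/<pid>/environ),
# report whether that process has a DISPLAY to open an askpass window on.
# The agent spawns the confirmation helper itself, so the agent's
# environment matters, not that of the shell running ssh.
askpass_env_status() {
    env_file=$1
    vars=$(tr '\0' '\n' < "$env_file") || return 2
    if printf '%s\n' "$vars" | grep -q '^DISPLAY=.'; then
        echo "display-available"
    else
        echo "no-display"
    fi
}

# Report on the current session.
sock=${SSH_AUTH_SOCK:-}
echo "SSH_AUTH_SOCK=${sock:-<unset>} -> $(classify_agent_socket "$sock")"

# SSH_AGENT_PID is only exported by OpenSSH's ssh-agent start-up output.
pid=${SSH_AGENT_PID:-}
if [ -n "$pid" ] && [ -r "/proc/$pid/environ" ]; then
    echo "agent pid $pid: $(askpass_env_status "/proc/$pid/environ")"
fi
```

A result of "gnome-keyring" or "no-display" for the session's agent points at the agent side rather than at ssh or ssh-add when `ssh-add -c` keys are refused.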