GNOME keyring SSH agent => sign_and_send_pubkey: signing failed: agent refused operation

  • Open
Details
3 participants
  • Chris Marusich
  • Henk Katerberg
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Henk Katerberg
Severity
normal
Henk Katerberg wrote on 26 Oct 2018 10:51
(name . bug-guix@gnu.org)(address . bug-guix@gnu.org)
743863752d3942c2a73477794d223b9b@mx.verum.com
On GuixSD running Gnome: the command 'ssh <remote>' results in error
sign_and_send_pubkey: signing failed: agent refused operation
and then falls back to password authentication.

(Work-around is to manually start the openssh agent 'eval $(ssh-agent)' after which 'ssh <remote>' is successful. From this I conclude that the key pair used and the .ssh/config entry for <remote> are OK.)
Chris Marusich wrote on 30 Nov 2018 03:00
(name . Henk Katerberg)(address . henk.katerberg@verum.com)(address . 33165@debbugs.gnu.org)
87d0qncojz.fsf@gmail.com
Henk Katerberg <henk.katerberg@verum.com> writes:

> On GuixSD running Gnome: the command 'ssh <remote>' results in error
> sign_and_send_pubkey: signing failed: agent refused operation
> and then falls back to password authentication.
>
> (Work-around is to manually start the openssh agent 'eval
> $(ssh-agent)' after which 'ssh <remote>' is successful. From this I
> conclude that the key pair used and the .ssh/config entry for <remote>
> are OK.)

This sounds a lot like the issue I describe in my blog post here:


From the blog post:

"Unfortunately, up until GNOME 3.28 (the current release), the GNOME
Keyring's SSH agent implementation was not as complete as the stock SSH
agent from OpenSSH. As a result, earlier versions of GNOME Keyring did
not support many use cases. This was a problem for me, since GNOME
Keyring couldn't read my modern SSH keys.

[...]

Happily, starting with GNOME 3.28, GNOME Keyring delegates all SSH agent
functionality to the stock SSH agent from OpenSSH. They have removed
their custom implementation entirely. This means that today, I could
solve my problem simply by using the most recent version of GNOME
Keyring. I'll probably do just that when the new release gets included
in Guix. However, when I first encountered this problem, GNOME 3.28
hadn't been released yet, so the only option available to me was to
customize GNOME Keyring or remove it entirely."

Since your work-around was the same as mine - use the stock OpenSSH
ssh-agent - you might find the blog post useful for your situation.

The version of GNOME currently packaged in Guix is 3.24.3 (see
gnu/packages/gnome.scm). Because GNOME Keyring just wraps OpenSSH's
ssh-agent starting with GNOME 3.28, it seems likely that upgrading to
GNOME 3.28 or later will fix your issue. If your problem continues to
occur even after Guix has upgraded GNOME to 3.28 or later, then we will
need to investigate more.

--
Chris

Ricardo Wurmus wrote on 30 Nov 2018 04:46
(name . Chris Marusich)(address . cmmarusich@gmail.com)
87a7lr2pnt.fsf@elephly.net
Chris Marusich <cmmarusich@gmail.com> writes:

> The version of GNOME currently packaged in Guix is 3.24.3 (see
> gnu/packages/gnome.scm). Because GNOME Keyring just wraps OpenSSH's
> ssh-agent starting with GNOME 3.28, it seems likely that upgrading to
> GNOME 3.28 or later will fix your issue. If your problem continues to
> occur even after Guix has upgraded GNOME to 3.28 or later, then we will
> need to investigate more.

Just FYI: we have an upgrade to GNOME 2.28 on a separate branch that’s
waiting for the core-updates branch to be merged.

--
Ricardo