Score:2

Ubuntu 22.04 LTS: SSH fails with `sign_and_send_pubkey: signing failed: agent refused operation`

I think my question is going to illustrate that I don't understand the relationship between ssh, ssh-agent, and gnome-keyring, but I've tried all of the fixes suggested in response to similar questions and I'm still getting behavior I don't expect.

I have two keypairs in my `~/.ssh` directory, a 2048-bit RSA key and an ED25519 key. I believe the `~/.ssh` directory and the key files have the correct permissions:

```
drwx------  2 tcquinn tcquinn 4096 Feb 23 11:00 .
-rw-------  1 tcquinn tcquinn  484 Dec  8 14:24 id_ed25519
-rw-r--r--  1 tcquinn tcquinn  113 Dec  8 14:24 id_ed25519.pub
-rw-------  1 tcquinn tcquinn 1852 Dec 10 09:15 id_rsa
-rw-r--r--  1 tcquinn tcquinn  398 Jul 16  2020 id_rsa.pub
```

When I boot into the OS (Ubuntu 22.04 LTS), both keys are already added to `ssh-agent`, at least in the sense that `ssh-add -l` and `ssh-add -L` display information for both keys.

However, when I attempt to ssh to a machine that has only the RSA key in its `~/.ssh/authorized_keys`, I get the message

```
sign_and_send_pubkey: signing failed for RSA "/home/[USERNAME]/.ssh/id_rsa" from agent: agent refused operation
```

and then I get prompted for my password (which I don't want to use).

Because the RSA key is already added to ssh-agent, I would expect to be logged in without further prompting.

Some of the answers to similar questions suggest completely removing gnome-keyring from the system, which seems...drastic?

In case it's relevant:

(1) If I watch the systemctl logs with `journalctl -f`, at the moment I try to ssh, I see the message:

```
Feb 28 17:34:47 [MACHINE_NAME] gnome-keyring-daemon[2099]: the /usr/bin/ssh-add command failed: Child process exited with code 1
```

(2) If I ask for verbose output from ssh with `ssh -vvv`, the relevant snippet of the output appears to be:

```
debug1: Offering public key: /home/[USERNAME]/.ssh/id_rsa RSA SHA256:[HASH] agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/[USERNAME]/.ssh/id_rsa RSA SHA256:[HASH] agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:[HASH]
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:[HASH]
sign_and_send_pubkey: signing failed for RSA "/home/[USERNAME]/.ssh/id_rsa" from agent: agent refused operation
```

(3) If I then "manually" add the keys to `ssh-agent` using `ssh-add` (with no arguments), I get prompted for the passphrase on the keys, it successfully adds both of them, and I can then ssh without being prompted for a password, as expected.

(4) Immediately after boot, if I attempt to ssh to a machine that has the ED25519 key in its `~/.ssh/authorized_keys` file, it connects without prompting for a password, as expected.
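
The `ssh -vvv` excerpt in item (2) can be read mechanically: the server answered the RSA offer with packet type 60 (SSH_MSG_USERAUTH_PK_OK), so the refusal came from the local agent rather than from the remote `authorized_keys`. The script below is an added example, not part of the original post; the function names and verdict labels are hypothetical, the first two sample lines are constructed, and it assumes key paths without spaces.

```sh
#!/bin/sh
# Added example: classify each key offered in `ssh -vvv` client output.
# triage_pubkey_auth, sample_log and the verdict labels are hypothetical names.

triage_pubkey_auth() {
    # stdin: ssh debug output; stdout: "<VERDICT> <key path>" per offered key.
    awk '
    /^debug1: Offering public key: / {
        if (!($5 in offered)) { offered[$5] = 1; order[++n] = $5 }
        next
    }
    # Logged after packet type 60 (SSH_MSG_USERAUTH_PK_OK, RFC 4252).
    /^debug1: Server accepts key: / { accepted[$5] = 1; next }
    /^sign_and_send_pubkey: signing failed/ && /agent refused operation/ {
        # The key path is the double-quoted token on this line.
        if (match($0, /"[^"]+"/))
            refused[substr($0, RSTART + 1, RLENGTH - 2)] = 1
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (k in refused)       v = "AGENT_REFUSED_SIGN"
            else if (k in accepted) v = "SERVER_ACCEPTED"
            else                    v = "SERVER_REJECTED_OR_PENDING"
            print v, k
        }
    }'
}

# Sample input: the first two lines are constructed (type 51 is
# SSH_MSG_USERAUTH_FAILURE); the rest is the excerpt quoted in the post.
sample_log() {
    cat <<'EOF'
debug1: Offering public key: /home/[USERNAME]/.ssh/id_ed25519 ED25519 SHA256:[HASH] agent
debug3: receive packet: type 51
debug1: Offering public key: /home/[USERNAME]/.ssh/id_rsa RSA SHA256:[HASH] agent
debug3: send packet: type 50
debug3: receive packet: type 60
debug1: Server accepts key: /home/[USERNAME]/.ssh/id_rsa RSA SHA256:[HASH] agent
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:[HASH]
sign_and_send_pubkey: signing failed for RSA "/home/[USERNAME]/.ssh/id_rsa" from agent: agent refused operation
EOF
}

sample_log | triage_pubkey_auth
```

Real output can be piped in with `ssh -vvv host 2>&1 | triage_pubkey_auth`, where `host` is a placeholder.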

I wonder if gnome-keyring has saved an old / incorrect passphrase for the key?

tcquinn: @steeldriver Entirely possible! But it doesn't seem to get updated when I then "manually" add the keys using `ssh-add` (perhaps because this updates the passphrase in `ssh-agent` but not in `gnome-keyring`? Or something?) You can see that I don't really understand how `ssh-agent` and `gnome-keyring` work together.

You and me both! There's some info on archwiki that suggests you can [flush](https://wiki.archlinux.org/title/GNOME/Keyring#Flushing_passphrases) passphrases and then re-add them with seahorse's `ssh-askpass` (although the path on Ubuntu appears to be `/usr/libexec/seahorse/ssh-askpass`).