GNOME Bugzilla – Bug 571422
ssh agent stopped working after 2.25.90 upgrade
Last modified: 2009-09-01 12:18:52 UTC
the 2.25.4.1 to 2.25.90 gnome-keyring upgrade broke the ssh agent in jaunty
I have a dsa and rsa key and got http://bugzilla.gnome.org/show_bug.cgi?id=571060 ... now I removed the dsa key and re-logged into gnome and get: "Agent admitted failure to sign using the key."

Full output:

ssh -v senica -lalex
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/asac/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to senica [192.168.1.2] port 22.
debug1: Connection established.
debug1: identity file /home/asac/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9etch3
debug1: match: OpenSSH_4.3p2 Debian-9etch3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'senica' is known and matches the RSA host key.
debug1: Found key in /home/asac/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/asac/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
Agent admitted failure to sign using the key.
debug1: Offering public key: alex@hanson
debug1: Authentications that can continue: publickey
debug1: Offering public key: asac@hector
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

(for the record: after unset SSH_AUTO_SOCK, I can log in by manually typing passphrase using id_rsa key.)
Same here. Funnily enough it still works on my i386, just not on my amd64. Let me know if I can do anything to debug.
Interesting. Are there any relevant lines in /var/log/auth.log?
the issue seems closed in 2.25.91, closing the bug
This bug still exists on AMD64 machines. As I noted here: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/328127
Again, are there any relevant lines from gnome-keyring-daemon in /var/log/auth.log?
Hi, No, nothing appears in /var/log/auth.log when attempting to login. Is there an extra 'debug' flag I should enable? Thanks, Anand
No, any failures should usually go there; I'm almost certain that errors go there on Ubuntu. Can you create a new key which exhibits this problem? You could then attach the key to this bug report, and hopefully I can duplicate the problem locally.
Sure, I can create another key.

But just a reminder.

I use the same key on both an i386 and an x86_64 machine. The key was generated on the x86_64 and copied over to the i386 one. This exact key works perfectly fine on i386 machine. Only on x86_64 machine is the failure occurring.

Not sure if it had been clearly stated that the problem is specific to the architecture of the machine.

Thanks,
Anand
Perhaps this will help you find the bug? From https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/328127/comments/14

anand@saltatrix:~$ dpkg -l | grep gnome-keyring
ii gnome-keyring 2.25.91-0ubuntu1 GNOME keyring services (daemon and tools)
ii libgnome-keyring0 2.25.91-0ubuntu1 GNOME keyring services library
ii libgnome-keyring1.0-cil 1.0.0~svn.r87622-1 CLI library to access the GNOME Keyring daem
ii libpam-gnome-keyring 2.25.91-0ubuntu1 PAM module to unlock the GNOME keyring upon
anand@saltatrix:~$ ssh-add -l
2048 1b:57:81:8d:62:93:f5:dc:39:08:74:02:63:12:f6:00 anand@saltatrix (RSA)
anand@saltatrix:~$ uname -a
Linux saltatrix 2.6.28-8-generic #24-Ubuntu SMP Wed Feb 18 20:36:18 UTC 2009 x86_64 GNU/Linux
anand@saltatrix:~$ ssh W.X.Y.Z
Agent admitted failure to sign using the key.
Permission denied (publickey,keyboard-interactive).

I get a pop-up box asking for the password but, as you can see, the agent already has the key. On i386 it works OK.

anand@eve[~]% dpkg -l | grep gnome-keyring
ii gnome-keyring 2.25.91-0ubuntu1 GNOME keyring services (daemon and tools)
ii gnome-keyring-manager 2.20.0-1 keyring management program for the GNOME desktop
ii libgnome-keyring-dev 2.25.91-0ubuntu1 Development files for GNOME keyring service
ii libgnome-keyring0 2.25.91-0ubuntu1 GNOME keyring services library
pi libgnome-keyring1.0-cil 1.0.0~svn.r87622-1 CLI library to access the GNOME Keyring daemon
ii libpam-gnome-keyring 2.25.91-0ubuntu1 PAM module to unlock the GNOME keyring upon login
anand@eve[~]% ssh-add -l
1024 3c:76:cb:dc:4f:02:fd:2a:70:c8:db:0a:06:cc:78:96 anand@eve (RSA)
anand@eve[~]% uname -a
Linux eve 2.6.28-7-generic #20-Ubuntu SMP Mon Feb 9 15:43:21 UTC 2009 i686 GNU/Linux
anand@eve[~]% ssh W.X.Y.Z
Last login: Mon Feb 16 11:03:31 2009 from 91.106.31.73
anand@fwb1:~> exit
logout
Connection to W.X.Y.Z closed.
anand@eve[~]%
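The symptom in the comment above (ssh-add -l lists the key, yet ssh prints "Agent admitted failure to sign using the key.") is what ssh reports when the agent answers a sign request with its failure message. The Python below is an added example, not part of this bug report or of gnome-keyring: it speaks the ssh-agent protocol over a given socket, lists the keys, and asks the agent to sign a constant for each one. The function names and the challenge bytes are assumptions made for illustration.

```python
import os, socket, struct

# ssh-agent protocol message numbers
FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 5, 11, 12, 13, 14

def ssh_string(data):
    # uint32 big-endian length + bytes; whole messages are framed the same way
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(body):
    # Returns [(key_blob, comment)] from an IDENTITIES_ANSWER body.
    if body[:1] != bytes([IDENTITIES_ANSWER]):
        raise ValueError("agent did not return an identity list")
    (count,) = struct.unpack_from(">I", body, 1)
    keys, off = [], 5
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def exchange(sock, body):
    # Send one framed request, return the body of the framed reply.
    sock.sendall(ssh_string(body))
    hdr = sock.recv(4, socket.MSG_WAITALL)
    reply = sock.recv(struct.unpack(">I", hdr)[0], socket.MSG_WAITALL) if len(hdr) == 4 else b""
    if not reply:
        raise ConnectionError("agent closed the socket or sent an empty reply")
    return reply

def diagnose(sock, challenge=b"constructed test data"):
    # One (comment, status) pair per key the agent lists.
    names = {SIGN_RESPONSE: "signed", FAILURE: "agent-failure"}
    report = []
    for blob, comment in parse_identities(exchange(sock, bytes([REQUEST_IDENTITIES]))):
        req = bytes([SIGN_REQUEST]) + ssh_string(blob) + ssh_string(challenge) + bytes(4)  # flags = 0
        report.append((comment, names.get(exchange(sock, req)[0], "unexpected")))
    return report

if __name__ == "__main__":
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])  # the same socket ssh talks to
        for comment, status in diagnose(s):
            print(f"{status:14} {comment}")
```

A key reported as "agent-failure" here is listed by the agent but cannot be used by it for signing, which separates an agent-side fault from a server-side rejection of the key.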
(In reply to comment #9)
> Sure, I can create another key.
>
> But just a reminder.
>
> I use the same key on both an i386 and an x86_64 machine.

Anand, yes I understand. Obviously I've tested it on both i386 and x86_64 with both DSA and RSA and it works for me. So I'd like to figure out if perhaps it only happens for certain kinds of keys (type, sizes, lock password, etc.).

Andreas, yes that's the same bug, but again not the information that I need. I'm really interested in more specific failures, or an SSH key that'll help me solve the problem:

 * If gnome-keyring-daemon is crashing, I need a backtrace.
 * If there's lines in /var/log/auth.log or ~/.xsession-errors I need those.
 * Or I need a key that I can use to duplicate the problem.
Also, gnome-keyring-2.25.92 was just released with tons of fixes and fine tuning. Do you still see the problem there?
Hi,

No - have just upgraded to:

ii libgnome-keyring0 2.25.92-0ubuntu1

And the issue is resolved for me. I think Sebastian was a little hasty to say it was fixed earlier on.

Thanks,
Anand
I still need the information requested in Comment #11
OK. I am pasting here below what I have just posted on launchpad (https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/328127):

I am experiencing the same issue by generating the private rsa key from seahorse and from inside the cli as well. Seahorse and ssh-copy-id both copy the key to the remote user, but every time I try to connect, the error message gets shown. No errors get logged inside my home/.xsession-errors, nor in /var/log/auth.log

Here follow my two keys:

mylocaluser@client to myremoteuser@server

client side apps:
libryptui0 2.26.1-0ubuntu1
openssh-blacklist 0.4.1
openssh-blacklist-extra 0.4.1
openssh-client 1:5.1p1-5ubuntu1
openssh-server 1:5.1p1-5ubuntu1
seahorse 2.26.1-0ubuntu1
seahorse-plugins 2.26.1-0ubuntu1
ssh-askpass-gnome 1:5.1p1-5ubuntu1

server side apps:
libryptui0 2.26.1-0ubuntu1
libgnome-keyring0 2.26.1-0ubuntu1
libpam-gnome-keyring 2.26.1-0ubuntu1
openssh-client 1:5.1p1-5ubuntu1
openssh-server 1:5.1p1-5ubuntu1
seahorse 2.26.1-0ubuntu1
seahorse-plugins 2.26.1-0ubuntu1
ssh 1:5.1p1-5ubuntu1
ssh-askpass-gnome 1:5.1p1-5ubuntu1

HTH
The key attached to #15 (RSA, no passphrase) works for me with 2.26.0 on amd64. I get the "agent admitted failure to sign using the key" message with my own private key. P.S.: I can't see a difference between this bug and http://bugzilla.gnome.org/show_bug.cgi?id=576700 . There's a key-less pair attached to that bug that does fail for me (albeit with no "agent admitted failure" message).
(In reply to comment #16)
> The key attached to #15 (RSA, no passphrase) works for me with 2.26.0 on amd64.

So this seems to be a regression bug. I am on Jaunty amd64 running version 2.26.1
I do confirm that - as suggested in http://bugzilla.gnome.org/show_bug.cgi?id=576700 - issuing export "SSH_AUTH_SOCK=" just before the command "ssh myremoteuser@server" makes the connection act as expected.
Could you try this with 2.27.91 or later? Now that we've fixed bug #576700, and can understand why that was failing, I believe this may be a duplicate.
the ubuntu bug subscribers seem to confirm it's working now