unofficial mirror of bug-guix@gnu.org 
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: 54950@debbugs.gnu.org
Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
Date: Wed, 15 Jun 2022 11:46:42 -0400
Message-ID: <8735g6dj4t.fsf@gmail.com>
In-Reply-To: <87sfo630c3.fsf@systemreboot.net> (Arun Isaac's message of "Wed,  15 Jun 2022 12:00:36 +0530")

Hi Arun,

Arun Isaac <arunisaac@systemreboot.net> writes:

> Hi Maxim,
>
>> I suspect this is due to changes in OpenSSH *client* that now refuse
>> older RSA keys for security reasons.
>
> This doesn't seem to be. Here's why: I have another machine that I ssh
> to using an unencrypted RSA key. I am able to connect to the Guix daemon
> on that machine without any trouble. What's more, the machine with an
> encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA
> key.
>
>> Could you retry with the following option: 'StrictHostKeyChecking no'
>> applied to the host in your ~/.ssh/config?
>
> Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted
> key still works, and the encrypted doesn't.

Thanks for checking.  Other things to try:

Kill pinentry, which is potentially waiting for the passphrase on the
wrong X11 display or tty, for example if you accessed the machine via
SSH:

killall pinentry

I don't know which ssh agent you use; I use the 'gpg-agent' provided by
GnuPG.  info '(gnupg) Common Problems' has this:

   * SSH hangs while a popping up pinentry was expected

     SSH has no way to tell the gpg-agent what terminal or X display it
     is running on.  So when remotely logging into a box where a
     gpg-agent with SSH support is running, the pinentry will get popped
     up on whatever display the gpg-agent has been started.  To solve
     this problem you may issue the command

          echo UPDATESTARTUPTTY | gpg-connect-agent

     and the next pinentry will pop up on your display or screen.
     However, you need to kill the running pinentry first because only
     one pinentry may be running at once.  If you plan to use ssh on a
     new display you should issue the above command before invoking ssh
     or any other service making use of ssh.

It seems this gotcha would also apply to other SSH agents.  I've had
this problem in the past, when SSH'ing to a remote machine that had a
graphical session running, and killing the running pinentry and issuing
the above 'echo UPDATESTARTUPTTY | gpg-connect-agent' command did the
trick.

Let me know if this helps.

Maxim
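An added example (not from this thread or from Guix) that turns the suggestion above into a small POSIX sh helper: it checks that SSH_AUTH_SOCK points at gpg-agent's SSH socket, terminates a stray pinentry, re-points the agent at the current terminal with UPDATESTARTUPTTY, and then lists the agent's keys with ssh-add -l. The file name refresh-pinentry.sh and the socket-name patterns are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes gpg-agent started with
# --enable-ssh-support is acting as the SSH agent (Maxim's setup).

# Classify an SSH_AUTH_SOCK path so gpg-agent commands are only sent to
# gpg-agent. Takes the path as an argument (not the environment) so it can be
# checked offline; the socket-name patterns are assumptions.
agent_kind() {
  case "$1" in
    "") echo none ;;
    */S.gpg-agent.ssh) echo gpg-agent ;;
    */agent.*|*/ssh-agent*|*/openssh_agent) echo ssh-agent ;;
    *) echo unknown ;;
  esac
}

# Kill a pinentry that may be waiting on another display or tty, then tell
# gpg-agent to prompt on this terminal (GPG_TTY) and display (DISPLAY) next time.
refresh_pinentry_tty() {
  if [ "$(agent_kind "${SSH_AUTH_SOCK:-}")" != gpg-agent ]; then
    echo "SSH_AUTH_SOCK does not point at gpg-agent; nothing to do" >&2
    return 1
  fi
  pkill pinentry 2>/dev/null || true      # equivalent of 'killall pinentry'
  GPG_TTY=$(tty) && export GPG_TTY
  echo UPDATESTARTUPTTY | gpg-connect-agent >/dev/null
}

# After re-pointing the agent, 'ssh-add -l' shows the keys it knows about; an
# encrypted key will trigger a pinentry prompt on this terminal on first use.
main() {
  refresh_pinentry_tty || exit 1
  ssh-add -l
}

case "${0##*/}" in refresh-pinentry.sh) main ;; esac
```

Run it as refresh-pinentry.sh from the same terminal you will use for guix, before the first connection to the remote daemon.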
