From: Maxim Cournoyer
To: Arun Isaac
Cc: 54950@debbugs.gnu.org
Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
Date: Wed, 15 Jun 2022 11:46:42 -0400
Message-ID: <8735g6dj4t.fsf@gmail.com>
In-Reply-To: <87sfo630c3.fsf@systemreboot.net>

Hi Arun,

Arun Isaac writes:

> Hi Maxim,
>
>> I suspect this is due to changes in OpenSSH *client* that now refuse
>> older RSA keys for security reasons.
>
> This doesn't seem to be. Here's why: I have another machine that I ssh
> to using an unencrypted RSA key. I am able to connect to the Guix daemon
> on that machine without any trouble. What's more, the machine with an
> encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA
> key.
>
>> Could you retry with the following option: 'StrictHostKeyChecking no'
>> applied to the host in your ~/.ssh/config?
>
> Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted
> key still works, and the encrypted doesn't.

Thanks for checking. Other things to try:

Kill pinentry, which is potentially waiting for the passphrase on the
wrong X11 display or tty, for example if you accessed the machine via
SSH:

    killall pinentry

I don't know which ssh agent you use; I use the 'gpg-agent' provided by
GnuPG. info '(gnupg) Common Problems' has this:

    * SSH hangs while a popping up pinentry was expected

      SSH has no way to tell the gpg-agent what terminal or X display it
      is running on. So when remotely logging into a box where a
      gpg-agent with SSH support is running, the pinentry will get
      popped up on whatever display the gpg-agent has been started. To
      solve this problem you may issue the command

          echo UPDATESTARTUPTTY | gpg-connect-agent

      and the next pinentry will pop up on your display or screen.
      However, you need to kill the running pinentry first because only
      one pinentry may be running at once. If you plan to use ssh on a
      new display you should issue the above command before invoking ssh
      or any other service making use of ssh.

It seems this gotcha would also apply to other SSH agents.

I've had this problem in the past, when SSH'ing to a remote machine that
had a graphical session running, and killing the running pinentry and
issuing the above 'echo UPDATESTARTUPTTY | gpg-connect-agent' command
did the trick.

Let me know if this helps.

Maxim
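
The steps from the message above combined into one helper, as an added example that is not part of the original message. It first checks that SSH_AUTH_SOCK really is gpg-agent's ssh socket before applying the gpg-agent-specific fix. The function names, the `--run` switch and the GPG_TTY export are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message: find out which agent ssh
# is talking to, then apply the pinentry fix quoted from the GnuPG manual.

# agent_kind SSH_SOCK GPG_SSH_SOCK -> none | gpg-agent | other
# Plain path comparison (a heuristic: symlinked socket paths will not match),
# kept free of side effects so it can be checked without a running agent.
agent_kind() {
    if [ -z "$1" ]; then
        echo none
    elif [ -n "$2" ] && [ "$1" = "$2" ]; then
        echo gpg-agent
    else
        echo other
    fi
}

# Socket on which gpg-agent serves the ssh-agent protocol; empty without GnuPG.
gpg_ssh_socket() {
    gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true
}

# Re-point gpg-agent's pinentry at the terminal this shell runs on.
repoint_pinentry() {
    kind=$(agent_kind "${SSH_AUTH_SOCK:-}" "$(gpg_ssh_socket)")
    if [ "$kind" != gpg-agent ]; then
        echo "SSH_AUTH_SOCK agent: $kind; UPDATESTARTUPTTY is a gpg-agent command" >&2
        return 1
    fi
    GPG_TTY=$(tty) || { echo "not running on a terminal" >&2; return 1; }
    export GPG_TTY
    # Only one pinentry may run at once; a stale one blocks the next prompt.
    killall pinentry 2>/dev/null || true
    echo UPDATESTARTUPTTY | gpg-connect-agent
}

# Apply the fix only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    repoint_pinentry
fi
```

Run it with `--run` in the terminal where the passphrase prompt should appear, before starting the command that connects over SSH.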