bug#33165: GNOME keyring SSH agent => sign_and_send_pubkey: signing failed: agent refused operation

bug#33165: GNOME keyring SSH agent => sign_and_send_pubkey: signing failed: agent refused operation

[Henk Katerberg]

On GuixSD running Gnome: the command 'ssh <remote>' results in error
  sign_and_send_pubkey: signing failed: agent refused operation
and then falls back to password authentication.

(Work-around is to manually start the openssh agent 'eval $(ssh-agent)' after which 'ssh <remote>' is successfull. From this I conclude that the key pair used and the .ssh/config entry for <remote> are OK.)

bug#33165: GNOME keyring SSH agent => sign_and_send_pubkey: signing failed: agent refused operation

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 2066 bytes --]

Henk Katerberg <henk.katerberg@verum.com> writes:

> On GuixSD running Gnome: the command 'ssh <remote>' results in error
>   sign_and_send_pubkey: signing failed: agent refused operation
> and then falls back to password authentication.
>
> (Work-around is to manually start the openssh agent 'eval
> $(ssh-agent)' after which 'ssh <remote>' is successfull. From this I
> conclude that the key pair used and the .ssh/config entry for <remote>
> are OK.)

This sounds a lot like the issue I describe in my blog post here:

https://www.gnu.org/software/guix/blog/2018/customize-guixsd-use-stock-ssh-agent-everywhere/

From the blog post:

"Unfortunately, up until GNOME 3.28 (the current release), the GNOME
Keyring's SSH agent implementation was not as complete as the stock SSH
agent from OpenSSH. As a result, earlier versions of GNOME Keyring did
not support many use cases. This was a problem for me, since GNOME
Keyring couldn't read my modern SSH keys.

[...]

Happily, starting with GNOME 3.28, GNOME Keyring delegates all SSH agent
functionality to the stock SSH agent from OpenSSH. They have removed
their custom implementation entirely. This means that today, I could
solve my problem simply by using the most recent version of GNOME
Keyring. I'll probably do just that when the new release gets included
in Guix. However, when I first encountered this problem, GNOME 3.28
hadn't been released yet, so the only option available to me was to
customize GNOME Keyring or remove it entirely."

Since your work-around was the same as mine - use the stock OpenSSH
ssh-agent - you might find the blog post useful for your situation.

The version of GNOME currently packaged in Guix is 3.24.3 (see
gnu/packages/gnome.scm).  Because GNOME Keyring just wrap's OpenSSH's
ssh-agent starting with GNOME 3.28, it seems likely that upgrading to
GNOME 3.28 or later will fix your issue.  If your problem continues to
occur even after Guix has upgraded GNOME to 3.28 or later, then we will
need to investigate more.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#33165: GNOME keyring SSH agent => sign_and_send_pubkey: signing failed: agent refused operation

[Ricardo Wurmus]

Chris Marusich <cmmarusich@gmail.com> writes:

> The version of GNOME currently packaged in Guix is 3.24.3 (see
> gnu/packages/gnome.scm).  Because GNOME Keyring just wrap's OpenSSH's
> ssh-agent starting with GNOME 3.28, it seems likely that upgrading to
> GNOME 3.28 or later will fix your issue.  If your problem continues to
> occur even after Guix has upgraded GNOME to 3.28 or later, then we will
> need to investigate more.

Just FYI: we have an upgrade to GNOME 2.28 on a separate branch that’s
waiting for the core-updates branch to be merged.

-- 
Ricardo