unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
@ 2022-04-15 11:09 Arun Isaac
  2022-06-08 20:30 ` Maxim Cournoyer
  0 siblings, 1 reply; 7+ messages in thread
From: Arun Isaac @ 2022-04-15 11:09 UTC (permalink / raw)
  To: 54950


I have an SSH key encrypted with a passphrase. When I try connecting to
a remote guix daemon with that encrypted SSH key, it fails with the
following error message.

--8<---------------cut here---------------start------------->8---
$ GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello
guix build: error: SSH authentication failed for 'foo': Access
denied for 'publickey'. Authentication that can continue: publickey
--8<---------------cut here---------------end--------------->8---

I expected some kind of prompt asking me for the passphrase, but did not
get any. The same command works if I set up ssh-agent and add the
relevant key to it.




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-04-15 11:09 bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Arun Isaac
@ 2022-06-08 20:30 ` Maxim Cournoyer
  2022-06-15  6:30   ` Arun Isaac
  0 siblings, 1 reply; 7+ messages in thread
From: Maxim Cournoyer @ 2022-06-08 20:30 UTC (permalink / raw)
  To: Arun Isaac; +Cc: 54950

Hi,

Arun Isaac <arunisaac@systemreboot.net> writes:

> I have an SSH key encrypted with a passphrase. When I try connecting to
> a remote guix daemon with that encrypted SSH key, it fails with the
> following error message.
>
> $ GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello
> guix build: error: SSH authentication failed for 'foo': Access
> denied for 'publickey'. Authentication that can continue: publickey
>
> I expected some kind of prompt asking me for the passphrase, but did not
> get any. The same command works if I set up ssh-agent and add the
> relevant key to it.

I suspect this is due to changes in OpenSSH *client* that now refuse
older RSA keys for security reasons.

Could you retry with the following option: 'StrictHostKeyChecking no'
applied to the host in your ~/.ssh/config?

If that's indeed the problem, you'll want to upgrade your key to
something more modern like ed25519.

I hope that helps,

Maxim




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-06-08 20:30 ` Maxim Cournoyer
@ 2022-06-15  6:30   ` Arun Isaac
  2022-06-15 15:46     ` Maxim Cournoyer
  0 siblings, 1 reply; 7+ messages in thread
From: Arun Isaac @ 2022-06-15  6:30 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 54950


Hi Maxim,

> I suspect this is due to changes in OpenSSH *client* that now refuse
> older RSA keys for security reasons.

This doesn't seem to be. Here's why: I have another machine that I ssh
to using an unencrypted RSA key. I am able to connect to the Guix daemon
on that machine without any trouble. What's more, the machine with an
encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA
key.

> Could you retry with the following option: 'StrictHostKeyChecking no'
> applied to the host in your ~/.ssh/config?

Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted
key still works, and the encrypted doesn't.

Cheers!
Arun




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-06-15  6:30   ` Arun Isaac
@ 2022-06-15 15:46     ` Maxim Cournoyer
  2022-06-16  6:34       ` Arun Isaac
  0 siblings, 1 reply; 7+ messages in thread
From: Maxim Cournoyer @ 2022-06-15 15:46 UTC (permalink / raw)
  To: Arun Isaac; +Cc: 54950

Hi Arun,

Arun Isaac <arunisaac@systemreboot.net> writes:

> Hi Maxim,
>
>> I suspect this is due to changes in OpenSSH *client* that now refuse
>> older RSA keys for security reasons.
>
> This doesn't seem to be. Here's why: I have another machine that I ssh
> to using an unencrypted RSA key. I am able to connect to the Guix daemon
> on that machine without any trouble. What's more, the machine with an
> encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA
> key.
>
>> Could you retry with the following option: 'StrictHostKeyChecking no'
>> applied to the host in your ~/.ssh/config?
>
> Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted
> key still works, and the encrypted doesn't.

Thanks for checking.  Other things to try:

Kill pinentry, which is potentially waiting for the passphrase on the
wrong X11 display or tty, for example if you accessed the machine via
SSH:

killall pinentry

I don't know which ssh agent you use; I use the 'gpg-agent' provided by
GnuPG.  info '(gnupg) Common Problems' has this:

   * SSH hangs while a popping up pinentry was expected

     SSH has no way to tell the gpg-agent what terminal or X display it
     is running on.  So when remotely logging into a box where a
     gpg-agent with SSH support is running, the pinentry will get popped
     up on whatever display the gpg-agent has been started.  To solve
     this problem you may issue the command

          echo UPDATESTARTUPTTY | gpg-connect-agent

     and the next pinentry will pop up on your display or screen.
     However, you need to kill the running pinentry first because only
     one pinentry may be running at once.  If you plan to use ssh on a
     new display you should issue the above command before invoking ssh
     or any other service making use of ssh.

It seems this gotcha would also apply to other SSH agents.  I've had
this problem in the past, when SSH'in to a remote machine that had a
graphical session running, and killing the running pinentry and issuing
the above 'echo UPDATESTARTUPTTY | gpg-connect-agent' command did the
trick.

Let me know if this helps.

Maxim




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-06-15 15:46     ` Maxim Cournoyer
@ 2022-06-16  6:34       ` Arun Isaac
  2022-06-16 14:01         ` Maxim Cournoyer
  0 siblings, 1 reply; 7+ messages in thread
From: Arun Isaac @ 2022-06-16  6:34 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 54950


Hi Maxim,

I normally use neither OpenSSH's ssh-agent nor gpg-agent's ssh-agent
feature. But, when I do, it works. I didn't run into any pinentry issues
like you described. But, that's only because a passphrase entry is not
required at the time of `guix build'. Passphrase entry is required only
at the time of `ssh-add' when I am adding the key to the ssh-agent. Just
to be clear, here are the exact steps I used to set up gpg-agent.

Enable gpg's ssh-agent feature

$ echo use-agent >> ~/.gnupg/gpg.conf
$ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

pkill and restart gpg-agent (command not shown). Then, add the key to
gpg's ssh-agent. A passphrase is prompted at this point.

$ ssh-add ~/.ssh/id_ecdsa

guix build with remote daemon. A passphrase is not prompted at this
point because it was already added into the ssh-agent in the last step.

$ SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello

So, with an ssh-agent, guix build on a remote daemon works. But, I'd
like it to work without an ssh-agent. Is that possible?

Regards,
Arun




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-06-16  6:34       ` Arun Isaac
@ 2022-06-16 14:01         ` Maxim Cournoyer
  2022-06-17  6:52           ` Arun Isaac
  0 siblings, 1 reply; 7+ messages in thread
From: Maxim Cournoyer @ 2022-06-16 14:01 UTC (permalink / raw)
  To: Arun Isaac; +Cc: 54950

Hello Arun,

Arun Isaac <arunisaac@systemreboot.net> writes:

> So, with an ssh-agent, guix build on a remote daemon works. But, I'd
> like it to work without an ssh-agent. Is that possible?

I've re-read the original issue and now I have a better understanding of
it; the manual mentions GUIX_DAEMON_SOCKET is handled via the Guile-SSH
library.  I'm curious as to how SSH clients typically trigger 'pinentry'
to prompt; perhaps Guile-SSH is lacking some feature here.

I hope someone in the know can tip in!  In the meantime, you've already
found a workaround (the use of an SSH agent).

Thanks,

Maxim




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#54950: Connecting to remote guix daemon with encrypted SSH key fails
  2022-06-16 14:01         ` Maxim Cournoyer
@ 2022-06-17  6:52           ` Arun Isaac
  0 siblings, 0 replies; 7+ messages in thread
From: Arun Isaac @ 2022-06-17  6:52 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 54950


Hi Maxim,

> I'm curious as to how SSH clients typically trigger 'pinentry' to
> prompt; perhaps Guile-SSH is lacking some feature here.

Exactly my point! :-)

> I hope someone in the know can tip in!  In the meantime, you've already
> found a workaround (the use of an SSH agent).

Yup.

Thanks,
Arun




^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2022-06-17  6:54 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-15 11:09 bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Arun Isaac
2022-06-08 20:30 ` Maxim Cournoyer
2022-06-15  6:30   ` Arun Isaac
2022-06-15 15:46     ` Maxim Cournoyer
2022-06-16  6:34       ` Arun Isaac
2022-06-16 14:01         ` Maxim Cournoyer
2022-06-17  6:52           ` Arun Isaac

Code repositories for project(s) associated with this inbox:

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).