On 03/11/14 20:14, Johannes Kastl wrote:
> Good evening,
> sorry if this is the wrong list, I found none that seemed to fit better.
It's the right list.
> I am trying to get ssh-add with the -c option to work. But I always
> get this error:
> Agent admitted failure to sign using the key.
> But to start from the beginning.
> #################################
> On my linux machines (e.g. laptops, ...) I can log in without an X
> session started/used. (...)
(and instead of asking for confirmation, agent requests fail)
> So, I'm puzzled. And I do not know how to debug this. Or where to
> start. Or if I understood something completely wrong about the -c option.
> Any hints, tips, tricks are highly appreciated. If you need more
> information, please don't hesitate to ask.
> Thanks in advance.
The reason is hidden inside ssh-add(1):

     -c      Indicates that added identities should be subject to confirmation
             before being used for authentication.  Confirmation is performed
             by the SSH_ASKPASS program mentioned below.  Successful
             confirmation is signaled by a zero exit status from the
             SSH_ASKPASS program, rather than text entered into the requester.

     DISPLAY and SSH_ASKPASS
             If ssh-add needs a passphrase, it will read the passphrase from
             the current terminal if it was run from a terminal.  If ssh-add
             does not have a terminal associated with it but DISPLAY and
             SSH_ASKPASS are set, it will execute the program specified by
             SSH_ASKPASS and open an X11 window to read the passphrase.  This
             is particularly useful when calling ssh-add from a .xsession or
             related script.  (Note that on some machines it may be necessary
             to redirect the input from /dev/null to make this work.)
The man page mixes the request for the key password and the confirmation
prompt, and it can be hard to notice, but ssh-agent is calling the X
program defined by the SSH_ASKPASS variable (defaulting to ssh-askpass). As
you are using a virtual terminal, you don't have an X11 connection where
you could be prompted, and thus the agent automatically rejects the signing.
(confirm_key → ask_permission → read_passphrase(, RP_USE_ASKPASS)
[ssh-agent.c:202, readpass.c:180,144])
What you can do is to set SSH_ASKPASS to a CLI program that requests the
confirmation; you will also need to set DISPLAY to some dummy value,
since $SSH_ASKPASS won't even be called if the DISPLAY variable is not set.
Another solution would be to change OpenSSH to fall back to getpass(1)
for ask_permission requests if $DISPLAY is not available, but given that
the code explicitly checks that, the developers may have reasons for not
doing that (the prompts would appear on the screen where the agent was
originally launched, which, depending on what is running there now, can
get messy, but that seems better than not allowing ssh-add -c at all).
Best regards
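A terminal-based confirmation program of the kind the reply above suggests, written here as an added example; it is not from the thread and not part of OpenSSH. ssh-agent runs $SSH_ASKPASS with the prompt text as its single argument and grants the signing request only when that program exits 0, so the script prints the prompt on a named terminal, reads one line, and exits accordingly. The ASKPASS_TTY and ASKPASS_IN variables and the cli-askpass.sh file name are this example's own inventions, and DISPLAY=:99 is an arbitrary placeholder chosen only because the agent checks that DISPLAY is set, not what it contains.

```shell
#!/bin/sh
# cli-askpass.sh: a terminal-based SSH_ASKPASS program for ssh-add -c
# confirmations. Added example, not part of OpenSSH.
#
# ssh-agent invokes it as   $SSH_ASKPASS "Allow use of key ...?"
# and approves the signing request only if this program exits 0.
#
# Setup, typed in the terminal that should receive the prompts. ssh-agent
# detaches from its terminal and closes its own stdin/stdout, so /dev/tty is
# not usable from inside the agent; ASKPASS_TTY (our own variable, not an
# OpenSSH one) names the terminal to use instead:
#   export ASKPASS_TTY=$(tty)
#   export SSH_ASKPASS=/usr/local/bin/cli-askpass.sh   # wherever you put it
#   export DISPLAY=:99        # placeholder; the agent only checks that it is set
#   eval "$(ssh-agent -s)"
#   ssh-add -c ~/.ssh/id_ed25519

ASKPASS_TTY="${ASKPASS_TTY:-/dev/tty}"

# answer_ok ANSWER: succeed only on an explicit yes; anything else,
# including an empty line, denies.
answer_ok() {
    case $1 in
        y|Y|yes|Yes|YES) return 0 ;;
        *)               return 1 ;;
    esac
}

# confirm PROMPT: show the prompt on ASKPASS_TTY, read one line back, and
# map the answer to an exit status. ASKPASS_IN overrides the input source
# (handy for testing). A terminal that cannot be opened, or EOF, denies,
# which is the same direction the agent takes when no askpass is reachable.
confirm() {
    prompt=$1
    in="${ASKPASS_IN:-$ASKPASS_TTY}"
    printf '%s [y/N] ' "$prompt" > "$ASKPASS_TTY" 2>/dev/null
    if ! IFS= read -r answer < "$in" 2>/dev/null; then
        return 1
    fi
    answer_ok "$answer"
}

# When run by ssh-agent the prompt arrives as $1. With no arguments the
# functions are only defined, so the file can be sourced or tested.
if [ $# -gt 0 ]; then
    confirm "$1"
    exit $?
fi
```

Because the agent has no terminal of its own, ASKPASS_TTY has to name the one the prompts should land on; if that terminal later goes away, the read fails and the request is denied rather than approved, which is the safe failure mode for a confirmation prompt.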
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev