Matt Schepers
2020-Aug-07 17:54 UTC
ssh-agent does not accept all forwarded RSA keys on later versions.
Hello,

I've got a problem with newer versions of ssh-agent not accepting all keys being forwarded to them.

Example:

LOCAL-WORKSTATION
ssh-add -l
4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017

BROKEN-REMOTE
ssh -A brokenHost
ssh-add -l
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
Here only one key gets forwarded when there should be two. That's what the problem is.

WORKING-REMOTE
ssh -A workingHost
ssh-add -l
4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017

So the problem appears to be that the newer version is not accepting all of the forwarded keys. I'd like to troubleshoot this and/or file a bug report. Can you guys point me in the right direction?

Regards
Matt
Damien Miller
2020-Aug-10 03:26 UTC
ssh-agent does not accept all forwarded RSA keys on later versions.
On Fri, 7 Aug 2020, Matt Schepers wrote:

> Hello,
>
> I've got a problem with newer versions of ssh-agent not accepting all keys
> being forwarded to them.
>
> Example:
> LOCAL-WORKSTATION
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
> BROKEN-REMOTE
> ssh -A brokenHost
> ssh-add -l
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
> Here only one key gets forwarded when there should be two. That's what the
> problem is.
>
> WORKING-REMOTE
> ssh -A workingHost
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
>
> So the problem appears to be that the newer version is not accepting all of
> the forwarded keys. I'd like to troubleshoot this and/or file a bug report.
> Can you guys point me in the right direction?

Could you post the entire key that is not being forwarded and not just the fingerprint?

-d
Jakub Jelen
2020-Aug-10 06:55 UTC
ssh-agent does not accept all forwarded RSA keys on later versions.
On Fri, 2020-08-07 at 11:54 -0600, Matt Schepers wrote:

> Hello,
>
> I've got a problem with newer versions of ssh-agent not accepting all
> keys
> being forwarded to them.
>
> Example:
> LOCAL-WORKSTATION
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017

What is the ssh-agent you are running on this machine? Is it stock ssh-agent, gnome-keyring or some other implementation? You should get the idea from the SSH_AUTH_SOCK environment variable.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
Matt Schepers
2020-Aug-10 14:32 UTC
ssh-agent does not accept all forwarded RSA keys on later versions.
I am running gpg-agent locally. Two keys are served from gpg-agent: a gpg created ssh key and a ssh-keygen created key stored in ~/.ssh/id_rsa. The gpg created key is the one that the remote agent wouldn't accept, and my problem is that I wasn't really able to debug it. By pure dumb luck I removed the package libpam-ssh and the problem disappeared.

On Mon, Aug 10, 2020 at 12:55 AM Jakub Jelen <jjelen at redhat.com> wrote:

> On Fri, 2020-08-07 at 11:54 -0600, Matt Schepers wrote:
> > Hello,
> >
> > I've got a problem with newer versions of ssh-agent not accepting all
> > keys
> > being forwarded to them.
> >
> > Example:
> > LOCAL-WORKSTATION
> > ssh-add -l
> > 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> > 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> > /home/matt/.ssh/id_rsa_embedded (RSA)
> > ssh -V
> > OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
> What is the ssh-agent you are running on this machine? Is it stock ssh-
> agent, gnome-keyring or some other implementation? You should get the
> idea from the SSH_AUTH_SOCK environment variable.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
>
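The two diagnostic steps the thread circles around, identifying which agent implementation sits behind SSH_AUTH_SOCK (Jakub's question) and working out which locally served keys never show up in the forwarded agent on the remote host (Matt's comparison), as an added POSIX shell helper that is not part of the thread. The socket-path patterns used to classify the agent are assumptions based on each implementation's default socket location; the sample listings are constructed from the thread's `ssh-add -l` output.

```shell
#!/bin/sh
# Added helper, not from the thread. Classifies the agent behind a socket
# path and diffs two `ssh-add -l` listings by fingerprint.

# Guess the agent implementation from its socket path. These patterns are
# assumptions about default socket locations, not an authoritative list.
agent_kind() {
    case "$1" in
        */S.gpg-agent.ssh)              echo gpg-agent ;;
        */keyring/ssh|*/gnome-keyring*) echo gnome-keyring ;;
        */ssh-*/agent.*)                echo openssh-ssh-agent ;;
        "")                             echo none ;;
        *)                              echo unknown ;;
    esac
}

# Extract the SHA256 fingerprint column from `ssh-add -l` output, sorted.
fingerprints() {
    awk '$2 ~ /^SHA256:/ { print $2 }' | sort
}

# missing_keys LOCAL_LISTING REMOTE_LISTING
# Prints fingerprints present in the local listing but absent from the
# remote (forwarded) one, i.e. the keys the remote agent did not accept.
missing_keys() {
    remote_fp=$(printf '%s\n' "$2" | fingerprints)
    printf '%s\n' "$1" | fingerprints | while IFS= read -r fp; do
        printf '%s\n' "$remote_fp" | grep -qxF -- "$fp" || printf '%s\n' "$fp"
    done
}

# Constructed sample data: the listings quoted in the thread.
LOCAL_LIST='4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)'
REMOTE_LIST='2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)'

# Live use: replace the sample strings with "$(ssh-add -l)" run locally and
# "$(ssh -A host ssh-add -l)" for the remote side.
echo "local agent: $(agent_kind "${SSH_AUTH_SOCK:-}")"
echo "keys not accepted by the forwarded agent:"
missing_keys "$LOCAL_LIST" "$REMOTE_LIST"
```

A gpg-agent-served key that is missing here but present locally narrows the search to the agent-forwarding path on the remote host rather than to the local key material.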