On Fri, Oct 18, 2024 at 11:38:37AM +0100, Chris Green wrote:
> I'm confused by the following:-
>
>     rcfg@q957$ ssh-add -l
>     256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris@q957 (ED25519)
>     256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris@q957 (ED25519)
>     3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris@t470 (RSA)
>     256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris@q957 (ED25519)
>     3072 SHA256:dJws+ny7+uWMo2hwFl6yNGE5vFsW1ZKiO0EXwTIfNPc chris@t470 (RSA)
>     256 SHA256:BxqEiksrCXPxKvQyBXqOqw1WKda110lYiC00Z+fKP4A chris@q957 (ED25519)
>     rcfg@q957$ ssh-add -D
>     All identities removed.
>     rcfg@q957$ ssh-add -l
>     256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris@q957 (ED25519)
>     3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris@t470 (RSA)
>     256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris@q957 (ED25519)
>     256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris@q957 (ED25519)
>     3072 SHA256:dJws+ny7+uWMo2hwFl6yNGE5vFsW1ZKiO0EXwTIfNPc chris@t470 (RSA)
>     256 SHA256:BxqEiksrCXPxKvQyBXqOqw1WKda110lYiC00Z+fKP4A chris@q957 (ED25519)
>     rcfg@q957$
>
> What's going on here? I was expecting all the entries to disappear,
> but they don't.
>
> I checked when reverting to my default 'chris' login with
> $HOME=/home/chris but it's exactly the same:-
>
>     chris$ ssh-add -l
>     256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris@q957 (ED25519)
>     3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris@t470 (RSA)
>     256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris@q957 (ED25519)
>     256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris@q957 (ED25519)
>     3072 SHA256:dJws+ny7+uWMo2hwFl6yNGE5vFsW1ZKiO0EXwTIfNPc chris@t470 (RSA)
>     256 SHA256:BxqEiksrCXPxKvQyBXqOqw1WKda110lYiC00Z+fKP4A chris@q957 (ED25519)
>     chris$ ssh-add -D
>     All identities removed.
>     chris$ ssh-add -l
>     256 SHA256:4XDYbepg8zK43pofpQ8IGxMAXkej298a0XZHWjJTIQQ chris@q957 (ED25519)
>     3072 SHA256:yeQw8xe9rrxHKLqICoXNwReZKKV9HI1UeTCf95QywXM chris@t470 (RSA)
>     256 SHA256:dluRgJeTqJ32jKxRrSdjr/cibbIOZQeq8Inlna3+Sdw chris@q957 (ED25519)
>     256 SHA256:gl9l9m/xnYpL9P7WkL60L+FcJ0+r2c5Ci770p9VEC08 chris@q957 (ED25519)
>     3072 SHA256:dJws+ny7+uWMo2hwFl6yNGE5vFsW1ZKiO0EXwTIfNPc chris@t470 (RSA)
>     256 SHA256:BxqEiksrCXPxKvQyBXqOqw1WKda110lYiC00Z+fKP4A chris@q957 (ED25519)
>     chris$
>
> I guess I'm misunderstanding something but I don't see what at the moment.
>

Probably related to the same problem:-

    chris$ ssh-add /home/chris/.share/rcfg/.ssh/rcfgKey
    Enter passphrase for /home/chris/.share/rcfg/.ssh/rcfgKey:
    Identity added: /home/chris/.share/rcfg/.ssh/rcfgKey (root@q957)
    chris$ ssh -i /home/chris/.share/rcfg/.ssh/rcfgKey root@backup
    Enter passphrase for key '/home/chris/.share/rcfg/.ssh/rcfgKey':
    root@backup:~#

Hmm, I think there's something funny going on with the ssh-agent socket:-

    chris$ ps -fe | grep ssh-agent
    chris       2463    1530  0 12:33 ?        00:00:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

but:-

    chris$ env | grep SSH
    SSH_AUTH_SOCK=/run/user/1000/keyring/ssh

So SSH_AUTH_SOCK doesn't appear to be the socket that ssh-agent thinks
it should be.

This is on a fairly standard/default xubuntu 24.04 installation, I've
not played about with the agent stuff (or at least I don't think I
have).

Both the sockets exist:-

    chris$ ls -al /run/user/1000/keyring/
    total 0
    drwx------  2 chris chris 120 Oct 18 12:33 .
    drwx------ 13 chris chris 420 Oct 18 12:32 ..
    srw-------  1 chris chris   0 Oct 18 12:33 .ssh
    srw-rw-rw-  1 chris chris   0 Oct 18 12:32 control
    srwxrwxr-x  1 chris chris   0 Oct 18 12:32 pkcs11
    srwxrwxr-x  1 chris chris   0 Oct 18 12:32 ssh

Can anyone suggest what might be awry?

--
Chris Green

On 18/10/2024 12:50, Chris Green wrote:
> Both the sockets exist:-
>
>     chris$ ls -al /run/user/1000/keyring/
>     total 0
>     drwx------  2 chris chris 120 Oct 18 12:33 .
>     drwx------ 13 chris chris 420 Oct 18 12:32 ..
>     srw-------  1 chris chris   0 Oct 18 12:33 .ssh
>     srw-rw-rw-  1 chris chris   0 Oct 18 12:32 control
>     srwxrwxr-x  1 chris chris   0 Oct 18 12:32 pkcs11
>     srwxrwxr-x  1 chris chris   0 Oct 18 12:32 ssh

"lsof" to see which process is listening on the
/run/user/1000/keyring/ssh socket?

If you logout from your desktop, then click your username to log back in
again, you may see a sprocket in the bottom-right corner that lets you
select your desktop environment (e.g. xfce, gnome). If so, you could try
different ones. If you find a broken one, you can report the problem
upstream.

I think it's pretty clear at this stage that the problem is with your
distro, not with openssh.

Hi,

On 18.10.24 13:50, Chris Green wrote:
>     chris$ ps -fe | grep ssh-agent
>     chris       2463    1530  0 12:33 ?        00:00:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
>
> but:-
>
>     chris$ env | grep SSH
>     SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
>
> So SSH_AUTH_SOCK doesn't appear to be the socket that ssh-agent thinks
> it should be.
>
> This is on a fairly standard/default xubuntu 24.04 installation, I've
> not played about with the agent stuff (or at least I don't think I
> have).
> Can anyone suggest what might be awry?

You are probably running gnome-keyring, which acts as a replacement ssh
agent and has slightly different behaviour: it will still list your keys
after -D, but you need to unlock each of them to actually use them.

Standard xubuntu iirc adds pam_gnome_keyring.so to auth and session.

Best regards,
Nils

--
Dipl. Math Nils Rennebarth
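
Added example (not part of any message in the thread): a POSIX shell check for the mismatch Chris found between SSH_AUTH_SOCK and the ssh-agent "-a" path, and for the "which process is listening" question raised in the replies. It reads `ss -xlp` output rather than lsof; the ss sample is constructed, including the assumption that a gnome-keyring process owns the socket SSH_AUTH_SOCK points at.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE_PS is the ps line Chris posted;
# SAMPLE_SS is constructed `ss -xlp` output (listener name, PIDs and inodes
# are assumptions, the thread never shows who listens on the "ssh" socket).

# listener_of SOCKET: stdin is `ss -xlp` output; prints "name pid" of the
# process listening on the Unix socket SOCKET.
listener_of() {
    awk -v sock="$1" '
        $2 == "LISTEN" && $5 == sock &&
        match($0, /users:\(\("[^"]+",pid=[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^users:\(\("/, "", s)
            sub(/",pid=/, " ", s)
            print s
        }'
}

# agent_bind_path: stdin is `ps -fe` output; prints the -a argument of each
# ssh-agent command line, i.e. the socket the real agent binds.
agent_bind_path() {
    awk '/ssh-agent/ { for (i = 1; i < NF; i++) if ($i == "-a") print $(i + 1) }'
}

# diagnose SSH_AUTH_SOCK PS_OUTPUT SS_OUTPUT
# "direct" means clients reach ssh-agent itself; "indirect" means another
# process sits on the socket clients use, so ssh-add -D/-l answers come from it.
diagnose() {
    d_bind=$(printf '%s\n' "$2" | agent_bind_path)
    d_owner=$(printf '%s\n' "$3" | listener_of "$1")
    if [ "$d_bind" = "$1" ]; then
        echo "direct: clients talk to ssh-agent on $d_bind"
    else
        echo "indirect: $1 is served by ${d_owner:-unknown}; ssh-agent binds $d_bind"
    fi
}

SAMPLE_PS='chris 2463 1530 0 12:33 ? 00:00:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh'
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0 4096 /run/user/1000/keyring/ssh 28411 * 0 users:(("gnome-keyring-d",pid=1530,fd=12))
u_str LISTEN 0 128 /run/user/1000/keyring/.ssh 30122 * 0 users:(("ssh-agent",pid=2463,fd=3))'

diagnose /run/user/1000/keyring/ssh "$SAMPLE_PS" "$SAMPLE_SS"
# On a live system: ss -xlp | listener_of "$SSH_AUTH_SOCK"
```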