Bug#738660: openssh-client: SSH_AGENT_FAILURE on ssh-add'ing an ed25519 key
Axel Beckert
abe at debian.org
Wed Feb 26 14:43:31 UTC 2014
Hi Colin,

sorry for the late reply. I seem to have forgotten to reply while
being sick, because I can remember that I tested it after your reply
and now wondered why that isn't in the bug-report yet.

Colin Watson wrote:
> On Tue, Feb 11, 2014 at 05:39:26PM +0100, Axel Beckert wrote:
> > ~ # ssh-add
> > Enter passphrase for /home/abe/.ssh/id_rsa:
> > Identity added: /home/abe/.ssh/id_rsa (/home/abe/.ssh/id_rsa)
> > Enter passphrase for /home/abe/.ssh/id_dsa:
> > Identity added: /home/abe/.ssh/id_dsa (/home/abe/.ssh/id_dsa)
> > Enter passphrase for /home/abe/.ssh/id_ed25519:
> > SSH_AGENT_FAILURE
> > Could not add identity: /home/abe/.ssh/id_ed25519
>
> It's possible you're using gnome-keyring or similar as your ssh-agent,
> and gnome-keyring doesn't seem to support ED25519 yet. Is
> $SSH_AUTH_SOCK something like /run/user/1000/keyring-BV4Hlb/ssh rather
> than something like /tmp/ssh-6Vn2sejbdt1z/agent.18548?

I'm sorry to say, but this looks _not_ like gnome-keyring to me:

→ ssh-add
Enter passphrase for /home/abe/.ssh/id_rsa:
Identity added: /home/abe/.ssh/id_rsa (/home/abe/.ssh/id_rsa)
Identity added: /home/abe/.ssh/id_dsa (/home/abe/.ssh/id_dsa)
Enter passphrase for /home/abe/.ssh/id_ed25519:
SSH_AGENT_FAILURE
Could not add identity: /home/abe/.ssh/id_ed25519
→ echo $SSH_AUTH_SOCK
/tmp/ssh-Fqfbsi6Nh3HC/agent.3498
→

Both gnome-keyring-daemon and ssh-agent are running:

abe 3700 0.0 0.0 51804 1736 ? Sl Feb08 0:00 gnome-keyring-daemon -s -c pkcs11,secrets
abe 3662 0.0 0.0 4076 664 ? Ss Feb08 0:18 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/abe/.gnupg/gpg-agent-info-nemo2 /usr/bin/dbus-launch --exit-with-session /usr/bin/monkeysphere-validation-agent /home/abe/.xsession

I've checked with lsof and the only process which opened the file
referred to in $SSH_AUTH_SOCK is ssh-agent:

→ lsof /tmp/ssh-Fqfbsi6Nh3HC/agent.3498
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh-agent 3662 abe 3u unix 0xf308ca80 0t0 9790 /tmp/ssh-Fqfbsi6Nh3HC/agent.3498
→

> I confirmed that, for me, ssh-agent proper supports ED25519 while
> gnome-keyring doesn't.

Is it possible that gnome-keyring uses socket paths equivalent to
ssh-agent ones or ssh-agent relays stuff to a possibly earlier started
gnome-keyring in some cases? (But from the process IDs, I'd say
ssh-agent was started before gnome-keyring-daemon.)

I remember that gpg-agent can be used to replace ssh-agent, too, but
it needs to be enabled with --enable-ssh-support which isn't the case
above (and also not in my gpg.conf).

So I'm not sure what actually makes ssh-agent fail with ed25519 keys
in my setup while it seems to work on your setup. (Shall we clone
this bug-report so there's one against gnome-keyring and one against
openssh-client?)

Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
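
The following is an added example, not part of the message above or of OpenSSH: a small Python helper for the two checks discussed in the thread, guessing the agent implementation from the shape of the $SSH_AUTH_SOCK path and decoding a raw agent reply frame. The message numbers come from the SSH agent protocol draft (draft-miller-ssh-agent); the function names are illustrative, the sample bytes are constructed, and the path patterns are only the two shapes quoted in the thread, so a match is a hint and not proof of which process owns the socket.

```python
import re
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_IDENTITIES_ANSWER = 12

# Constructed sample: the 5-byte frame an agent sends when it refuses a request.
SAMPLE_FAILURE = struct.pack(">IB", 1, SSH_AGENT_FAILURE)

def classify_socket(path):
    """Guess the agent from the two socket path shapes quoted in the thread."""
    if re.search(r"/keyring-[^/]+/ssh$", path):
        return "gnome-keyring"
    if re.search(r"/ssh-[^/]+/agent\.\d+$", path):
        return "ssh-agent"
    return "unknown"

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def decode_reply(frame):
    """Decode one framed agent reply: uint32 length, byte type, payload."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    (length,) = struct.unpack_from(">I", frame, 0)
    if length != len(frame) - 4:
        raise ValueError("length field does not match frame size")
    mtype, body = frame[4], frame[5:]
    if mtype == SSH_AGENT_FAILURE:
        return ("failure", [])
    if mtype == SSH_AGENT_SUCCESS:
        return ("success", [])
    if mtype == SSH_AGENT_IDENTITIES_ANSWER:
        (count,) = struct.unpack_from(">I", body, 0)
        off, keys = 4, []
        for _ in range(count):
            blob, off = read_string(body, off)
            comment, off = read_string(body, off)
            algo, _ = read_string(blob, 0)  # key blob begins with the algorithm name
            keys.append((algo.decode(), comment.decode(errors="replace")))
        return ("identities", keys)
    return ("type-%d" % mtype, [])
```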