Ubuntu
openssh package

ssh-add asks about passphrases for keys already unlocked in the keychain

Bug #1764044 reported by Rolf Leggewie
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Expired
Wishlist
Unassigned

Bug Description

In the below example, on the second invocation of ssh-add I should not be prompted to enter the passphrase again after I successfully entered it on the first instance. This used to work fine in trusty i386 setup.

$ keychain && ssh-add

 * keychain 2.8.2 ~ http://www.funtoo.org
 * Starting ssh-agent...

Enter passphrase for /home/rolf/.ssh/id_rsa:
Identity added: /home/rolf/.ssh/id_rsa (/home/rolf/.ssh/id_rsa)
Enter passphrase for /home/rolf/.ssh/id_dsa:
Identity added: /home/rolf/.ssh/id_dsa (/home/rolf/.ssh/id_dsa)

$ keychain && ssh-add

 * keychain 2.8.2 ~ http://www.funtoo.org
 * Found existing ssh-agent: 25744

Enter passphrase for /home/rolf/.ssh/id_rsa:
Identity added: /home/rolf/.ssh/id_rsa (/home/rolf/.ssh/id_rsa)
Enter passphrase for /home/rolf/.ssh/id_dsa:
Identity added: /home/rolf/.ssh/id_dsa (/home/rolf/.ssh/id_dsa)

gnome-keyring is running:
$ ps -ax|grep key
 2067 ? SLl 0:05 /usr/bin/gnome-keyring-daemon --start --components ssh
 2078 ? Ssl 0:01 /usr/lib/x86_64-linux-gnu/indicator-keyboard/indicator-keyboard-service --use-gtk
 6987 ? S 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
17832 pts/2 S+ 0:00 grep --color=auto key

ssh-agent is running:
$ ps aux | grep ssh-agent
leggewie 1928 0.0 0.0 15548 340 ? Ss 02:38 0:00 /usr/bin/ssh-agent /usr/bin/im-launch env LD_PRELOAD=libgtk3-nocsd.so.0 /usr/lib/gnome-session/run-systemd-session unity-session.target
leggewie 6987 0.0 0.0 11304 1484 ? S 02:50 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
leggewie 9952 0.0 0.0 11304 320 ? Ss 04:11 0:00 ssh-agent bash
leggewie 17850 0.0 0.0 14492 1160 pts/2 S+ 06:06 0:00 grep --color=auto ssh-agent

$ env|grep SSH
SSH_AUTH_SOCK=/tmp/ssh-W6fuGBztRRds/agent.6992
SSH_AGENT_PID=9952
SSH_AGENT_LAUNCHER=gnome-keyring

See original description
Tags: bionic
Rolf Leggewie (r0lf)
description: updated
description: updated
description: updated
summary: - ssh-add asks about passphrases for key already unlocked in the keychain
+ ssh-add asks about passphrases for keys already unlocked in the keychain
description: updated
Rolf Leggewie (r0lf)
description: updated
Revision history for this message
Rolf Leggewie (r0lf) wrote :

I finally was able to solve this. It turns out, my key was too old and thus kind of disabled as a security measure, I suppose. After creating a new key based off ED25519 and adding the corresponding public key to ~/.ssh/authorized_keys on the server, things are now working again.

Can we please do better and inform the user what's wrong instead of silently pretending to be working but dropping the unlocked key? FWIW, even now with the process working again "keychain -l" still lists nothing. I'm not 100% sure but that looks like a bug of its own.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

Rolf,

Thank you for taking the time to file a bug report.

I have just used the following in my .bashrc (like keychain man page says so):

"""
keychain id_rsa id_dsa id_ecdsa

[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
[ -f $HOME/.keychain/$HOSTNAME-sh ] && . $HOME/.keychain/$HOSTNAME-sh
[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ] && . $HOME/.keychain/$HOSTNAME-sh-gpg
"""

and I have all my keys already set:

"""
 * keychain 2.8.5 ~ http://www.funtoo.org
 * Found existing ssh-agent: 3684816
 * Known ssh key: /home/rafaeldtinoco/.ssh/id_rsa
 * Known ssh key: /home/rafaeldtinoco/.ssh/id_dsa
 * Known ssh key: /home/rafaeldtinoco/.ssh/id_ecdsa

rafaeldtinoco@workstation:~$
"""

for every new shell. Just needed to put my password once.

Since it seems likely to me that this is a local configuration problem,
rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'.

However, if you believe that this is really a bug in Ubuntu, then we would
be grateful if you would provide a more complete description of the problem
with steps to reproduce, explain why you believe this is a bug in Ubuntu
rather than a problem specific to your system, and then change the bug
status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in openssh (Ubuntu):
status: New → Incomplete
Revision history for this message
Rolf Leggewie (r0lf) wrote :

while you can certainly argue that the obsolete key was a configuration issue, I'd find it surprising to see the missing warning about this while silently pretending to be working just fine not to be considered a bug.

Changed in openssh (Ubuntu):
status: Incomplete → New
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thank you for following up with this.

It seems like an interesting bug to consider, but it appears to be low priority, so I am marking it as such.

On a side note, I would like to point out that these kind of bugs are usually better dealt with by upstream, so I would recommend you to file a report against them. If you do so, please let us know the link to the bug so that we can keep track of the progress.

Thank you!

Changed in openssh (Ubuntu):
importance: Undecided → Low
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

A bit more info because this bug came up again for me.

It was mentioned that this was working OK in Trusty, so I assume that openssh 6.6 was being used there, and that when the upgrade to openssh 7.x happened this issue started happening. I agree that the tool itself could be more helpful in its output, but this deprecation has been documented in the release notes:

https://wiki.ubuntu.com/XenialXerus/ReleaseNotes/#OpenSSH_7.2p2

I looked at upstream's bugzilla and could not find any bugs requesting a more verbose output from the tool. I still believe this bug should be dealt with by upstream, and we can follow their lead. Keeping as Low priority (and I consider that the priority will only get lower, given that people will forcefully start migrating away from DSA).

BTW, I confirmed that this issue still applies to Jammy.

Changed in openssh (Ubuntu):
status: New → Triaged
importance: Low → Wishlist
Revision history for this message
Paride Legovini (paride) wrote :

I am a bit confused by the bug report.

I think ssh-add is correctly adding the DSA key to the agent, and the fact that running ssh-add again requests the password again is normal and expected. Looks Trusty behaves the same:

ubuntu@paride-t:~$ eval $(ssh-agent -s)
Agent pid 2406
ubuntu@paride-t:~$ ssh-add
Enter passphrase for /home/ubuntu/.ssh/id_rsa:
Identity added: /home/ubuntu/.ssh/id_rsa (/home/ubuntu/.ssh/id_rsa)
ubuntu@paride-t:~$ ssh-add
Enter passphrase for /home/ubuntu/.ssh/id_rsa:
Identity added: /home/ubuntu/.ssh/id_rsa (/home/ubuntu/.ssh/id_rsa)

So in my view this part of the bug is Invalid. @Rolf maybe you didn't realize as normally when ssh pubkey authentication just works there's no point in re-running ssh-agent?

I don't think keychain comes into play in this, as it is just a handy tool to manage the environment variables pointing to the ssh-agent socket. The password prompts are from ssh-add.

Then there is the fact that DSA keys have been deprecated from authentication, which is the root of the issue in my opinion. This is in my opinion a Wontfix, as heightening the security baseline requires deprecating older standards.

I'm moving this back to Incomplete.

Changed in openssh (Ubuntu):
status: Triaged → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.