ssh-add does not always unlock ssh keys

Bug #841672 reported by Claudio Moretti
This bug affects 28 people
Affects: openssh (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

When I execute ssh-add it asks for my keys' passwords and confirms that they were unlocked, but when I try to ssh into a server I am asked for my password again via the ssh-askpass-gnome prompt.

Here's an (edited and cut) version of my .ssh/config file:

=====================================================
VisualHostKey yes
Host myhost1
 Hostname myhost1.url
 User user
 PreferredAuthentications publickey
 IdentityFile ~/.ssh/id_dsa
 Compression yes
 Compressionlevel 6

Host myhost2
 Hostname myhost2.url
 User user
 PreferredAuthentications publickey
 Compression no

Host myhost3 myhost4 myhost5
 Hostname myhost3.url
 User user
 PreferredAuthentications publickey
 Compression yes
 Compressionlevel 6

[...]

=====================================================

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: ssh-askpass (not installed)
ProcVersionSignature: Ubuntu 3.0.0-10.16-generic 3.0.4
Uname: Linux 3.0.0-10-generic x86_64
Architecture: amd64
Date: Mon Sep 5 11:29:43 2011
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ssh-askpass
UpgradeStatus: Upgraded to oneiric on 2011-06-29 (68 days ago)

Soren Hansen (soren) wrote :

Is your ssh agent running? What does "echo $SSH_AUTH_SOCK" say?

Changed in openssh (Ubuntu):
status: New → Incomplete
Claudio Moretti (flyingstar16) wrote :

Here's the output:

claudio@Chuck:~$ echo $SSH_AUTH_SOCK
/tmp/keyring-TjsKLR/ssh

Changed in openssh (Ubuntu):
status: Incomplete → New
Robie Basak (racb)
Changed in openssh (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Dominik Brodowski (brodowski) wrote :

Please reconsider the importance - it is a quite annoying bug (at least to me).

Felix Müller (felix-mueller-w) wrote :

> Please reconsider the importance - it is a quite annoying bug (at least to me).

Same here. We have rather complex tunneling mechanisms where we hop over 5+ systems to get to the target hosts. With a strong (and long) passphrase and some dozen connections a day (remote support) over here this results in a major degradation of productivity.

Chris Snyder (csnyder) wrote :

> Please reconsider the importance - it is a quite annoying bug (at least to me).

+1
This bug is very annoying and a drain on productivity.

C de-Avillez (hggdh2) wrote :

I just tested it here -- Oneiric, two terminal windows, one running RoxTerm, one under byobu.

On the byobu window:

ssh-add -l
(my key was shown)
ssh-add -D
ssh-add -l
(no keys shown)
ssh test.machine.info
(pop up asking for SSH passphrase; entered it, got in session; ended the session)
ssh test.machine.info
(session opened with no pop-ups; ended the session)
ssh-add -D
ssh-add -l
(no keys shown)
ssh-add
ssh-add -l
(my key was shown)
ssh test.machine.info
(session opened with no pop-ups; ended the session)

Moved over to the stand-alone RoxTerm; then repeated the tests. To my surprise even *after* adding my SSH key in, when I tried to open the SSH session to the test machine I was still presented with a pop-up asking for the passphrase on *first* SSH. Second SSH session, *without* running 'ssh-add -D', opened the session without a pop-up for passphrase.

Another interesting bit: on the RoxTerm stand-alone, 'ssh-add -D' did *not* clean up the keys in the agent.

Additional findings: SSH_AUTH_SOCK differs on the terminal windows (byobu and RoxTerm):

* Under RoxTerm:

[cerdea-aws]cerdea@xango3:~$ set | grep SSH
SSH_AGENT_PID=2857
SSH_AUTH_SOCK=/tmp/keyring-6fXAtd/ssh
[cerdea-aws]cerdea@xango3:~$

* under byobu:

[cerdea-aws]cerdea@xango3:/build/buildd/ubuntu-qa-tools/vm-tools$ set | grep SSH
SSH_AGENT_PID=2857
SSH_AUTH_SOCK=/home/cerdea/.byobu/.ssh-agent
[cerdea-aws]cerdea@xango3:/build/buildd/ubuntu-qa-tools/vm-tools$

Note that the SSH_AGENT_PID is the same.

Also, I dimly remember something about gnome-keyring and ssh-add. Will try to find out the references.

Setting importance to Medium.

Changed in openssh (Ubuntu):
importance: Low → Medium
summary: - ssh-add does not unlock ssh keys
+ ssh-add does not always unlock ssh keys
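
An added diagnostic, not part of the bug report, for the finding above that two terminals in one session can point SSH_AUTH_SOCK at different sockets: it reports which agent the current shell's ssh and ssh-add will reach. The function names are illustrative, and the OpenSSH socket pattern and byobu's path being a symlink are assumptions.

```shell
#!/bin/sh
# Added diagnostic example; not part of the bug report.

# Follow a symlinked socket path to its target. Assumption: byobu's
# ~/.byobu/.ssh-agent is a symlink to whichever agent socket it found.
resolve_socket() {
    if [ -L "$1" ]; then readlink -f "$1"; else printf '%s\n' "$1"; fi
}

# Guess which program owns an agent socket from its path.
# keyring-*/ssh is the pattern seen in this report; ssh-*/agent.* is the
# classic OpenSSH ssh-agent default (assumption for your release).
classify_agent_socket() {
    case "$(resolve_socket "$1")" in
        '')                echo none ;;
        */keyring-*/ssh)   echo gnome-keyring ;;
        */ssh-*/agent.*)   echo openssh-agent ;;
        *)                 echo unknown ;;
    esac
}

# Print what this shell's ssh and ssh-add will talk to.
report_agent() {
    sock=${SSH_AUTH_SOCK:-}
    echo "SSH_AUTH_SOCK=$sock"
    echo "resolved=$(resolve_socket "$sock")"
    echo "provider=$(classify_agent_socket "$sock")"
    echo "SSH_AGENT_PID=${SSH_AGENT_PID:-unset}"
    if command -v ssh-add >/dev/null 2>&1; then
        # Exit status: 0 keys listed, 1 agent has no keys, 2 agent unreachable.
        ssh-add -l 2>&1
        echo "ssh-add -l exit=$?"
    fi
    return 0
}

report_agent
```

Run it in each terminal being compared; differing `resolved` or `provider` lines mean `ssh-add` in one window is loading keys into an agent that `ssh` in the other window never asks.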
C de-Avillez (hggdh2) wrote :
Danny Howard (dannyman) wrote :

This bug is rather obnoxious.

Andreas Hasenack (ahasenack) wrote :

Very annoying, I run ssh-add and am still prompted for the passphrase by some GUI tool.

Holger Krekel (hpk) wrote :

The bug still seems to be present in March 2012 - and is annoying indeed.

Hamish Downer (mishd) wrote :

My use case is that I have a script (using tmuxinator) that opens several shells inside tmux and executes ssh in them, all at once. I run ssh-add before starting the script, so that I only have to enter the passphrase once. However with this behaviour I have to enter the passphrase into the gui dialog box multiple times.

After that ssh and the agent work as expected. But I can't seem to unlock the ssh key properly before starting an actual ssh session.

Hamish Downer (mishd) wrote :

I found a way to trigger the gnome dialog box directly, so I only have to enter the ssh password once.

I created ~/bin/gssh-add and put the following in it:

SSH_ASKPASS=/usr/bin/ssh-askpass ssh-add

I then make it executable:

chmod +x ~/bin/gssh-add

And then I launch it using Alt+F2. That triggers the gnome dialog box.

Note that if you run gssh-add from the terminal it will not trigger the gnome dialog box. See the ENVIRONMENT section of the ssh-add man page for details as to why.

Paul Willoughby (paul-natyyjkkrqk00) wrote :

Very annoying bug. One way round it is from your terminal prompt do:

$ exec ssh-agent bash

Then `ssh-add` will work as expected.

Hamish Downer (mishd) wrote :

Scratch my last workaround (#13). It didn't work. This one does though.

Stop gnome-keyring ssh-agent from starting. Then ssh-agent and ssh work as expected.

To stop gnome-keyring ssh-agent from starting do:

    sudo mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.disabled

I first posted this, plus a load of stuff about trying to work through the problem at http://askubuntu.com/questions/122824/how-to-manually-trigger-ssh-add-dialog-box/

Steve Chadsey (schadsey) wrote :

This bug is present in Ubuntu 13.04.

amk (9-launchpad-mikus-sk) wrote :

Ubuntu 16.04 also impacted
