gnome-keyring does not support "ssh-add -c"

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Are you sure that you're connected to ssh-agent and not to some other agent like gnome-keyring-daemon? Please can you run:

eval `ssh-agent`

and then try again with "ssh-add -c" in the same shell to verify?

It then gives the error "Agent admitted failure to sign using the key."

$ eval `ssh-agent`
Agent pid 9903

$ ssh-add -c /home/user/.ssh/key_rsa
Enter passphrase for /home/user/.ssh/key_5501_rsa:
Identity added: /home/user/.ssh/key_rsa (/home/user/.ssh/key_rsa)
The user must confirm each use of the key

$ ssh -i /home/lars/.ssh/key_rsa -l user XX.YY.ZZ.AA
Agent admitted failure to sign using the key.
Enter passphrase for key '/home/user/.ssh/key_rsa':

You also need to set SSH_ASKPASS and DISPLAY appropriately. Please see the ssh-add and ssh-agent manpages.

I've just checked behaviour on Quantal and as far as I can see, everything is working as expected, so I believe this to be a local configuration issue and not a bug. So I'm marking this bug as Invalid. If you need help with configuring this feature, there are pointers on how to get community assistance here: http://www.ubuntu.com/support/community

If you find that this really is a bug, please explain and set the bug status back to New.

An afterthought: I think I've been thinking of this too much from the perspective of openssh. I suppose it would be a valid wishlist bug that gnome-keyring doesn't support the confirmation mechanism by default. But that would be a bug in gnome-keyring rather than in openssh. But please go ahead and add that if you wish.

This is with a plain vanilla Quantal (Lubuntu) installation installed just today and have not changed the configurations on. So the settings used are default. SSH_ASKPASS is not getting set:

$ echo $SSH_ASKPASS

$ echo $DISPLAY
:0

Status changed to 'Confirmed' because the bug affects multiple users.

Looks like a duplicate of 209447.

That's bug 209447.

*glares at Launchpad*

*grumbles about lack of a Preview button*

The same symptoms seem to still be present in 14.04.1 LTS at least for ed25519 keys. RSA keys seem to work ok.

$ lsb_release -rd
Description: Ubuntu 14.04.1 LTS
Release: 14.04

$ apt-cache policy gnome-keyring
gnome-keyring:
  Installed: 3.10.1-1ubuntu4.1
  Candidate: 3.10.1-1ubuntu4.1
  Version table:
 *** 3.10.1-1ubuntu4.1 0

This is a security bug as it is now, as if one uses agent forwarding, it is impossible to confirm the use of a certain key on a (possible compromized) machine. Still present in 15.04 :(

Also, the linked debian bug is incorrect, as it is about using different key format; and this bug is about having the keyring interactively confirm each key signing request over the agent.

In 14.04.3 LTS it seems to be fixed so it is possible to load a key into the agent using 'ssh-add -c' but then the confirmation dialog pops up and does not accept the key's passphrase. Resulting in :

Agent admitted failure to sign using the key.
Permission denied (publickey,keyboard-interactive).

However, just pressing 'OK' on the gnome-ssh-askpass dialog goes ahead with the login. So the input field should be removed from gnome-ssh-askpass or else a different tool used, since entering anything in it causes the login to fail.

The gnome-bugs link is broken. Working links:

- https://bugzilla.gnome.org/show_bug.cgi?id=525574 (old bugzilla)
- https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5 (new gitlab)