rsa ssh login fails with "sign_and_send_pubkey: signing failed: agent refused operation" error

Bug #1569019 reported by Recon69
60
This bug affects 14 people
Affects Status Importance Assigned to Milestone
Ubuntu Server Guide
Undecided
Unassigned
gnupg2 (Ubuntu)
Undecided
Unassigned

Bug Description

if you follow the guild

https://help.ubuntu.com/14.04/serverguide/openssh-server.html

logins will fail with the error

sign_and_send_pubkey: signing failed: agent refused operation

until the command

ssh-add

is executed on the client machine.

Revision history for this message
Peter Matulis (petermatulis) wrote :

Wow. That section is truly poor. There should be no obsession with using SSH without a blank password. It's all correct as is but it should be re-written to not do that. Thanks for bringing this to our attention.

Revision history for this message
Peter Matulis (petermatulis) wrote :

I meant:

The guide should not be advocating the use of unencrypted private SSH keys, which is what you get with a blank password.

As the OP sort of alluded to, the use of ssh-agent should be used as a compromise.

Revision history for this message
Recon69 (m-carpenter) wrote : Re: [Bug 1569019] Re: rsa ssh login fails with "sign_and_send_pubkey: signing failed: agent refused operation" error

What I was reporting is that the guide as is, fails to instruct someone
how to setup ssh RSA key logins successfully. if you follow this guide a
ssh login will fail with the error message I reported and ask for the
users password.
I feel that the "ssh-add" step needs to be added to this guide, if that
is suitable for setting up remote logins.

On 12/04/16 20:08, Peter Matulis wrote:
> I meant:
>
> The guide should not be advocating the use of unencrypted private SSH
> keys, which is what you get with a blank password.
>
> As the OP sort of alluded to, the use of ssh-agent should be used as a
> compromise.
>

Revision history for this message
Peter Matulis (petermatulis) wrote :

This is misleading and dangerous:

"SSH keys allow authentication between two hosts without the need of a password."

and should not be the first thing to show readers for how to use SSH.

"During the process you will be prompted for a password. Simply hit Enter when prompted to create the key."

I read that incorrectly. I read it like "Simply hit Enter when prompted to create the password." Probably because there is no single Enter to use when creating an SSH key and because of the earlier sentence. That should be changed to explain the actual dialog that occurs.

So I recommend the following change:

1. "You should now be able to SSH to the host. Enter the password you used during the key creation process."

Extend it to include ssh-agent:

2. "If you do not want to enter your password for every connection consider using ssh-agent." And then go on to explain how that works and how to implement it.

Basically this entire section should be reviewed.

Revision history for this message
Theodotos Andreou (theodotos) wrote :

I had this after upgrading to Xenial. `ssh-add` solved the problem.

Revision history for this message
segler (segler-alex) wrote :

I have the same problem,

sign_and_send_pubkey: signing failed: agent refused operation

is displayed if i do a ssh connection to a host,
but i am using a yubikey (a gpg enabled hardware key) that delivers the key. and therefore i cannot do ssh-add
i have a running gpg-agent with
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
"set | grep SSH " is correct
SSH_AUTH_SOCK=/home/user/.gnupg/S.gpg-agent.ssh

the key with ssh worked in all previous versions of ubuntu

Chad Miller (cmiller)
Changed in openssh (Ubuntu):
status: New → Confirmed
affects: openssh (Ubuntu) → gnupg2 (Ubuntu)
Revision history for this message
Pavak Paul (pavakatubuntu) wrote :

I have the same problem, fixed by doing
$ssh-add
Resource: http://askubuntu.com/a/762558/157406

Revision history for this message
mahmoh (mahmoh) wrote :

Installed Xenial 16.04 via debootstrap so I couldhave a zfs root/boot and somehow hit this problem and couldn't figure it out right away. The ssh error message should have a clearer way of deciphering the problem but ssh-add did fix it. Shouldn't this problem be avoided in the ssh-keygen utility or does this user creation case actually make sense somewhere? Thank you.

Revision history for this message
kkubkowski (kkubkowski) wrote :

Found out, that ssh will relay that error if identity that shall be used is a link to actual file.
I have generated RSA keys using OpenSSL and stored them into ~/.ssh/id_rsa.pub.pem and ~/.ssh/id_rsa.key.pem
Then I converted ~/.ssh/id_rsa.pub.pem into OpenSSH format using ssh-keygen
Then I created a link: ln ~/.ssh/id_rsa.key.pem ~/.ssh/id_rsa
Then I edited /etc/ssh/ssh_config such that there was only one line IdentityFile ~/.ssh/id_rsa
Then I tried to log into remote machine - the result was: sign_and_send_pubkey: signing failed: agent refused operation

Maybe I am missing something and there is a configuration option that follows links?

Revision history for this message
Rohit Khatkar (mldy) wrote :

I solved this issue using help from:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Encrypted Home Directory was my issue. and it was file permission issue.

Also I needed to run "gpg-agent --daemon --enable-ssh-support" explicitly. Though it was part of yubikey Ubuntu script from here https://developers.yubico.com/PGP/SSH_authentication/

I just ran script again and again and fixed file permissions. Somehow it started working and allowed me to login.

Using Ubuntu 16.04.02.
Yubikey 4 nano

Revision history for this message
Rohit Khatkar (mldy) wrote :

I executed the Ubuntu script at https://developers.yubico.com/PGP/SSH_authentication/ for yubikey 4

I got this message:
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'

When the PGP agent is running run the following command:

ssh-add

It solved this issue for me.

Revision history for this message
Piotr Maruszczak (pieras) wrote :

ssh-add did the thing.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers