rsa ssh login fails with "sign_and_send_pubkey: signing failed: agent refused operation" error

Bug #1569019 reported by Recon69
This bug affects 14 people
Affects              Status     Importance  Assigned to  Milestone
Ubuntu Server Guide  New        Undecided   Unassigned
gnupg2 (Ubuntu)      Confirmed  Undecided   Unassigned

Bug Description

If you follow the guide

https://help.ubuntu.com/14.04/serverguide/openssh-server.html

logins will fail with the error

sign_and_send_pubkey: signing failed: agent refused operation

until the command

ssh-add

is executed on the client machine.

Revision history for this message
Peter Matulis (petermatulis) wrote :

Wow. That section is truly poor. There should be no obsession with using SSH without a blank password. It's all correct as is but it should be re-written to not do that. Thanks for bringing this to our attention.

Revision history for this message
Peter Matulis (petermatulis) wrote :

I meant:

The guide should not be advocating the use of unencrypted private SSH keys, which is what you get with a blank password.

As the OP sort of alluded to, ssh-agent should be used as a compromise.

Revision history for this message
Recon69 (m-carpenter) wrote : Re: [Bug 1569019] Re: rsa ssh login fails with "sign_and_send_pubkey: signing failed: agent refused operation" error

What I was reporting is that the guide, as is, fails to instruct someone
how to set up ssh RSA key logins successfully. If you follow this guide an
ssh login will fail with the error message I reported and ask for the
user's password.
I feel that the "ssh-add" step needs to be added to this guide, if that
is suitable for setting up remote logins.

On 12/04/16 20:08, Peter Matulis wrote:
> I meant:
>
> The guide should not be advocating the use of unencrypted private SSH
> keys, which is what you get with a blank password.
>
> As the OP sort of alluded to, the use of ssh-agent should be used as a
> compromise.
>

Revision history for this message
Peter Matulis (petermatulis) wrote :

This is misleading and dangerous:

"SSH keys allow authentication between two hosts without the need of a password."

and should not be the first thing to show readers for how to use SSH.

"During the process you will be prompted for a password. Simply hit Enter when prompted to create the key."

I read that incorrectly. I read it like "Simply hit Enter when prompted to create the password." Probably because there is no single Enter to use when creating an SSH key and because of the earlier sentence. That should be changed to explain the actual dialog that occurs.

So I recommend the following change:

1. "You should now be able to SSH to the host. Enter the password you used during the key creation process."

Extend it to include ssh-agent:

2. "If you do not want to enter your password for every connection consider using ssh-agent." And then go on to explain how that works and how to implement it.

Basically this entire section should be reviewed.
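The bug description and the recommendation above describe a procedure (create a key, optionally with no passphrase, log in, hit "agent refused operation", run ssh-add) without a way to tell the failure modes apart. The script below is an added example, not part of the Server Guide or of any comment in this report, that checks the three things the thread mixes together before a login is attempted: whether the private key is actually passphrase-protected, whether its file mode is one OpenSSH will accept, and whether the agent named by SSH_AUTH_SOCK is reachable and already holds an identity. It assumes POSIX sh with GNU coreutils (base64, head, stat, tr) and, for the live agent probe only, OpenSSH's ssh-add; the script name and function names are ours. It goes a little beyond the RSA case in the guide: the openssh-key-v1 cipher field is read the same way for every key type, and legacy PEM headers are handled as well.

```shell
#!/bin/sh
# ssh_login_preflight.sh (added example; names are ours, not from the guide).
# Checks a private key and the agent before attempting a key-based login:
#  - is the key passphrase-protected (the guide's "blank password" case)?
#  - is its mode tight enough for OpenSSH, which rejects group/other-readable keys?
#  - is the agent in SSH_AUTH_SOCK reachable, and does it already hold identities?
# Assumed tools: POSIX sh, GNU coreutils (base64, head, stat, tr), and OpenSSH's
# ssh-add for the live probe only.

# Print how a private key file is protected: "encrypted", "none" or "unknown".
key_protection() {
    f="$1"
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # openssh-key-v1 layout: magic "openssh-key-v1\0", then a length-prefixed
        # cipher name, which is the literal string "none" for an unencrypted key.
        hdr=$(sed -e '1d' -e '$d' "$f" | base64 -d 2>/dev/null | head -c 48 |
              LC_ALL=C tr -cd '[:print:]')
        case "$hdr" in
            openssh-key-v1none*) echo none ;;
            openssh-key-v1*)     echo encrypted ;;
            *)                   echo unknown ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" ||
         grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted          # PKCS#8, or legacy PEM with a DEK-Info header
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo none               # legacy PEM with no encryption header
    else
        echo unknown
    fi
}

# Return 0 if no group/other permission bit is set (what OpenSSH requires before
# it will use a private key), 1 if the key is too open, 2 if it cannot be read.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Explain the exit status that ssh-add(1) documents for `ssh-add -l`.
agent_state() {
    case "$1" in
        0) echo "agent holds identities; if login still fails, the server is rejecting them" ;;
        1) echo "agent reachable but empty: run ssh-add to load the key" ;;
        2) echo "cannot contact agent: SSH_AUTH_SOCK does not point at a live agent" ;;
        *) echo "ssh-add exited $1: is OpenSSH installed?" ;;
    esac
}

# Live probe: is there a socket at all, and what does the agent say?
probe_agent() {
    if [ -z "${SSH_AUTH_SOCK-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo 'SSH_AUTH_SOCK unset or not a socket: start one with eval "$(ssh-agent -s)"'
        return 2
    fi
    ssh-add -l >/dev/null 2>&1
    st=$?
    agent_state "$st"
    return "$st"
}

# Usage: sh ssh_login_preflight.sh ~/.ssh/id_rsa
if [ -n "${1-}" ]; then
    printf 'key protection: %s\n' "$(key_protection "$1")"
    if key_mode_ok "$1"; then
        echo "key mode: ok"
    else
        echo "key mode: too open or unreadable; for an owned key run: chmod 600 '$1'"
    fi
    probe_agent
fi
```

A key that reports `none` is exactly what the guide's "hit Enter when prompted" produces: anyone who copies the file can use it. A key that reports `encrypted` together with an agent state of 1 is the situation in this report, and a single `ssh-add` (prompting once for the passphrase) fixes it for the life of the agent.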

Revision history for this message
Theodotos Andreou (theodotos) wrote :

I had this after upgrading to Xenial. `ssh-add` solved the problem.

Revision history for this message
segler (segler-alex) wrote :

I have the same problem:

sign_and_send_pubkey: signing failed: agent refused operation

is displayed if I do an ssh connection to a host,
but I am using a YubiKey (a GPG-enabled hardware key) that delivers the key, and therefore I cannot do ssh-add.
I have a running gpg-agent with
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
"set | grep SSH" is correct:
SSH_AUTH_SOCK=/home/user/.gnupg/S.gpg-agent.ssh

The key with ssh worked in all previous versions of Ubuntu.

Chad Miller (cmiller)
Changed in openssh (Ubuntu):
status: New → Confirmed
affects: openssh (Ubuntu) → gnupg2 (Ubuntu)
Revision history for this message
Pavak Paul (pavakatubuntu) wrote :

I have the same problem, fixed by doing
$ ssh-add
Resource: http://askubuntu.com/a/762558/157406

Revision history for this message
mahmoh (mahmoh) wrote :

Installed Xenial 16.04 via debootstrap so I could have a zfs root/boot and somehow hit this problem and couldn't figure it out right away. The ssh error message should have a clearer way of deciphering the problem, but ssh-add did fix it. Shouldn't this problem be avoided in the ssh-keygen utility, or does this user creation case actually make sense somewhere? Thank you.

Revision history for this message
kkubkowski (kkubkowski) wrote :

Found out that ssh will relay that error if the identity that shall be used is a link to the actual file.
I generated RSA keys using OpenSSL and stored them in ~/.ssh/id_rsa.pub.pem and ~/.ssh/id_rsa.key.pem.
Then I converted ~/.ssh/id_rsa.pub.pem into OpenSSH format using ssh-keygen.
Then I created a link: ln ~/.ssh/id_rsa.key.pem ~/.ssh/id_rsa
Then I edited /etc/ssh/ssh_config such that there was only one line: IdentityFile ~/.ssh/id_rsa
Then I tried to log into the remote machine; the result was: sign_and_send_pubkey: signing failed: agent refused operation

Maybe I am missing something and there is a configuration option that follows links?

Revision history for this message
Rohit Khatkar (mldy) wrote :

I solved this issue using help from:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Encrypted Home Directory was my issue, and it was a file permission issue.

Also I needed to run "gpg-agent --daemon --enable-ssh-support" explicitly, though it was part of the YubiKey Ubuntu script from here: https://developers.yubico.com/PGP/SSH_authentication/

I just ran the script again and again and fixed file permissions. Somehow it started working and allowed me to login.

Using Ubuntu 16.04.02.
YubiKey 4 nano

Revision history for this message
Rohit Khatkar (mldy) wrote :

I executed the Ubuntu script at https://developers.yubico.com/PGP/SSH_authentication/ for yubikey 4

I got this message:
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'

When the PGP agent is running run the following command:

ssh-add

It solved this issue for me.
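The hardware-key setups in segler's and Rohit Khatkar's comments above share one shape: gpg-agent, started with enable-ssh-support, is the SSH agent, and ssh fails with "agent refused operation" even though nothing is wrong with the key itself. The script below is an added example, not from this report, from Yubico's script or from the GnuPG documentation; it checks the wiring between OpenSSH and gpg-agent that those comments fix by hand. It assumes POSIX sh with awk for the parsing functions, and GnuPG 2.1 or later (gpgconf, gpg-connect-agent) plus OpenSSH's ssh-add for the live diagnose() part only; the script name and function names are ours. It parses the full `gpgconf --list-dirs` output rather than relying on the one-argument form, because newer GnuPG releases move the socket from ~/.gnupg to /run/user/<uid>/gnupg, which is exactly why a socket path hard-coded in a shell profile breaks across an upgrade.

```shell
#!/bin/sh
# gpg_ssh_agent_check.sh (added example; names are ours, not from Yubico or GnuPG).
# When gpg-agent is the SSH agent (enable-ssh-support), "agent refused operation"
# usually means OpenSSH is talking to the wrong agent socket, or gpg-agent could
# not put a PIN/passphrase prompt on a terminal, so the signing request failed.
# Assumed tools: POSIX sh and awk; GnuPG 2.1+ (gpgconf, gpg-connect-agent) and
# OpenSSH's ssh-add are needed only by diagnose().

# `gpgconf --list-dirs` prints one "name:value" line per directory or socket.
# Pick the SSH socket path out of that text.
ssh_socket_from_listdirs() {
    printf '%s\n' "$1" | awk -F: '$1 == "agent-ssh-socket" { print $2; exit }'
}

# 0 if gpg-agent.conf ($1) enables the OpenSSH agent protocol, 1 otherwise.
ssh_support_enabled() {
    grep -q '^[[:space:]]*enable-ssh-support' "$1" 2>/dev/null
}

# 0 if SSH_AUTH_SOCK ($1) is exactly the socket gpg-agent serves ($2).
# A leftover ssh-agent or gnome-keyring socket here means the key on the card
# is never offered, and a plain `ssh-add` talks to the wrong agent as well.
agent_sock_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

diagnose() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    if ! ssh_support_enabled "$conf"; then
        echo "enable-ssh-support missing from $conf; add it, then: gpgconf --kill gpg-agent"
    fi
    sock=$(ssh_socket_from_listdirs "$(gpgconf --list-dirs)")
    if agent_sock_matches "${SSH_AUTH_SOCK-}" "$sock"; then
        echo "SSH_AUTH_SOCK points at gpg-agent: $sock"
    else
        echo "SSH_AUTH_SOCK='${SSH_AUTH_SOCK-}' but gpg-agent serves '$sock'"
        echo "fix: export SSH_AUTH_SOCK=\"$sock\""
    fi
    # Tell gpg-agent which terminal pinentry may use. If the PIN prompt cannot
    # appear, the signing request fails and ssh prints "agent refused operation".
    GPG_TTY=$(tty); export GPG_TTY
    gpg-connect-agent updatestartuptty /bye >/dev/null
    # Keys gpg-agent will offer: the authentication key of an inserted card, and
    # on-disk keys whose keygrips are listed in ~/.gnupg/sshcontrol (the file
    # ssh-add appends to when SSH_AUTH_SOCK points at gpg-agent).
    ssh-add -L
}

# Usage: sh gpg_ssh_agent_check.sh --diagnose
if [ "${1-}" = --diagnose ]; then
    diagnose
fi
```

If `ssh-add -L` lists the card's key but ssh still fails, the remaining suspect is the PIN prompt: run the same ssh command with `-v` and watch for the signing step, and check that a pinentry program is installed and reachable from the session that runs ssh.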

Revision history for this message
Piotr Maruszczak (pieras) wrote :

ssh-add did the thing.
