ssh-add does not always unlock ssh keys

Bug #841672 reported by Claudio Moretti
This bug affects 28 people
Affects: openssh (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

When I execute ssh-add it asks for my keys' passwords and confirms that they were unlocked, but when I try to ssh into a server I am asked for my password again via the ssh-askpass-gnome prompt.

Here's an (edited and cut) version of my .ssh/config file:

=====================================================
VisualHostKey yes
Host myhost1
 Hostname myhost1.url
 User user
 PreferredAuthentications publickey
 IdentityFile ~/.ssh/id_dsa
 Compression yes
 Compressionlevel 6

Host myhost2
 Hostname myhost2.url
 User user
 PreferredAuthentications publickey
 Compression no

Host myhost3 myhost4 myhost5
 Hostname myhost3.url
 User user
 PreferredAuthentications publickey
 Compression yes
 Compressionlevel 6

[...]

=====================================================

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: ssh-askpass (not installed)
ProcVersionSignature: Ubuntu 3.0.0-10.16-generic 3.0.4
Uname: Linux 3.0.0-10-generic x86_64
Architecture: amd64
Date: Mon Sep 5 11:29:43 2011
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ssh-askpass
UpgradeStatus: Upgraded to oneiric on 2011-06-29 (68 days ago)

Soren Hansen (soren) wrote :

Is your ssh agent running? What does "echo $SSH_AUTH_SOCK" say?

Changed in openssh (Ubuntu):
status: New → Incomplete
Claudio Moretti (flyingstar16) wrote :

Here's the output:

claudio@Chuck:~$ echo $SSH_AUTH_SOCK
/tmp/keyring-TjsKLR/ssh

Changed in openssh (Ubuntu):
status: Incomplete → New
Robie Basak (racb)
Changed in openssh (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Dominik Brodowski (brodowski) wrote :

Please reconsider the importance - it is a quite annoying bug (at least to me).

Felix Müller (felix-mueller-w) wrote :

> Please reconsider the importance - it is a quite annoying bug (at least to me).

Same here. We have rather complex tunneling mechanisms where we hop over 5+ systems to get to the target hosts. With a strong (and long) passphrase and some dozen connections a day (remote support) over here this results in a major degradation of productivity.

Chris Snyder (csnyder) wrote :

> Please reconsider the importance - it is a quite annoying bug (at least to me).

+1
This bug is very annoying and a drain on productivity.

C de-Avillez (hggdh2) wrote :

I just tested it here -- Oneiric, two terminal windows, one running RoxTerm, one under byobu.

On the byobu window:

ssh-add -l
(my key was shown)
ssh-add -D
ssh-add -l
(no keys shown)
ssh test.machine.info
(pop up asking for SSH passphrase; entered it, got in session; ended the session)
ssh test.machine.info
(session opened with no pop-ups; ended the session)
ssh-add -D
ssh-add -l
(no keys shown)
ssh-add
ssh-add -l
(my key was shown)
ssh test.machine.info
(session opened with no pop-ups; ended the session)

Moved over to the stand-alone RoxTerm; then repeated the tests. To my surprise even *after* adding my SSH key in, when I tried to open the SSH session to the test machine I was still presented with a pop-up asking for the passphrase on *first* SSH. Second SSH session, *without* running 'ssh-add -D', opened the session without a pop-up for passphrase.

Another interesting bit: on the RoxTerm stand-alone, 'ssh-add -D' did *not* clean up the keys in the agent.

Additional findings: SSH_AUTH_SOCK differs on the terminal windows (byobu and RoxTerm):

* Under RoxTerm:

[cerdea-aws]cerdea@xango3:~$ set | grep SSH
SSH_AGENT_PID=2857
SSH_AUTH_SOCK=/tmp/keyring-6fXAtd/ssh
[cerdea-aws]cerdea@xango3:~$

* Under byobu:

[cerdea-aws]cerdea@xango3:/build/buildd/ubuntu-qa-tools/vm-tools$ set | grep SSH
SSH_AGENT_PID=2857
SSH_AUTH_SOCK=/home/cerdea/.byobu/.ssh-agent
[cerdea-aws]cerdea@xango3:/build/buildd/ubuntu-qa-tools/vm-tools$

Note that the SSH_AGENT_PID is the same.

Also, I dimly remember something about gnome-keyring and ssh-add. Will try to find out the references.

Setting importance to Medium.

Changed in openssh (Ubuntu):
importance: Low → Medium
summary: - ssh-add does not unlock ssh keys
+ ssh-add does not always unlock ssh keys
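
Added example (not part of any comment in this report): a small diagnostic, run in each terminal, that shows which agent a shell's SSH_AUTH_SOCK points at and whether that agent holds keys. The function names are hypothetical; the path patterns come from the sockets quoted above plus the /run/user/UID/keyring/ssh location used by later gnome-keyring versions, and the exit statuses are those documented in ssh-add(1).

```bash
#!/bin/bash
# Added example: report which agent this shell talks to.

# Classify a socket path by the patterns seen in this report.
classify_agent_sock() {
    case "$1" in
        "")                            echo "unset" ;;
        */keyring-*/ssh|*/keyring/ssh) echo "gnome-keyring" ;;
        */.byobu/.ssh-agent)           echo "byobu" ;;
        *)                             echo "other" ;;
    esac
}

# Translate the exit status of 'ssh-add -l' (see ssh-add(1)).
describe_ssh_add_status() {
    case "$1" in
        0) echo "agent reachable, keys loaded" ;;
        1) echo "agent reachable, no identities" ;;
        2) echo "cannot contact agent" ;;
        *) echo "unexpected status $1" ;;
    esac
}

agent_report() {
    sock="${SSH_AUTH_SOCK:-}"
    echo "SSH_AUTH_SOCK=${sock:-<unset>}"
    echo "SSH_AGENT_PID=${SSH_AGENT_PID:-<unset>}"
    echo "agent type (as set): $(classify_agent_sock "$sock")"
    if [ -n "$sock" ]; then
        # The path may be a symlink to another agent's socket; resolve it.
        real=$(readlink -f "$sock" 2>/dev/null) || real="$sock"
        echo "resolves to: $real ($(classify_agent_sock "$real"))"
        if [ ! -S "$sock" ]; then
            echo "warning: $sock is not a socket"
        fi
    fi
    if command -v ssh-add >/dev/null 2>&1; then
        status=0
        ssh-add -l >/dev/null 2>&1 || status=$?
        echo "ssh-add -l: $(describe_ssh_add_status "$status")"
    fi
}

agent_report
```

Comparing the output from two terminals shows whether 'ssh-add' and 'ssh-add -D' in one of them act on the same agent that ssh will use in the other.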
C de-Avillez (hggdh2) wrote :
Danny Howard (dannyman) wrote :

This bug is rather obnoxious.

Andreas Hasenack (ahasenack) wrote :

Very annoying, I run ssh-add and am still prompted for the passphrase by some GUI tool.

Holger Krekel (hpk) wrote :

The bug still seems to be present in March 2012 - and is annoying indeed.

Hamish Downer (mishd) wrote :

My use case is that I have a script (using tmuxinator) that opens several shells inside tmux and executes ssh in them, all at once. I run ssh-add before starting the script, so that I only have to enter the passphrase once. However with this behaviour I have to enter the passphrase into the gui dialog box multiple times.

After that ssh and the agent work as expected. But I can't seem to unlock the ssh key properly before starting an actual ssh session.

Hamish Downer (mishd) wrote :

I found a way to trigger the gnome dialog box directly, so I only have to enter the ssh password once.

I created ~/bin/gssh-add and put the following in it:

SSH_ASK_PASS=/usr/bin/ssh-askpass ssh-add

I then make it executable:

chmod +x ~/bin/gssh-add

And then I launch it using Alt+F2. That triggers the gnome dialog box.

Note that if you run gssh-add from the terminal it will not trigger the gnome dialog box. See the ENVIRONMENT section of the ssh-add man page for details as to why.

Paul Willoughby (paul-natyyjkkrqk00) wrote :

Very annoying bug. One way round it is from your terminal prompt do:

$ exec ssh-agent bash

Then `ssh-add` will work as expected.

Hamish Downer (mishd) wrote :

Scratch my last workaround (#13). It didn't work. This one does, though.

Stop gnome-keyring ssh-agent from starting. Then ssh-agent and ssh work as expected.

To stop gnome-keyring ssh-agent from starting do:

    sudo mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.disabled

I first posted this, plus a load of stuff about trying to work through the problem at http://askubuntu.com/questions/122824/how-to-manually-trigger-ssh-add-dialog-box/

Steve Chadsey (schadsey) wrote :

This bug is present in Ubuntu 13.04.

amk (9-launchpad-mikus-sk) wrote :

Ubuntu 16.04 also impacted
