public inbox for overseers@sourceware.org
* sign_and_send_pubkey: signing failed: agent refused operation
@ 2020-06-01 17:43 Martin Sebor
  2020-06-01 18:10 ` Frank Ch. Eigler
  0 siblings, 1 reply; 13+ messages in thread
From: Martin Sebor @ 2020-06-01 17:43 UTC (permalink / raw)
  To: Overseers mailing list, gcc mailing list

git pull from the GCC and Glibc repos is failing for me with the error
below.  It worked fine last week and I haven't made any changes to my
ssh keys.

Is this a transient glitch or has something changed recently that I
need to make some adjustments for?

sign_and_send_pubkey: signing failed: agent refused operation
msebor@gcc.gnu.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thanks
Martin


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 17:43 sign_and_send_pubkey: signing failed: agent refused operation Martin Sebor
@ 2020-06-01 18:10 ` Frank Ch. Eigler
  2020-06-01 19:12   ` Jonathan Wakely
  2020-06-01 19:14   ` Martin Sebor
  0 siblings, 2 replies; 13+ messages in thread
From: Frank Ch. Eigler @ 2020-06-01 18:10 UTC (permalink / raw)
  To: Overseers mailing list; +Cc: gcc mailing list, Martin Sebor

Hi -

> git pull from the GCC and Glibc repos is failing for me with the error
> below.  It worked fine last week and I haven't made any changes to my
> ssh keys.

And are you logging in from the same workstation with access to the same
set of ssh private keys?

> Is this a transient glitch or has something changed recently that I
> need to make some adjustments for?

I know of nothing relevant that has changed on the sourceware side.

> sign_and_send_pubkey: signing failed: agent refused operation
> msebor@gcc.gnu.org: Permission denied (publickey).
> fatal: Could not read from remote repository.

The usual advice is to run       % ssh -vv gcc.gnu.org alive
and report the ssh level error.

"agent refused operation" sounds like a problem on the client end.


- FChE



* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 18:10 ` Frank Ch. Eigler
@ 2020-06-01 19:12   ` Jonathan Wakely
  2020-06-02 20:26     ` Martin Sebor
  2020-06-01 19:14   ` Martin Sebor
  1 sibling, 1 reply; 13+ messages in thread
From: Jonathan Wakely @ 2020-06-01 19:12 UTC (permalink / raw)
  To: Frank Ch. Eigler; +Cc: Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>
> Hi -
>
> > git pull from the GCC and Glibc repos is failing for me with the error
> > below.  It worked fine last week and I haven't made any changes to my
> > ssh keys.
>
> And are you logging in from the same workstation with access to the same
> set of ssh private keys?
>
> > Is this a transient glitch or has something changed recently that I
> > need to make some adjustments for?
>
> I know of nothing relevant that has changed on the sourceware side.
>
> > sign_and_send_pubkey: signing failed: agent refused operation
> > msebor@gcc.gnu.org: Permission denied (publickey).
> > fatal: Could not read from remote repository.
>
> The usual advice is to run       % ssh -vv gcc.gnu.org alive
> and report the ssh level error.
>
> "agent refused operation" sounds like a problem on the client end.

Yes, it is. "agent" refers to the ssh-agent program.

Martin, what does 'ssh-add -l' show?

Is there only one ssh-agent process shown by 'ps -ef | fgrep
[s]sh-agent'? Does its PID match $SSH_AGENT_PID?

Another possible cause is that the file permissions are not strict
enough on the private key, or on the ~/.ssh directory that contains
it. Key files should be 600 and ~/.ssh should be 700.


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 18:10 ` Frank Ch. Eigler
  2020-06-01 19:12   ` Jonathan Wakely
@ 2020-06-01 19:14   ` Martin Sebor
  2020-06-01 19:25     ` Jonathan Wakely
  1 sibling, 1 reply; 13+ messages in thread
From: Martin Sebor @ 2020-06-01 19:14 UTC (permalink / raw)
  To: Frank Ch. Eigler, Overseers mailing list; +Cc: gcc mailing list

On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> Hi -
> 
>> git pull from the GCC and Glibc repos is failing for me with the error
>> below.  It worked fine last week and I haven't made any changes to my
>> ssh keys.
> 
> And are you logging in from the same workstation with access to the same
> set of ssh private keys?

Yes.

> 
>> Is this a transient glitch or has something changed recently that I
>> need to make some adjustments for?
> 
> I know of nothing relevant that has changed on the sourceware side.
> 
>> sign_and_send_pubkey: signing failed: agent refused operation
>> msebor@gcc.gnu.org: Permission denied (publickey).
>> fatal: Could not read from remote repository.
> 
> The usual advice is to run       % ssh -vv gcc.gnu.org alive
> and report the ssh level error.
> 
> "agent refused operation" sounds like a problem on the client end.

Until last week, when I ran git pull from the GCC or Glibc repo
I'd get prompted for my password.  I'd either type it in or hit
ctrl-C, enter ssh-add, and start over.

After deleting ~/.ssh/known_hosts to resolve the problem I asked
about last week (Re: ssh key conflicts), I'm no longer prompted
for my password.  Instead, I get the error above.

Both of these are new (I think since the recent server changes).  Now
that I've seen it and know what to expect I can adjust to it but it
seems like things have gotten worse.  Certainly the errors I got
in both instances (i.e., last week as well as today) are not helpful.

I captured the ssh -vv gcc.gnu.org output below for a successful
invocation and a failed one if that sheds more light on why it's
failing in (to me) a mysterious way.

Successful authentication:

debug1: Will attempt key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Will attempt key: /home/msebor/.ssh/id_ecdsa
debug1: Will attempt key: /home/msebor/.ssh/id_ed25519
debug1: Will attempt key: /home/msebor/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Authentication succeeded (publickey).
Authenticated to gcc.gnu.org ([8.43.85.97]:22).

Failed authentication (after ssh-add -D):

debug1: Will attempt key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Will attempt key: /home/msebor/.ssh/id_ecdsa
debug1: Will attempt key: /home/msebor/.ssh/id_ed25519
debug1: Will attempt key: /home/msebor/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Trying private key: /home/msebor/.ssh/id_ecdsa
debug1: Trying private key: /home/msebor/.ssh/id_ed25519
debug1: Trying private key: /home/msebor/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
msebor@gcc.gnu.org: Permission denied (publickey).

Martin


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:14   ` Martin Sebor
@ 2020-06-01 19:25     ` Jonathan Wakely
  2020-06-01 19:46       ` Martin Sebor
  0 siblings, 1 reply; 13+ messages in thread
From: Jonathan Wakely @ 2020-06-01 19:25 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
>
> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> > Hi -
> >
> >> git pull from the GCC and Glibc repos is failing for me with the error
> >> below.  It worked fine last week and I haven't made any changes to my
> >> ssh keys.
> >
> > And are you logging in from the same workstation with access to the same
> > set of ssh private keys?
>
> Yes.
>
> >
> >> Is this a transient glitch or has something changed recently that I
> >> need to make some adjustments for?
> >
> > I know of nothing relevant that has changed on the sourceware side.
> >
> >> sign_and_send_pubkey: signing failed: agent refused operation
> >> msebor@gcc.gnu.org: Permission denied (publickey).
> >> fatal: Could not read from remote repository.
> >
> > The usual advice is to run       % ssh -vv gcc.gnu.org alive
> > and report the ssh level error.
> >
> > "agent refused operation" sounds like a problem on the client end.
>
> Until last week, when I ran git pull from the GCC or Glibc repo
> I'd get prompted for my password.  I'd either type it in or hit
> ctrl-C, enter ssh-add, and start over.
>
> After deleting ~/.ssh/known_hosts to resolve the problem I asked
> about last week (Re: ssh key conflicts), I'm no longer prompted
> for my password.  Instead, I get the error above.

Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
user? The ssh client (or the agent) will try to create
~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
is not writable that will fail.

> Both of these are new (I think since the recent server changes).  Now

The host key did change after the server upgrade, that's expected. The
other problem is not caused by the server.

> that I've seen it and know what to expect I can adjust to it but it
> seems like things have gotten worse.  Certainly the errors I got
> in both instances (i.e., last week as well as today) are not helpful.

SSH errors usually aren't.

> I captured the ssh -vv gcc.gnu.org output below for a successful
> invocation and a failed one if that sheds more light on why it's
> failing in (to me) a mysterious way.

The failed attempt shows that your public key is offered to the
server, and the server says it will accept it (meaning it matches a
~/.ssh/authorized_keys entry on the server) but then your client
refuses to use that key.

Check your ~/.ssh and ~/.ssh/id_rsa* permissions.


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:25     ` Jonathan Wakely
@ 2020-06-01 19:46       ` Martin Sebor
  2020-06-01 19:53         ` Frank Ch. Eigler
  2020-06-01 22:30         ` Jonathan Wakely
  0 siblings, 2 replies; 13+ messages in thread
From: Martin Sebor @ 2020-06-01 19:46 UTC (permalink / raw)
  To: Jonathan Wakely
  Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On 6/1/20 1:25 PM, Jonathan Wakely wrote:
> On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
>>
>> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
>>> Hi -
>>>
>>>> git pull from the GCC and Glibc repos is failing for me with the error
>>>> below.  It worked fine last week and I haven't made any changes to my
>>>> ssh keys.
>>>
>>> And are you logging in from the same workstation with access to the same
>>> set of ssh private keys?
>>
>> Yes.
>>
>>>
>>>> Is this a transient glitch or has something changed recently that I
>>>> need to make some adjustments for?
>>>
>>> I know of nothing relevant that has changed on the sourceware side.
>>>
>>>> sign_and_send_pubkey: signing failed: agent refused operation
>>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>>> fatal: Could not read from remote repository.
>>>
>>> The usual advice is to run       % ssh -vv gcc.gnu.org alive
>>> and report the ssh level error.
>>>
>>> "agent refused operation" sounds like a problem on the client end.
>>
>> Until last week, when I ran git pull from the GCC or Glibc repo
>> I'd get prompted for my password.  I'd either type it in or hit
>> ctrl-C, enter ssh-add, and start over.
>>
>> After deleting ~/.ssh/known_hosts to resolve the problem I asked
>> about last week (Re: ssh key conflicts), I'm no longer prompted
>> for my password.  Instead, I get the error above.
> 
> Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
> user? The ssh client (or the agent) will try to create
> ~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
> is not writable that will fail.

~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
Everything works fine if I add my key by running ssh-add.  What's
not so great is the errors I get when I forget to do that: "agent
refused operation?"

> 
>> Both of these are new (I think since the recent server changes).  Now
> 
> The host key did change after the server upgrade, that's expected. The
> other problem is not caused by the server.
> 
>> that I've seen it and know what to expect I can adjust to it but it
>> seems like things have gotten worse.  Certainly the errors I got
>> in both instances (i.e., last week as well as today) are not helpful.
> 
> SSH errors usually aren't.
> 
>> I captured the ssh -vv gcc.gnu.org output below for a successful
>> invocation and a failed one if that sheds more light on why it's
>> failing in (to me) a mysterious way.
> 
> The failed attempt shows that your public key is offered to the
> server, and the server says it will accept it (meaning it matches a
> ~/.ssh/authorized_keys entry on the server) but then your client
> refuses to use that key.
> 
> Check your ~/.ssh and ~/.ssh/id_rsa* permissions.

They're all rw by the owner only.  Nothing has changed on my end
(except that I removed/recreated ~/.ssh/known_hosts to avoid some
mysterious problems last week).

I have it working now so I don't want to use up too much of anyone
else's time trying to debug things.  It just feels like too much
of a coincidence that I started having these problems only after
the recent server upgrade.  If something jumps out at someone as
a problem or missing setting on the server end, tweaking that to
improve things going forward that would be great.  Otherwise,
let's just chalk it up to the usual joys of upgrading to "new
and improved" versions of software.

Martin


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:46       ` Martin Sebor
@ 2020-06-01 19:53         ` Frank Ch. Eigler
  2020-06-01 22:33           ` Martin Sebor
  2020-06-01 22:30         ` Jonathan Wakely
  1 sibling, 1 reply; 13+ messages in thread
From: Frank Ch. Eigler @ 2020-06-01 19:53 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Jonathan Wakely, Overseers mailing list, gcc mailing list

Hi -

> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
> Everything works fine if I add my key by running ssh-add.  What's
> not so great is the errors I get when I forget to do that: "agent
> refused operation?"

Yeah, there is something odd on your side.  Maybe your ssh client is
unable to find the right private key - maybe it's named non-default?
If so, add it to your .ssh/config

   Host gcc.gnu.org sourceware.org
       IdentityFile ~/.ssh/id_XYZ

> It just feels like too much of a coincidence that I started having
> these problems only after the recent server upgrade.  [...]

I'm afraid it does look like a coincidence.

- FChE



* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:46       ` Martin Sebor
  2020-06-01 19:53         ` Frank Ch. Eigler
@ 2020-06-01 22:30         ` Jonathan Wakely
  1 sibling, 0 replies; 13+ messages in thread
From: Jonathan Wakely @ 2020-06-01 22:30 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 20:46, Martin Sebor <msebor@gmail.com> wrote:
>
> On 6/1/20 1:25 PM, Jonathan Wakely wrote:
> > On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
> >>
> >> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> >>> Hi -
> >>>
> >>>> git pull from the GCC and Glibc repos is failing for me with the error
> >>>> below.  It worked fine last week and I haven't made any changes to my
> >>>> ssh keys.
> >>>
> >>> And are you logging in from the same workstation with access to the same
> >>> set of ssh private keys?
> >>
> >> Yes.
> >>
> >>>
> >>>> Is this a transient glitch or has something changed recently that I
> >>>> need to make some adjustments for?
> >>>
> >>> I know of nothing relevant that has changed on the sourceware side.
> >>>
> >>>> sign_and_send_pubkey: signing failed: agent refused operation
> >>>> msebor@gcc.gnu.org: Permission denied (publickey).
> >>>> fatal: Could not read from remote repository.
> >>>
> >>> The usual advice is to run       % ssh -vv gcc.gnu.org alive
> >>> and report the ssh level error.
> >>>
> >>> "agent refused operation" sounds like a problem on the client end.
> >>
> >> Until last week, when I ran git pull from the GCC or Glibc repo
> >> I'd get prompted for my password.  I'd either type it in or hit
> >> ctrl-C, enter ssh-add, and start over.
> >>
> >> After deleting ~/.ssh/known_hosts to resolve the problem I asked
> >> about last week (Re: ssh key conflicts), I'm no longer prompted
> >> for my password.  Instead, I get the error above.
> >
> > Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
> > user? The ssh client (or the agent) will try to create
> > ~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
> > is not writable that will fail.
>
> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
> Everything works fine if I add my key by running ssh-add.  What's
> not so great is the errors I get when I forget to do that: "agent
> refused operation?"

Is $SSH_ASKPASS set in your environment? Does running the command it's
set to work?

Are you using the openssh agent, or something else like gpg-agent or
GNOME keyring?

It's not a server-side error though. The server can't prevent your
agent from prompting you for your key's passphrase.


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:53         ` Frank Ch. Eigler
@ 2020-06-01 22:33           ` Martin Sebor
  2020-06-02 20:00             ` Jim Wilson
  0 siblings, 1 reply; 13+ messages in thread
From: Martin Sebor @ 2020-06-01 22:33 UTC (permalink / raw)
  To: Frank Ch. Eigler
  Cc: Jonathan Wakely, Overseers mailing list, gcc mailing list

On 6/1/20 1:53 PM, Frank Ch. Eigler wrote:
> Hi -
> 
>> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
>> Everything works fine if I add my key by running ssh-add.  What's
>> not so great is the errors I get when I forget to do that: "agent
>> refused operation?"
> 
> Yeah, there is something odd on your side.  Maybe your ssh client is
> unable to find the right private key - maybe it's named non-default?
> If so, add it to your .ssh/config
> 
>     Host gcc.gnu.org sourceware.org
>         IdentityFile ~/.ssh/id_XYZ
> 
>> It just feels like too much of a coincidence that I started having
>> these problems only after the recent server upgrade.  [...]
> 
> I'm afraid it does look like a coincidence.

So it sounds like you wouldn't expect the "agent refused operation"
error either, and it's not just a poor error message that I should
learn to live with.  That makes me think I should try to figure out
what's wrong.  I think the ~/.ssh/ contents are pretty standard:

$ ls -l ~/.ssh/
total 32
-rw-------. 1 msebor msebor  998 Jan  3  2019 authorized_keys
-rw-------. 1 msebor msebor 1381 Jan  3  2019 id_dsa
-rw-------. 1 msebor msebor  603 Jan  3  2019 id_dsa.pub
-rw-------. 1 msebor msebor 1876 Dec 18  2018 id_rsa
-rw-------. 1 msebor msebor  395 Dec 18  2018 id_rsa.pub
-rw-------. 1 msebor msebor  187 Jun  1 13:41 known_hosts

I'm not a Git or ssh power user so I don't change default settings
unless I absolutely have to.  It's also been a while since I updated
my workstation so I can't think of anything that could be behind this.

Do you have any suggestions what else to look at?

Martin


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 22:33           ` Martin Sebor
@ 2020-06-02 20:00             ` Jim Wilson
  0 siblings, 0 replies; 13+ messages in thread
From: Jim Wilson @ 2020-06-02 20:00 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Frank Ch. Eigler, gcc mailing list, Overseers mailing list

On Mon, Jun 1, 2020 at 3:33 PM Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
> So it sounds like you wouldn't expect the "agent refused operation"
> error either, and it's not just a poor error message that I should
> learn to live with.  That makes me think I should try to figure out
> what's wrong.  I think the ~/.ssh/ contents are pretty standard:

My experience with Ubuntu 18.04 is that 2K bit keys aren't accepted by
something (gnome UI?) anymore.  I had to upgrade to 4K bit keys.
Though oddly ssh-keygen still generates 2K bit keys by default even
though they won't be accepted by the gnome UI (or whatever).  The work
around is to run ssh-add manually to register your 2K bit key, because
ssh-add will still accept 2K bit keys, and then ssh will work, and can
be used to install a 4K bit public key on the other side, and then
things will work normally again.  A web search suggested that there
was some security problem with 2K bit keys and apparently they are
trying to force people to upgrade, but the inconsistent approach here
between different packages makes this confusing as to what is actually
going on.

Jim


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-01 19:12   ` Jonathan Wakely
@ 2020-06-02 20:26     ` Martin Sebor
  2020-06-02 20:43       ` Jonathan Wakely
  0 siblings, 1 reply; 13+ messages in thread
From: Martin Sebor @ 2020-06-02 20:26 UTC (permalink / raw)
  To: Overseers mailing list, Frank Ch. Eigler
  Cc: Jonathan Wakely, gcc mailing list

On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
> On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>>
>> Hi -
>>
>>> git pull from the GCC and Glibc repos is failing for me with the error
>>> below.  It worked fine last week and I haven't made any changes to my
>>> ssh keys.
>>
>> And are you logging in from the same workstation with access to the same
>> set of ssh private keys?
>>
>>> Is this a transient glitch or has something changed recently that I
>>> need to make some adjustments for?
>>
>> I know of nothing relevant that has changed on the sourceware side.
>>
>>> sign_and_send_pubkey: signing failed: agent refused operation
>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>> fatal: Could not read from remote repository.
>>
>> The usual advice is to run       % ssh -vv gcc.gnu.org alive
>> and report the ssh level error.
>>
>> "agent refused operation" sounds like a problem on the client end.
> 
> Yes, it is. "agent" refers to the ssh-agent program.
> 
> Martin, what does 'ssh-add -l' show?
> 
> Is there only one ssh-agent process shown by 'ps -ef | fgrep
> [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
> 
> Another possible cause is that the file permissions are not strict
> enough on the private key, or on the ~/.ssh directory that contains
> it. Key files should be 600 and ~/.ssh should be 700.

We solved the problem over IRC last night so just to close the loop
on it here: it turned out to be caused by Gnome keyring setting
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh.  With the environment
variable undefined I get prompted for the password as expected.

Thank you both again for your help in getting to the bottom of it!

Martin
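
[Added example, not part of the thread or of any poster's message.] A POSIX shell script for the client-side checks discussed in this thread: Jonathan's reading of the failed ssh -vv transcript (key accepted by the server, then refused by the agent), which agent SSH_AUTH_SOCK points at, and whether ~/.ssh and the private keys are accessible to the owner only. The function names and the socket-path patterns (typical defaults) are assumptions; the sample transcript is constructed, modeled on the failing one quoted earlier.

```shell
#!/bin/sh
# Added example: client-side triage for "agent refused operation".
# All function names are hypothetical; nothing here comes from sourceware.

# Classify an `ssh -vv` transcript read from stdin.
classify_ssh_debug() {
    awk '
        /Server accepts key:/                                            { accepted = 1 }
        /sign_and_send_pubkey: signing failed: agent refused operation/  { refused = 1 }
        /Authentication succeeded \(publickey\)/                         { ok = 1 }
        /Permission denied \(publickey\)/                                { denied = 1 }
        END {
            if (ok)                       print "authenticated"
            else if (accepted && refused) print "agent-refused-after-server-accept"
            else if (refused)             print "agent-refused"
            else if (denied)              print "server-rejected-all-keys"
            else                          print "inconclusive"
        }'
}

# Guess which agent owns a socket path. Heuristic: the patterns are typical
# default locations, not guaranteed ones.
agent_kind() {
    case "$1" in
        "")                    echo "no-agent" ;;
        */keyring/*)           echo "gnome-keyring" ;;   # e.g. /run/user/1000/keyring/ssh
        */gnupg/*|*gpg-agent*) echo "gpg-agent" ;;
        /tmp/ssh-*/agent.*)    echo "openssh-agent" ;;
        *)                     echo "other" ;;
    esac
}

# Map the documented `ssh-add -l` exit status to a state:
# 0 = identities listed, 1 = command failed (no identities), 2 = agent unreachable.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "keys-listed" ;;
        1) echo "agent-reachable-no-keys" ;;
        2) echo "agent-unreachable" ;;
        *) echo "ssh-add-unavailable" ;;
    esac
}

# Succeed only if group and other have no permission bits set,
# which is what modes 700 (directory) and 600 (key file) guarantee.
private_to_owner() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld -- "$1" | head -n 1 | cut -c5-10)" = "------" ]
}

# Run every check against the current user's environment.
diagnose() {
    echo "agent socket: ${SSH_AUTH_SOCK:-<unset>} ($(agent_kind "${SSH_AUTH_SOCK:-}"))"
    echo "agent state : $(agent_state)"
    for p in "$HOME/.ssh" "$HOME"/.ssh/id_*; do
        case "$p" in *.pub) continue ;; esac      # public keys may be readable
        [ -e "$p" ] || continue
        if private_to_owner "$p"; then
            echo "perms ok    : $p"
        else
            echo "perms loose : $p (chmod go-rwx)"
        fi
    done
}

# Constructed sample, abridged from the shape of the failing transcript above.
SAMPLE_FAILED='debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:<fingerprint> agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:<fingerprint> agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: No more authentication methods to try.
user@gcc.gnu.org: Permission denied (publickey).'
```

Source the file and run `diagnose`, or pipe a saved transcript through `classify_ssh_debug`. A "keys-listed" state together with "agent-refused-after-server-accept" is the combination this thread ended up with: the agent advertises the key but will not sign with it.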


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-02 20:26     ` Martin Sebor
@ 2020-06-02 20:43       ` Jonathan Wakely
  2020-06-02 21:52         ` Martin Sebor
  0 siblings, 1 reply; 13+ messages in thread
From: Jonathan Wakely @ 2020-06-02 20:43 UTC (permalink / raw)
  To: Martin Sebor; +Cc: Overseers mailing list, Frank Ch. Eigler, gcc mailing list

On Tue, 2 Jun 2020 at 21:26, Martin Sebor <msebor@gmail.com> wrote:
>
> On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
> > On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
> >>
> >> Hi -
> >>
> >>> git pull from the GCC and Glibc repos is failing for me with the error
> >>> below.  It worked fine last week and I haven't made any changes to my
> >>> ssh keys.
> >>
> >> And are you logging in from the same workstation with access to the same
> >> set of ssh private keys?
> >>
> >>> Is this a transient glitch or has something changed recently that I
> >>> need to make some adjustments for?
> >>
> >> I know of nothing relevant that has changed on the sourceware side.
> >>
> >>> sign_and_send_pubkey: signing failed: agent refused operation
> >>> msebor@gcc.gnu.org: Permission denied (publickey).
> >>> fatal: Could not read from remote repository.
> >>
> >> The usual advice is to run       % ssh -vv gcc.gnu.org alive
> >> and report the ssh level error.
> >>
> >> "agent refused operation" sounds like a problem on the client end.
> >
> > Yes, it is. "agent" refers to the ssh-agent program.
> >
> > Martin, what does 'ssh-add -l' show?
> >
> > Is there only one ssh-agent process shown by 'ps -ef | fgrep
> > [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
> >
> > Another possible cause is that the file permissions are not strict
> > enough on the private key, or on the ~/.ssh directory that contains
> > it. Key files should be 600 and ~/.ssh should be 700.
>
> We solved the problem over IRC last night so just to close the loop
> on it here: it turned out to be caused by Gnome keyring setting
> SSH_AUTH_SOCK=/run/user/1000/keyring/ssh.  With the environment
> variable undefined I get prompted for the password as expected.

But that just means you're not using an agent, right?

Do you really want to enter a passphrase every time you connect to gcc.gnu.org?

Solving it by the GNOME keyring would match Jim's suggestion that the
GNOME keyring won't use your key.

You could generate a new 4K key that GNOME keyring will accept, upload
the public key to gcc.gnu.org, and use that instead. Then you could
use the keyring as your agent.


* Re: sign_and_send_pubkey: signing failed: agent refused operation
  2020-06-02 20:43       ` Jonathan Wakely
@ 2020-06-02 21:52         ` Martin Sebor
  0 siblings, 0 replies; 13+ messages in thread
From: Martin Sebor @ 2020-06-02 21:52 UTC (permalink / raw)
  To: Jonathan Wakely
  Cc: Overseers mailing list, Frank Ch. Eigler, gcc mailing list

On 6/2/20 2:43 PM, Jonathan Wakely wrote:
> On Tue, 2 Jun 2020 at 21:26, Martin Sebor <msebor@gmail.com> wrote:
>>
>> On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
>>> On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>>>>
>>>> Hi -
>>>>
>>>>> git pull from the GCC and Glibc repos is failing for me with the error
>>>>> below.  It worked fine last week and I haven't made any changes to my
>>>>> ssh keys.
>>>>
>>>> And are you logging in from the same workstation with access to the same
>>>> set of ssh private keys?
>>>>
>>>>> Is this a transient glitch or has something changed recently that I
>>>>> need to make some adjustments for?
>>>>
>>>> I know of nothing relevant that has changed on the sourceware side.
>>>>
>>>>> sign_and_send_pubkey: signing failed: agent refused operation
>>>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>>>> fatal: Could not read from remote repository.
>>>>
>>>> The usual advice is to run       % ssh -vv gcc.gnu.org alive
>>>> and report the ssh level error.
>>>>
>>>> "agent refused operation" sounds like a problem on the client end.
>>>
>>> Yes, it is. "agent" refers to the ssh-agent program.
>>>
>>> Martin, what does 'ssh-add -l' show?
>>>
>>> Is there only one ssh-agent process shown by 'ps -ef | fgrep
>>> [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
>>>
>>> Another possible cause is that the file permissions are not strict
>>> enough on the private key, or on the ~/.ssh directory that contains
>>> it. Key files should be 600 and ~/.ssh should be 700.
>>
>> We solved the problem over IRC last night so just to close the loop
>> on it here: it turned out to be caused by Gnome keyring setting
>> SSH_AUTH_SOCK=/run/user/1000/keyring/ssh.  With the environment
>> variable undefined I get prompted for the password as expected.
> 
> But that just means you're not using an agent, right?

It just means I know what's causing the problem.  Until just
now I haven't thought about how to deal with it in a smarter
way than by remembering to run ssh-add either first, or when
I see the error.

> 
> Do you really want to enter a passphrase every time you connect to gcc.gnu.org?

Ideally, I'd prefer never to have to enter it but until that
happy day comes I'll settle for just typing it in once a day.

> 
> Solving it by the GNOME keyring would match Jim's suggestion that the
> GNOME keyring won't use your key.
> 
> You could generate a new 4K key that GNOME keyring will accept, upload
> the public key to gcc.gnu.org, and use that instead. Then you could
> use the keyring as your agent.

I just saw Jim's email.  I'll see if going to 4k keys works.

Thanks
Martin
