* sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-01 17:43 UTC
To: Overseers mailing list, gcc mailing list

git pull from the GCC and Glibc repos is failing for me with the error
below. It worked fine last week and I haven't made any changes to my
ssh keys.

Is this a transient glitch or has something changed recently that I
need to make some adjustments for?

sign_and_send_pubkey: signing failed: agent refused operation
msebor@gcc.gnu.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thanks
Martin

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Frank Ch. Eigler @ 2020-06-01 18:10 UTC
To: Overseers mailing list
Cc: gcc mailing list, Martin Sebor

Hi -

> git pull from the GCC and Glibc repos is failing for me with the error
> below. It worked fine last week and I haven't made any changes to my
> ssh keys.

And are you logging in from the same workstation with access to the same
set of ssh private keys?

> Is this a transient glitch or has something changed recently that I
> need to make some adjustments for?

I know of nothing relevant that has changed on the sourceware side.

> sign_and_send_pubkey: signing failed: agent refused operation
> msebor@gcc.gnu.org: Permission denied (publickey).
> fatal: Could not read from remote repository.

The usual advice is to run    % ssh -vv gcc.gnu.org alive
and report the ssh level error.

"agent refused operation" sounds like a problem on the client end.

- FChE

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Jonathan Wakely @ 2020-06-01 19:12 UTC
To: Frank Ch. Eigler
Cc: Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>
> Hi -
>
> > git pull from the GCC and Glibc repos is failing for me with the error
> > below. It worked fine last week and I haven't made any changes to my
> > ssh keys.
>
> And are you logging in from the same workstation with access to the same
> set of ssh private keys?
>
> > Is this a transient glitch or has something changed recently that I
> > need to make some adjustments for?
>
> I know of nothing relevant that has changed on the sourceware side.
>
> > sign_and_send_pubkey: signing failed: agent refused operation
> > msebor@gcc.gnu.org: Permission denied (publickey).
> > fatal: Could not read from remote repository.
>
> The usual advice is to run    % ssh -vv gcc.gnu.org alive
> and report the ssh level error.
>
> "agent refused operation" sounds like a problem on the client end.

Yes, it is. "agent" refers to the ssh-agent program.

Martin, what does 'ssh-add -l' show?

Is there only one ssh-agent process shown by 'ps -ef | fgrep
[s]sh-agent'? Does its PID match $SSH_AGENT_PID?

Another possible cause is that the file permissions are not strict
enough on the private key, or on the ~/.ssh directory that contains
it. Key files should be 600 and ~/.ssh should be 700.

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-02 20:26 UTC
To: Overseers mailing list, Frank Ch. Eigler
Cc: Jonathan Wakely, gcc mailing list

On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
> On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>>
>> Hi -
>>
>>> git pull from the GCC and Glibc repos is failing for me with the error
>>> below. It worked fine last week and I haven't made any changes to my
>>> ssh keys.
>>
>> And are you logging in from the same workstation with access to the same
>> set of ssh private keys?
>>
>>> Is this a transient glitch or has something changed recently that I
>>> need to make some adjustments for?
>>
>> I know of nothing relevant that has changed on the sourceware side.
>>
>>> sign_and_send_pubkey: signing failed: agent refused operation
>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>> fatal: Could not read from remote repository.
>>
>> The usual advice is to run    % ssh -vv gcc.gnu.org alive
>> and report the ssh level error.
>>
>> "agent refused operation" sounds like a problem on the client end.
>
> Yes, it is. "agent" refers to the ssh-agent program.
>
> Martin, what does 'ssh-add -l' show?
>
> Is there only one ssh-agent process shown by 'ps -ef | fgrep
> [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
>
> Another possible cause is that the file permissions are not strict
> enough on the private key, or on the ~/.ssh directory that contains
> it. Key files should be 600 and ~/.ssh should be 700.

We solved the problem over IRC last night so just to close the loop
on it here: it turned out to be caused by Gnome keyring setting
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh. With the environment
variable undefined I get prompted for the password as expected.

Thank you both again for your help in getting to the bottom of it!

Martin

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Jonathan Wakely @ 2020-06-02 20:43 UTC
To: Martin Sebor
Cc: Overseers mailing list, Frank Ch. Eigler, gcc mailing list

On Tue, 2 Jun 2020 at 21:26, Martin Sebor <msebor@gmail.com> wrote:
>
> On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
> > On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
> >>
> >> Hi -
> >>
> >>> git pull from the GCC and Glibc repos is failing for me with the error
> >>> below. It worked fine last week and I haven't made any changes to my
> >>> ssh keys.
> >>
> >> And are you logging in from the same workstation with access to the same
> >> set of ssh private keys?
> >>
> >>> Is this a transient glitch or has something changed recently that I
> >>> need to make some adjustments for?
> >>
> >> I know of nothing relevant that has changed on the sourceware side.
> >>
> >>> sign_and_send_pubkey: signing failed: agent refused operation
> >>> msebor@gcc.gnu.org: Permission denied (publickey).
> >>> fatal: Could not read from remote repository.
> >>
> >> The usual advice is to run    % ssh -vv gcc.gnu.org alive
> >> and report the ssh level error.
> >>
> >> "agent refused operation" sounds like a problem on the client end.
> >
> > Yes, it is. "agent" refers to the ssh-agent program.
> >
> > Martin, what does 'ssh-add -l' show?
> >
> > Is there only one ssh-agent process shown by 'ps -ef | fgrep
> > [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
> >
> > Another possible cause is that the file permissions are not strict
> > enough on the private key, or on the ~/.ssh directory that contains
> > it. Key files should be 600 and ~/.ssh should be 700.
>
> We solved the problem over IRC last night so just to close the loop
> on it here: it turned out to be caused by Gnome keyring setting
> SSH_AUTH_SOCK=/run/user/1000/keyring/ssh. With the environment
> variable undefined I get prompted for the password as expected.

But that just means you're not using an agent, right?

Do you really want to enter a passphrase every time you connect to gcc.gnu.org?

Solving it by the GNOME keyring would match Jim's suggestion that the
GNOME keyring won't use your key.

You could generate a new 4K key that GNOME keyring will accept, upload
the public key to gcc.gnu.org, and use that instead. Then you could
use the keyring as your agent.

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-02 21:52 UTC
To: Jonathan Wakely
Cc: Overseers mailing list, Frank Ch. Eigler, gcc mailing list

On 6/2/20 2:43 PM, Jonathan Wakely wrote:
> On Tue, 2 Jun 2020 at 21:26, Martin Sebor <msebor@gmail.com> wrote:
>>
>> On 6/1/20 1:12 PM, Jonathan Wakely via Overseers wrote:
>>> On Mon, 1 Jun 2020 at 19:11, Frank Ch. Eigler via Gcc <gcc@gcc.gnu.org> wrote:
>>>>
>>>> Hi -
>>>>
>>>>> git pull from the GCC and Glibc repos is failing for me with the error
>>>>> below. It worked fine last week and I haven't made any changes to my
>>>>> ssh keys.
>>>>
>>>> And are you logging in from the same workstation with access to the same
>>>> set of ssh private keys?
>>>>
>>>>> Is this a transient glitch or has something changed recently that I
>>>>> need to make some adjustments for?
>>>>
>>>> I know of nothing relevant that has changed on the sourceware side.
>>>>
>>>>> sign_and_send_pubkey: signing failed: agent refused operation
>>>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>>>> fatal: Could not read from remote repository.
>>>>
>>>> The usual advice is to run    % ssh -vv gcc.gnu.org alive
>>>> and report the ssh level error.
>>>>
>>>> "agent refused operation" sounds like a problem on the client end.
>>>
>>> Yes, it is. "agent" refers to the ssh-agent program.
>>>
>>> Martin, what does 'ssh-add -l' show?
>>>
>>> Is there only one ssh-agent process shown by 'ps -ef | fgrep
>>> [s]sh-agent'? Does its PID match $SSH_AGENT_PID?
>>>
>>> Another possible cause is that the file permissions are not strict
>>> enough on the private key, or on the ~/.ssh directory that contains
>>> it. Key files should be 600 and ~/.ssh should be 700.
>>
>> We solved the problem over IRC last night so just to close the loop
>> on it here: it turned out to be caused by Gnome keyring setting
>> SSH_AUTH_SOCK=/run/user/1000/keyring/ssh. With the environment
>> variable undefined I get prompted for the password as expected.
>
> But that just means you're not using an agent, right?

It just means I know what's causing the problem. Until just now
I haven't thought about how to deal with it in a smarter way than
by remembering to run ssh-add either first, or when I see the error.

>
> Do you really want to enter a passphrase every time you connect to gcc.gnu.org?

Ideally, I'd prefer never to have to enter it but until that happy
day comes I'll settle for just typing it in once a day.

>
> Solving it by the GNOME keyring would match Jim's suggestion that the
> GNOME keyring won't use your key.
>
> You could generate a new 4K key that GNOME keyring will accept, upload
> the public key to gcc.gnu.org, and use that instead. Then you could
> use the keyring as your agent.

I just saw Jim's email. I'll see if going to 4k keys works.

Thanks
Martin

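[Added example, not part of the thread.] The client-side checks raised in the messages above (which agent SSH_AUTH_SOCK points at, whether that agent holds a key, and the 700/600 permissions) collected into one script. The function names are made up for this example, and the gpg-agent and ssh-agent socket patterns are assumed common defaults; only the keyring path appears in the thread.

```shell
#!/bin/sh
# Added example: local checks for "agent refused operation".

# Guess which program owns the agent socket from its path.  Only the
# keyring path comes from the thread; the other patterns are assumed
# defaults and may need adjusting for the local system.
agent_kind() {
    case "$1" in
        "")                       echo "none" ;;
        */keyring/ssh)            echo "gnome-keyring" ;;
        */gnupg/S.gpg-agent.ssh)  echo "gpg-agent" ;;
        */ssh-*/agent.*)          echo "openssh-ssh-agent" ;;
        *)                        echo "unknown" ;;
    esac
}

# Print the directory and every private key file in it (id_* without
# .pub) that has any group/other permission bit set, i.e. is looser
# than 700 for the directory or 600 for a key file.
loose_perms() {
    for f in "$1" "$1"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "$f"
    done
}

# Summarise the agent in use, whether it holds a key, and permissions.
client_report() {
    echo "agent socket: ${SSH_AUTH_SOCK:-<unset>} ($(agent_kind "${SSH_AUTH_SOCK:-}"))"
    if [ -n "${SSH_AUTH_SOCK:-}" ] && command -v ssh-add >/dev/null 2>&1; then
        rc=0
        ssh-add -l >/dev/null 2>&1 || rc=$?
        case "$rc" in
            0) echo "agent holds at least one key" ;;
            1) echo "agent reachable but holds no keys (run ssh-add)" ;;
            *) echo "cannot talk to the agent behind SSH_AUTH_SOCK" ;;
        esac
    fi
    loose_perms "$1" | sed 's/^/permissions too open: /'
}

client_report "${HOME:-.}/.ssh"
```
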
* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-01 19:14 UTC
To: Frank Ch. Eigler, Overseers mailing list
Cc: gcc mailing list

On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> Hi -
>
>> git pull from the GCC and Glibc repos is failing for me with the error
>> below. It worked fine last week and I haven't made any changes to my
>> ssh keys.
>
> And are you logging in from the same workstation with access to the same
> set of ssh private keys?

Yes.

>
>> Is this a transient glitch or has something changed recently that I
>> need to make some adjustments for?
>
> I know of nothing relevant that has changed on the sourceware side.
>
>> sign_and_send_pubkey: signing failed: agent refused operation
>> msebor@gcc.gnu.org: Permission denied (publickey).
>> fatal: Could not read from remote repository.
>
> The usual advice is to run    % ssh -vv gcc.gnu.org alive
> and report the ssh level error.
>
> "agent refused operation" sounds like a problem on the client end.

Until last week, when I ran git pull from the GCC or Glibc repo
I'd get prompted for my password. I'd either type it in or hit
ctrl-C, enter ssh-add, and start over.

After deleting ~/.ssh/known_hosts to resolve the problem I asked
about last week (Re: ssh key conflicts), I'm no longer prompted
for my password. Instead, I get the error above.

Both of these are new (I think since the recent server changes). Now
that I've seen it and know what to expect I can adjust to it but it
seems like things have gotten worse. Certainly the errors I got
in both instances (i.e., last week as well as today) are not helpful.

I captured the ssh -vv gcc.gnu.org output below for a successful
invocation and a failed one if that sheds more light on why it's
failing in (to me) a mysterious way.

Successful authentication:

debug1: Will attempt key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Will attempt key: /home/msebor/.ssh/id_ecdsa
debug1: Will attempt key: /home/msebor/.ssh/id_ed25519
debug1: Will attempt key: /home/msebor/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Authentication succeeded (publickey).
Authenticated to gcc.gnu.org ([8.43.85.97]:22).

Failed authentication (after ssh-add -D):

debug1: Will attempt key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug1: Will attempt key: /home/msebor/.ssh/id_ecdsa
debug1: Will attempt key: /home/msebor/.ssh/id_ed25519
debug1: Will attempt key: /home/msebor/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/msebor/.ssh/id_rsa RSA SHA256:law7uJ+wmAP4krZHnB0tLJ8M+ySmMCclh7mRB9Dlja4 agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Trying private key: /home/msebor/.ssh/id_ecdsa
debug1: Trying private key: /home/msebor/.ssh/id_ed25519
debug1: Trying private key: /home/msebor/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
msebor@gcc.gnu.org: Permission denied (publickey).

Martin

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Jonathan Wakely @ 2020-06-01 19:25 UTC
To: Martin Sebor
Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
>
> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> > Hi -
> >
> >> git pull from the GCC and Glibc repos is failing for me with the error
> >> below. It worked fine last week and I haven't made any changes to my
> >> ssh keys.
> >
> > And are you logging in from the same workstation with access to the same
> > set of ssh private keys?
>
> Yes.
>
> >
> >> Is this a transient glitch or has something changed recently that I
> >> need to make some adjustments for?
> >
> > I know of nothing relevant that has changed on the sourceware side.
> >
> >> sign_and_send_pubkey: signing failed: agent refused operation
> >> msebor@gcc.gnu.org: Permission denied (publickey).
> >> fatal: Could not read from remote repository.
> >
> > The usual advice is to run    % ssh -vv gcc.gnu.org alive
> > and report the ssh level error.
> >
> > "agent refused operation" sounds like a problem on the client end.
>
> Until last week, when I ran git pull from the GCC or Glibc repo
> I'd get prompted for my password. I'd either type it in or hit
> ctrl-C, enter ssh-add, and start over.
>
> After deleting ~/.ssh/known_hosts to resolve the problem I asked
> about last week (Re: ssh key conflicts), I'm no longer prompted
> for my password. Instead, I get the error above.

Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
user? The ssh client (or the agent) will try to create
~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
is not writable that will fail.

> Both of these are new (I think since the recent server changes). Now

The host key did change after the server upgrade, that's expected. The
other problem is not caused by the server.

> that I've seen it and know what to expect I can adjust to it but it
> seems like things have gotten worse. Certainly the errors I got
> in both instances (i.e., last week as well as today) are not helpful.

SSH errors usually aren't.

> I captured the ssh -vv gcc.gnu.org output below for a successful
> invocation and a failed one if that sheds more light on why it's
> failing in (to me) a mysterious way.

The failed attempt shows that your public key is offered to the
server, and the server says it will accept it (meaning it matches a
~/.ssh/authorized_keys entry on the server) but then your client
refuses to use that key.

Check your ~/.ssh and ~/.ssh/id_rsa* permissions.

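[Added example, not part of the thread.] A small triage of `ssh -vv` output that separates the case described in the message above (the server accepts the offered key, then local signing fails) from a server-side rejection. The sample log lines are constructed, and the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: triage of `ssh -vv` publickey authentication output.
# ssh writes its debug lines to stderr, so capture them with e.g.
#   ssh -vv gcc.gnu.org alive 2> ssh.log ; sh triage.sh ssh.log

# Read ssh -vv output on stdin and print "<verdict> <key path>":
#   success                  server accepted the key and the signature
#   client-agent-refused     server accepted the key, local signing failed
#   accepted-but-unfinished  server accepted the key, no signature was sent
#   server-rejected-key      key was offered, server never accepted it
#   no-key-offered           the client offered no key at all
triage_ssh_log() {
    awk '
        /^debug1: Offering public key: / { offered = $5; accepted = "" }
        /^debug1: Server accepts key: /  { accepted = $5 }
        /^sign_and_send_pubkey: signing failed/ {
            # Only a client-side refusal if the server had already said yes.
            if (accepted != "") refused = accepted
        }
        /^debug1: Authentication succeeded \(publickey\)/ {
            ok = 1
            okkey = (accepted != "") ? accepted : offered
        }
        END {
            if (ok)                  print "success", okkey
            else if (refused != "")  print "client-agent-refused", refused
            else if (accepted != "") print "accepted-but-unfinished", accepted
            else if (offered != "")  print "server-rejected-key", offered
            else                     print "no-key-offered"
        }'
}

# Constructed sample: same shape as a failed run, placeholder names.
sample_failed_log() {
cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
user@host.example: Permission denied (publickey).
EOF
}

# Constructed sample: same shape as a successful run.
sample_ok_log() {
cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED agent
debug1: Authentication succeeded (publickey).
EOF
}

if [ "$#" -gt 0 ]; then
    triage_ssh_log < "$1"
else
    sample_failed_log | triage_ssh_log
fi
```
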
* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-01 19:46 UTC
To: Jonathan Wakely
Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On 6/1/20 1:25 PM, Jonathan Wakely wrote:
> On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
>>
>> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
>>> Hi -
>>>
>>>> git pull from the GCC and Glibc repos is failing for me with the error
>>>> below. It worked fine last week and I haven't made any changes to my
>>>> ssh keys.
>>>
>>> And are you logging in from the same workstation with access to the same
>>> set of ssh private keys?
>>
>> Yes.
>>
>>>
>>>> Is this a transient glitch or has something changed recently that I
>>>> need to make some adjustments for?
>>>
>>> I know of nothing relevant that has changed on the sourceware side.
>>>
>>>> sign_and_send_pubkey: signing failed: agent refused operation
>>>> msebor@gcc.gnu.org: Permission denied (publickey).
>>>> fatal: Could not read from remote repository.
>>>
>>> The usual advice is to run    % ssh -vv gcc.gnu.org alive
>>> and report the ssh level error.
>>>
>>> "agent refused operation" sounds like a problem on the client end.
>>
>> Until last week, when I ran git pull from the GCC or Glibc repo
>> I'd get prompted for my password. I'd either type it in or hit
>> ctrl-C, enter ssh-add, and start over.
>>
>> After deleting ~/.ssh/known_hosts to resolve the problem I asked
>> about last week (Re: ssh key conflicts), I'm no longer prompted
>> for my password. Instead, I get the error above.
>
> Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
> user? The ssh client (or the agent) will try to create
> ~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
> is not writable that will fail.

~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
Everything works fine if I add my key by running ssh-add. What's
not so great is the errors I get when I forget to do that: "agent
refused operation?"

>
>> Both of these are new (I think since the recent server changes). Now
>
> The host key did change after the server upgrade, that's expected. The
> other problem is not caused by the server.
>
>> that I've seen it and know what to expect I can adjust to it but it
>> seems like things have gotten worse. Certainly the errors I got
>> in both instances (i.e., last week as well as today) are not helpful.
>
> SSH errors usually aren't.
>
>> I captured the ssh -vv gcc.gnu.org output below for a successful
>> invocation and a failed one if that sheds more light on why it's
>> failing in (to me) a mysterious way.
>
> The failed attempt shows that your public key is offered to the
> server, and the server says it will accept it (meaning it matches a
> ~/.ssh/authorized_keys entry on the server) but then your client
> refuses to use that key.
>
> Check your ~/.ssh and ~/.ssh/id_rsa* permissions.

They're all rw by the owner only. Nothing has changed on my end
(except that I removed/recreated ~/.ssh/known_hosts to avoid some
mysterious problems last week).

I have it working now so I don't want to use up too much of anyone
else's time trying to debug things.
It just feels like too much of a coincidence that I started having
these problems only after the recent server upgrade. If something
jumps out at someone as a problem or missing setting on the server
end, tweaking that to improve things going forward that would be
great. Otherwise, let's just chalk it up to the usual joys of
upgrading to "new and improved" versions of software.

Martin

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Frank Ch. Eigler @ 2020-06-01 19:53 UTC
To: Martin Sebor
Cc: Jonathan Wakely, Overseers mailing list, gcc mailing list

Hi -

> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
> Everything works fine if I add my key by running ssh-add. What's
> not so great is the errors I get when I forget to do that: "agent
> refused operation?"

Yeah, there is something odd on your side. Maybe your ssh client is
unable to find the right private key - maybe it's named non-default?
If so, add it to your .ssh/config

Host gcc.gnu.org sourceware.org
   IdentityFile ~/.ssh/id_XYZ

> It just feels like too much of a coincidence that I started having
> these problems only after the recent server upgrade. [...]

I'm afraid it does look like a coincidence.

- FChE

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Martin Sebor @ 2020-06-01 22:33 UTC
To: Frank Ch. Eigler
Cc: Jonathan Wakely, Overseers mailing list, gcc mailing list

On 6/1/20 1:53 PM, Frank Ch. Eigler wrote:
> Hi -
>
>> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
>> Everything works fine if I add my key by running ssh-add. What's
>> not so great is the errors I get when I forget to do that: "agent
>> refused operation?"
>
> Yeah, there is something odd on your side. Maybe your ssh client is
> unable to find the right private key - maybe it's named non-default?
> If so, add it to your .ssh/config
>
> Host gcc.gnu.org sourceware.org
>    IdentityFile ~/.ssh/id_XYZ
>
>> It just feels like too much of a coincidence that I started having
>> these problems only after the recent server upgrade. [...]
>
> I'm afraid it does look like a coincidence.

So it sounds like you wouldn't expect the "agent refused operation"
error either, and it's not just a poor error message that I should
learn to live with. That makes me think I should try to figure out
what's wrong. I think the ~/.ssh/ contents are pretty standard:

$ ls -l ~/.ssh/
total 32
-rw-------. 1 msebor msebor  998 Jan  3  2019 authorized_keys
-rw-------. 1 msebor msebor 1381 Jan  3  2019 id_dsa
-rw-------. 1 msebor msebor  603 Jan  3  2019 id_dsa.pub
-rw-------. 1 msebor msebor 1876 Dec 18  2018 id_rsa
-rw-------. 1 msebor msebor  395 Dec 18  2018 id_rsa.pub
-rw-------. 1 msebor msebor  187 Jun  1 13:41 known_hosts

I'm not a Git or ssh power user so I don't change default settings
unless I absolutely have to. It's also been a while since I updated
my workstation so I can't think of anything that could be behind
this. Do you have any suggestions what else to look at?

Martin

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Jim Wilson @ 2020-06-02 20:00 UTC
To: Martin Sebor
Cc: Frank Ch. Eigler, gcc mailing list, Overseers mailing list

On Mon, Jun 1, 2020 at 3:33 PM Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
> So it sounds like you wouldn't expect the "agent refused operation"
> error either, and it's not just a poor error message that I should
> learn to live with. That makes me think I should try to figure out
> what's wrong. I think the ~/.ssh/ contents are pretty standard:

My experience with Ubuntu 18.04 is that 2K bit keys aren't accepted by
something (gnome UI?) anymore. I had to upgrade to 4K bit keys.
Though oddly ssh-keygen still generates 2K bit keys by default even
though they won't be accepted by the gnome UI (or whatever).

The workaround is to run ssh-add manually to register your 2K bit key,
because ssh-add will still accept 2K bit keys, and then ssh will work,
and can be used to install a 4K bit public key on the other side, and
then things will work normally again.

A web search suggested that there was some security problem with 2K
bit keys and apparently they are trying to force people to upgrade,
but the inconsistent approach here between different packages makes
this confusing as to what is actually going on.

Jim

* Re: sign_and_send_pubkey: signing failed: agent refused operation
From: Jonathan Wakely @ 2020-06-01 22:30 UTC
To: Martin Sebor
Cc: Frank Ch. Eigler, Overseers mailing list, gcc mailing list

On Mon, 1 Jun 2020 at 20:46, Martin Sebor <msebor@gmail.com> wrote:
>
> On 6/1/20 1:25 PM, Jonathan Wakely wrote:
> > On Mon, 1 Jun 2020 at 20:16, Martin Sebor via Gcc <gcc@gcc.gnu.org> wrote:
> >>
> >> On 6/1/20 12:10 PM, Frank Ch. Eigler wrote:
> >>> Hi -
> >>>
> >>>> git pull from the GCC and Glibc repos is failing for me with the error
> >>>> below. It worked fine last week and I haven't made any changes to my
> >>>> ssh keys.
> >>>
> >>> And are you logging in from the same workstation with access to the same
> >>> set of ssh private keys?
> >>
> >> Yes.
> >>
> >>>
> >>>> Is this a transient glitch or has something changed recently that I
> >>>> need to make some adjustments for?
> >>>
> >>> I know of nothing relevant that has changed on the sourceware side.
> >>>
> >>>> sign_and_send_pubkey: signing failed: agent refused operation
> >>>> msebor@gcc.gnu.org: Permission denied (publickey).
> >>>> fatal: Could not read from remote repository.
> >>>
> >>> The usual advice is to run    % ssh -vv gcc.gnu.org alive
> >>> and report the ssh level error.
> >>>
> >>> "agent refused operation" sounds like a problem on the client end.
> >>
> >> Until last week, when I ran git pull from the GCC or Glibc repo
> >> I'd get prompted for my password. I'd either type it in or hit
> >> ctrl-C, enter ssh-add, and start over.
> >>
> >> After deleting ~/.ssh/known_hosts to resolve the problem I asked
> >> about last week (Re: ssh key conflicts), I'm no longer prompted
> >> for my password. Instead, I get the error above.
> >
> > Is ~/.ssh/known_hosts no longer present? Is ~/.ssh writable by your
> > user? The ssh client (or the agent) will try to create
> > ~/.ssh/known_hosts if it doesn't exist, to add the host key. If ~/.ssh
> > is not writable that will fail.
>
> ~/.ssh/known_hosts exists and ~/.ssh is rwx only by the owner.
> Everything works fine if I add my key by running ssh-add. What's
> not so great is the errors I get when I forget to do that: "agent
> refused operation?"

Is $SSH_ASKPASS set in your environment? Does running the command it's
set to work?

Are you using the openssh agent, or something else like gpg-agent or
GNOME keyring?

It's not a server-side error though. The server can't prevent your
agent from prompting you for your key's passphrase.
