
ssh-agent does not accept all forwarded RSA keys on later versions.
Hello,

I've got a problem with newer versions of ssh-agent not accepting all keys
being forwarded to them.

Example:
LOCAL-WORKSTATION
ssh-add -l
4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017

BROKEN-REMOTE
ssh -A brokenHost
ssh-add -l
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020

Here only one key gets forwarded when there should be two. That's what the
problem is.

WORKING-REMOTE
ssh -A workingHost
ssh-add -l
4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U /home/matt/.ssh/id_rsa_embedded (RSA)
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017


So the problem appears to be that the newer version is not accepting all of
the forwarded keys. I'd like to troubleshoot this and/or file a bug report.
Can you guys point me in the right direction?


Regards
Matt
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-agent does not accept all forwarded RSA keys on later versions.
On Fri, 7 Aug 2020, Matt Schepers wrote:

> Hello,
>
> I've got a problem with newer versions of ssh-agent not accepting all keys
> being forwarded to them.
>
> Example:
> LOCAL-WORKSTATION
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
> BROKEN-REMOTE
> ssh -A brokenHost
> ssh-add -l
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
> Here only one key gets forwarded when there should be two. That's what the
> problem is.
>
> WORKING-REMOTE
> ssh -A workingHost
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
>
> So the problem appears to be that the newer version is not accepting all of
> the forwarded keys. I'd like to troubleshoot this and/or file a bug report.
> Can you guys point me in the right direction?

Could you post the entire key that is not being forwarded and not
just the fingerprint?

-d

Re: ssh-agent does not accept all forwarded RSA keys on later versions.
On Fri, 2020-08-07 at 11:54 -0600, Matt Schepers wrote:
> Hello,
>
> I've got a problem with newer versions of ssh-agent not accepting all
> keys
> being forwarded to them.
>
> Example:
> LOCAL-WORKSTATION
> ssh-add -l
> 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> /home/matt/.ssh/id_rsa_embedded (RSA)
> ssh -V
> OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017

What is the ssh-agent you are running on this machine? Is it stock ssh-
agent, gnome-keyring or some other implementation? You should get the
idea from the SSH_AUTH_SOCK environment variable.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.


Re: ssh-agent does not accept all forwarded RSA keys on later versions.
I am running gpg-agent locally. Two keys are served from gpg-agent: a
gpg-created ssh key and an ssh-keygen-created key stored in ~/.ssh/id_rsa. The
gpg-created key is the one that the remote agent wouldn't accept, and my
problem is that I wasn't really able to debug it.

By pure dumb luck I removed the package libpam-ssh and the problem
disappeared.

On Mon, Aug 10, 2020 at 12:55 AM Jakub Jelen <jjelen@redhat.com> wrote:

> On Fri, 2020-08-07 at 11:54 -0600, Matt Schepers wrote:
> > Hello,
> >
> > I've got a problem with newer versions of ssh-agent not accepting all
> > keys
> > being forwarded to them.
> >
> > Example:
> > LOCAL-WORKSTATION
> > ssh-add -l
> > 4096 SHA256:HFSzrozPapudofYJi8QvXQdA1/vNpFc2iPWH8CGVsEg (none) (RSA)
> > 2048 SHA256:lbjpmHAYtUO+zaLaKvWVxGNYkXRkOumcoOpLdRSVX/U
> > /home/matt/.ssh/id_rsa_embedded (RSA)
> > ssh -V
> > OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
>
> What is the ssh-agent you are running on this machine? Is it stock ssh-
> agent, gnome-keyring or some other implementation? You should get the
> idea from the SSH_AUTH_SOCK environment variable.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
>