You are not logged in.
After updating, I stopped being able to use SSH:
$ ssh home.me
sign_and_send_pubkey: signing failed for ED25519 "/home/me/.ssh/id_ed25519" from agent: agent refused operation
me@home.me: Permission denied (publickey).
The problem seems to be that SSH_AUTH_SOCK is set to something weird:
echo $SSH_AUTH_SOCK
/run/user/1000/gcr/ssh
I don't know what gcr is. I never installed it explicitly (but I see it's a hard dependency of other packages).
Looking at its units, it has:
/usr/lib/systemd/user/gcr-ssh-agent.socket:ExecStartPost=-/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gcr/ssh
And gcr-ssh-agent.socket is enabled by default:
● gcr-ssh-agent.service - GCR ssh-agent wrapper
Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.service; disabled; preset: enabled)
● gcr-ssh-agent.socket - GCR ssh-agent wrapper
Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.socket; enabled; preset: enabled)
I don't think Arch packages should enable things that break stuff by default.
Last edited by CyberShadow (2024-03-08 13:44:06)
Offline
Yes "should" …
https://wiki.archlinux.org/title/GNOME/ … #Setup_gcr but that's not your poblem: https://wiki.archlinux.org/title/SSH_ke … _operation
Offline
Yes, I disabled injecting DISPLAY into systemd unit environments. I run multiple display servers, so I don't want systemd units talking to some arbitrary one.
However, that misses the point: I don't want to use gcr as the SSH key agent at all. I want to use ssh-agent, which is what seems to be used when SSH_AUTH_SOCK is unset, and which works fine otherwise.
To illustrate:
$ ssh home.me
sign_and_send_pubkey: signing failed for ED25519 "/home/me/.ssh/id_ed25519" from a
me@home.me: Permission denied (publickey).
$ unset SSH_AUTH_SOCK
$ ssh home.me
Enter passphrase for key '/home/me/.ssh/id_ed25519':
You have new mail.
Last login: Fri Mar 8 08:26:32 2024
$
Last edited by CyberShadow (2024-03-08 14:30:16)
Offline
The agent issue is independent of gcr or whatever agent you use.
The preset value there is completey irrelevant unless you ever ran systemctl preset-all (what is not a good idea!)
https://bbs.archlinux.org/viewtopic.php?id=293001
How exactly do you start ssh-agent?
https://wiki.archlinux.org/title/SSH_keys#ssh-agent
If SSH_AUTH_SOCK is unset, ssh-agent won't work either.
The only question is what sets the SSH_AUTH_SOCK and the most likely answer is gnome-keyring?
Edit: w/o that variable you're just not using any agent.
Last edited by seth (2024-03-08 14:34:38)
Offline
The preset value there is completey irrelevant unless you ever ran systemctl preset-all (what is not a good idea!)
https://bbs.archlinux.org/viewtopic.php?id=293001
I see, thank you for the correction.
If SSH_AUTH_SOCK is unset, ssh-agent won't work either.
The only question is what sets the SSH_AUTH_SOCK and the most likely answer is gnome-keyring?
Edit: w/o that variable you're just not using any agent.
You're right! I got confused by also having ControlMaster enabled.
I found why it broke for me: I had
if [[ ! -v SSH_AUTH_SOCK && -v XDG_RUNTIME_DIR && -e "$XDG_RUNTIME_DIR"/ssh-agent.socket ]]
as the condition for setting SSH_AUTH_SOCK to the ssh-agent one. The condition fails now that SSH_AUTH_SOCK is being set by gcr.
Thank you for your help! So that just leaves the question, what is causing the gcr units to start?
Last edited by CyberShadow (2024-03-08 14:42:21)
Offline
The "problem" is that the socket is enabled and it apprently gets triggered by "something" - seems a new thing w/ https://archlinux.org/packages/extra/x86_64/gcr-4/
=>
systemctl --user mask gcr-ssh-agent.socket
Offline