I have a secure shell connection set up to a server. The server is configured to require public key authentication. The client uses gpg-agent for ssh connections with the pinentry programme.
The server is running Fedora 21. The client is running Arch. Secure shell connections started to be refused today after I installed the upgrades associated with the ABI changes to gcc last night.
This is the output I get when attempting to connect using ssh -v <hostalias>:
OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for hostalias
debug1: /etc/ssh/ssh_config line 32: Applying options for *
debug1: Connecting to XXX.XXX.XXX.X [XXX.XXX.XXX.X] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to XXX.XXX.XXX.X:22 as 'username'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:XXXLONGSTRINGXXX
debug1: Host 'XXX.XXX.XXX.X' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/username/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Trying private key: /home/username/.ssh/id_dsa
debug1: Trying private key: /home/username/.ssh/id_ecdsa
debug1: Trying private key: /home/username/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
I know that it is somehow not finding or not using my key, but I am not sure what is wrong because I don't understand this well enough. My guess is that it is somehow not using gpg-agent or that gpg-agent is somehow failing to request a password from me, but I don't completely understand the output and I'm not sure what has gotten messed up.
ps shows that gpg-agent is running:
4589 ? Ss 0:00 gpg-agent --homedir /home/username/.gnupg --use-standard-socket --daemon
This is controlled by a file in /etc/profile.d which contains this:
if [ `whoami` != "root" ]
then
/usr/bin/gpg-connect-agent /bye
fi
SSH connections are configured partly in /etc/ssh/ssh_config:
# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# ref.: https://wiki.archlinux.org/index.php/Ssh
# host description
Host hostalias
HostName XXX.XXX.XXX.X
Host XXX.XXX.XXX.X
AddressFamily inet
Compression yes
ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# ref.: https://wiki.archlinux.org/index.php/SSH#Keep_alive
ServerAliveInterval 120
The socket etc. seems to be set up for ssh in my GPG home:
drwx------ 10 username username 4.0K Rha 12 03:57 ./
drwx------ 97 username username 12K Rha 12 03:16 ../
-rw-r--r-- 1 username username 0 Tach 30 2014 .gpg-v21-migrated
srwxr-xr-x 1 username username 0 Maw 24 2015 S.dirmngr=
srwxr-xr-x 1 username username 0 Rha 12 02:26 S.gpg-agent=
srwxr-xr-x 1 username username 0 Rha 12 02:26 S.gpg-agent.ssh=
srwxr-xr-x 1 username username 0 Rha 12 02:54 S.scdaemon=
drwx------ 2 username username 4.0K Rha 31 2014 crls.d/
-rw------- 1 username username 483 Gor 4 2004 db.gpg
drwx------ 2 username username 4.0K Rha 31 2014 dirmngr-cache.d/
-rw-r--r-- 1 username username 568 Rha 12 03:12 gpg-agent.conf
-rw-r--r-- 1 username username 8.3K Rha 31 2014 gpg.conf
drwx------ 2 username username 4.0K Tach 30 2014 private-keys-v1.d/
-rw-r--r-- 1 username username 5.3M Maw 24 2015 pubring.kbx
-rw------- 1 username username 600 Maw 24 2015 random_seed
-rw------- 1 username username 143 Med 13 2012 sshcontrol
-rw------- 1 username username 1.3K Maw 24 2015 trustdb.gpg
-rw------- 1 username username 0 Rha 13 2004 trustedkeys.gpg
and the permissions look OK, I think, as they do on the ssh directory:
drwx------ 2 username username 4.0K Maw 18 2015 ./
drwx------ 97 username username 12K Rha 12 03:16 ../
-rw------- 1 username username 1.8K Med 11 2012 id_rsa
-rw-r--r-- 1 username username 403 Med 11 2012 id_rsa.pub
-rw-r--r-- 1 username username 395 Tach 8 2013 known_hosts
GPG_TTY and SSH_AUTH_SOCK are set in the environment:
GPG_TTY=/dev/pts/9
SSH_AUTH_SOCK=/home/username/.gnupg/S.gpg-agent.ssh
and tty returns
/dev/pts/9
However, I do not get a pin entry dialogue or any other indication that my password is required to authorise use of my private key.
I discovered that gpg-agent.conf still listed pinentry-qt4, so I changed that to pinentry-qt, but I'm not certain that's the problem.
I've also tried rebooting the machine, just in case.
I'm convinced that I'm missing something absolutely obvious and just cannot see it. Could somebody tell me what the problem is or what I should be trying in order to figure that out myself?
EDIT
I said I was missing the obvious. I guess I muddled the order somehow and must have altered the config file after rebooting and failed to run
echo RELOADAGENT | gpg-connect-agent
Apologies for the noise.
Last edited by cfr (2015-12-12 04:47:15)
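The failure pattern in the transcript above (server accepts the RSA key, no signature follows, ssh falls through to the other identity files) is what a stale gpg-agent.conf produces when the agent has not been told to reload. The script below is an added example, not from the post or from GnuPG, that checks the pieces involved offline: SSH_AUTH_SOCK pointing at S.gpg-agent.ssh, the socket existing, enable-ssh-support set, and the pinentry-program path being executable. The demo paths and the stale pinentry name are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the
# gpg-agent-as-ssh-agent setup discussed above. Paths are placeholders.

# Print the pinentry-program value from a gpg-agent.conf (empty if unset).
conf_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Classify an `ssh -v` transcript. "accepted-not-signed" is the pattern in
# the post: the server accepted the public key but no signature followed,
# so the agent never produced one (no pinentry, stale config, key absent).
classify_ssh_log() {
    if grep -q 'Authentication succeeded (publickey)' "$1"; then
        echo "signed"
    elif grep -q 'Server accepts key' "$1" && grep -q 'Permission denied (publickey)' "$1"; then
        echo "accepted-not-signed"
    else
        echo "unknown"
    fi
}

# Check that GnuPG home, socket path and pinentry agree; returns 0 only when
# nothing is wrong, otherwise prints each finding together with its remedy.
check_agent_setup() {
    home=$1; sock=$2; rc=0
    [ "$sock" = "$home/S.gpg-agent.ssh" ] ||
        { echo "SSH_AUTH_SOCK=$sock, expected $home/S.gpg-agent.ssh"; rc=1; }
    [ -S "$sock" ] || { echo "no agent socket at $sock (is gpg-agent running?)"; rc=1; }
    grep -q '^enable-ssh-support' "$home/gpg-agent.conf" 2>/dev/null ||
        { echo "enable-ssh-support missing from $home/gpg-agent.conf"; rc=1; }
    pe=$(conf_pinentry "$home/gpg-agent.conf" 2>/dev/null)
    if [ -n "$pe" ] && [ ! -x "$pe" ]; then
        echo "pinentry-program $pe is not executable;" \
             "fix gpg-agent.conf, then run: echo RELOADAGENT | gpg-connect-agent"
        rc=1
    fi
    return $rc
}

# Stand-alone demo on a constructed GnuPG home with a stale pinentry path.
demo_dir=$(mktemp -d)
printf 'enable-ssh-support\npinentry-program /usr/bin/pinentry-qt4-stale\n' \
    > "$demo_dir/gpg-agent.conf"
printf 'debug1: Server accepts key: pkalg ssh-rsa blen 279\n%s\n' \
    'Permission denied (publickey).' > "$demo_dir/ssh.log"
echo "ssh -v verdict: $(classify_ssh_log "$demo_dir/ssh.log")"
check_agent_setup "$demo_dir" "$demo_dir/S.gpg-agent.ssh" || echo "setup needs fixing"
rm -rf "$demo_dir"
```

Run it against the real home with `check_agent_setup ~/.gnupg "$SSH_AUTH_SOCK"`; after any edit to gpg-agent.conf the RELOADAGENT step is what makes the new pinentry take effect.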