Package: gnome-keyring
Version: 3.20.1-1
Severity: important

Hi.

Seems gnome-keyring somehow breaks my SSH logins.

I have a number of different public keys in ~/.ssh/ and since I've added another one, logins to all nodes that worked previously now fail.

As soon as I unset SSH_AUTH_SOCK, which is set to /run/user/1000/keyring/ssh, which in turn seems to be managed by gnome-keyring (or isn't it?) everything works again.

ssh with debug info shows the problem:

$ ssh -v someHost
OpenSSH_7.5p1 Debian-5, OpenSSL 1.0.2l 25 May 2017
debug1: Reading configuration data /home/calestyo/.ssh/config
debug1: /home/calestyo/.ssh/config line 22: Applying options for someHost
debug1: /home/calestyo/.ssh/config line 145: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug1: /etc/ssh/ssh_config line 7: Deprecated option "useroaming"
/etc/ssh/ssh_config line 141: Unsupported option "rsaauthentication"
debug1: Control socket "/home/calestyo/.ssh/channel-mux/foo_root@someHost:22" does not exist
debug1: Connecting to kronecker [2a01:snipsnap] port 22.
debug1: Connection established.
debug1: identity file /home/calestyo/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Debian-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Debian-5
debug1: match: OpenSSH_7.5p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to kronecker:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:snipsnap
debug1: Host 'kronecker' is known and matches the ED25519 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:18
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/calestyo/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo+VNC@snipsnap
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo@snipsnap
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo@snipsnap
Received disconnect from 2a01:snipsnap port 22:2: Too many authentication failures

It simply tries the wrong keys, not sure why it does that, but ssh_config has a clearly defined order of which keys should be tried and apparently with the gnome-keyring as agent, this somehow doesn't work,... even worse, it presents keys which were never added to the agent (neither where I'd have logged in since system start).

When nothing special is specified in ssh_config, then the default for IdentityFile, that is "~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa" must be used.

btw: Even manually adding the key fails:

$ ssh-add .ssh/id_ed25519
Could not add identity ".ssh/id_ed25519": communication with agent failed

So seems something is pretty wrong with the agent.

Cheers,
Chris.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-keyring depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.10.20-1
ii  dbus-x11 [dbus-session-bus]                   1.10.20-1
ii  dconf-gsettings-backend [gsettings-backend]   0.26.0-2+b1
ii  gcr                                           3.20.0-5.1
ii  libc6                                         2.24-12
ii  libcap-ng0                                    0.7.7-3+b1
ii  libcap2-bin                                   1:2.25-1
ii  libgck-1-0                                    3.20.0-5.1
ii  libgcr-base-3-1                               3.20.0-5.1
ii  libgcrypt20                                   1.7.8-2
ii  libglib2.0-0                                  2.52.3-1
ii  p11-kit                                       0.23.7-3
ii  pinentry-gnome3                               1.0.0-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.20.1-1

gnome-keyring suggests no packages.

-- no debconf information
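
Added example, not part of the original report and not gnome-keyring or OpenSSH code: a small triage script for `ssh -v` output in the OpenSSH 7.5 format shown in the report. It lists which loaded identity files were never offered before the server disconnected and which offers were labelled only by a key comment. The sample log is constructed (placeholder user, host and address), and treating a non-path label as an agent-supplied key is a heuristic assumption.

```python
import re

# Constructed sample: shortened log in the same format as the report,
# with user, key comments and address replaced by placeholders.
SAMPLE_LOG = """\
debug1: identity file /home/user/.ssh/id_ed25519 type 4
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: user+VNC@example
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: user@example
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: user@example
Received disconnect from 2001:db8::1 port 22:2: Too many authentication failures
"""

# Line formats as printed by the client version in the report (OpenSSH 7.5).
IDENTITY_RE = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
OFFER_RE = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")

def analyze(log):
    """Summarise which keys the client offered before the session ended."""
    loaded, offers, exhausted = [], [], False
    for line in log.splitlines():
        line = line.strip()
        ident = IDENTITY_RE.match(line)
        offer = OFFER_RE.match(line)
        if ident and ident.group(2) != "-1":   # type -1: no key loaded from that path
            loaded.append(ident.group(1))
        elif offer:
            offers.append(offer.group(2))
        elif "Too many authentication failures" in line:
            exhausted = True
    # Heuristic (assumption): an offer labelled by a path matches an identity
    # file; an offer labelled by a comment is a key known only to the agent.
    return {
        "offered": len(offers),
        "agent_only": [o for o in offers if not o.startswith("/")],
        "never_offered": [p for p in loaded if p not in offers],
        "tries_exhausted": exhausted,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
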

