Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

Ángel González keisial at gmail.com
Tue Nov 4 09:26:36 EST 2014


On 03/11/14 20:14, Johannes Kastl wrote:
> Good evening,
>
> sorry if this is the wrong list, I found none that seemed to fit better.
It's the right list.


> I am trying to get ssh-add with the -c option to work. But I always
> get this error:
>> Agent admitted failure to sign using the key.
> But to start from the beginning.
>
> #################################
>
> On my linux machines (e.g. laptops, ...) I can login without an X
> session started/used. (...)
(and instead of asking for confirmation, agent requests fail)

> So, I'm puzzled. And I do not know how to debug this. Or where to
> start. Or if I understood something completely wrong about the -c option.
>
> Any hints, tips, tricks are highly appreciated. If you need more
> information, please don't hesitate to ask.
>
> Thanks in advance.


The reason is hidden inside ssh-add(1):
> -c Indicates that added identities should be subject to confirmation 
> before being used for authentication. Confirmation is performed by the 
> SSH_ASKPASS program
> mentioned below. Successful confirmation is signaled by a zero exit 
> status from the SSH_ASKPASS program, rather than text entered into the 
> requester.

> DISPLAY and SSH_ASKPASS
> If ssh-add needs a passphrase, it will read the passphrase from the 
> current terminal if it was run from a terminal. If ssh-add does not 
> have a terminal associated with it but DISPLAY and SSH_ASKPASS are 
> set, it will execute the program specified by SSH_ASKPASS and open an 
> X11 window to read the passphrase. This is particularly useful when 
> calling ssh-add from a .xsession or related script. (Note that on some 
> machines it may be necessary to redirect the input from /dev/null to 
> make this work.)


The man page mixes the request for the key password and the confirmation
prompt, and it can be hard to notice, but ssh-agent is calling the X
program defined by the SSH_ASKPASS variable (defaulting to ssh-askpass). As
you are using a virtual terminal, you don't have an X11 connection where
you could be prompted, and thus the agent automatically rejects the signing.
(confirm_key → ask_permission → read_passphrase(, RP_USE_ASKPASS)
[ssh-agent.c:202, readpass.c:180,144])

What you can do is to set SSH_ASKPASS to a cli program that requests the
confirmation. You will also need to set DISPLAY to some dummy value,
since $SSH_ASKPASS won't even be called if the DISPLAY variable is not set.
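As an added illustration of that workaround (this is not code from the thread or from OpenSSH), here is a minimal terminal askpass helper. ssh-agent runs the $SSH_ASKPASS program with the prompt text as its first argument and, for a confirmation, only looks at the exit status: zero confirms, anything else rejects. One caveat the helper has to deal with: a detached ssh-agent has no controlling terminal, so /dev/tty is not usable from its children; the script therefore takes the terminal to prompt on from an environment variable named SSH_ASKPASS_TTY (an assumed name, not an OpenSSH one) that you export before starting the agent, and it fails closed when no usable terminal is found. The env var name and script path in the usage comments are assumptions. Newer OpenSSH releases (8.4 and later) also accept SSH_ASKPASS_REQUIRE=force, which calls the askpass program without requiring DISPLAY; the helper works the same way there.

```shell
#!/bin/sh
# Added example, not code from the thread: a terminal askpass helper for
# ssh-agent's "-c" confirmation prompt. ssh-agent runs $SSH_ASKPASS with the
# prompt text as its first argument and treats a zero exit status as
# "confirmed"; any non-zero status rejects the signing request.
#
# A detached ssh-agent has no controlling terminal, so the helper is told
# which terminal to use through SSH_ASKPASS_TTY (an assumed name, exported
# before the agent is started so the agent passes it on), falling back to
# /dev/tty when the agent was started in the foreground.

# Map a typed answer to an exit status. Only an explicit yes confirms, so an
# empty line, end-of-file or a typo rejects the request (fail closed).
askpass_decide() {
    case "$1" in
        y|Y|yes|Yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Show the prompt on the chosen terminal, read one line from it, and return
# the decision. Nothing is written to stdout: ssh-agent ignores the text for
# a confirmation and only looks at the exit status.
askpass_prompt() {
    prompt=${1:-"Allow use of the key?"}
    tty=${SSH_ASKPASS_TTY:-/dev/tty}
    if [ ! -r "$tty" ] || [ ! -w "$tty" ]; then
        # No usable terminal: reject rather than hang or silently approve.
        return 1
    fi
    printf '\n%s [y/N] ' "$prompt" > "$tty"
    IFS= read -r answer < "$tty" || answer=""
    askpass_decide "$answer"
}

# ssh-agent always supplies a prompt argument; with no argument the file only
# defines the functions, so it can be sourced and tested without a terminal.
if [ "$#" -gt 0 ]; then
    askpass_prompt "$1"
    exit "$?"
fi

# Usage (assumed install path and env var name), typed in the virtual
# terminal before the agent is started so the agent inherits the settings:
#   export SSH_ASKPASS_TTY="$(tty)"
#   export SSH_ASKPASS=/usr/local/bin/askpass-tty.sh
#   export DISPLAY=dummy:0        # any value; the agent only checks it is set
#   eval "$(ssh-agent -s)"
#   ssh-add -c ~/.ssh/id_ed25519  # each later signing request prompts on $(tty)
```

Because the prompt appears on whichever terminal SSH_ASKPASS_TTY names, the confirmation only protects you if that terminal is one you are actually sitting at; if the session that started the agent goes away, the helper finds no readable terminal and rejects every request, which is the safe default.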

Another solution would be to change openssh to fall back to getpass(1)
for ask_permission requests if $DISPLAY is not available, but given that
the code explicitly checks that, the developers may have reasons for not
doing that (the prompts would appear on the screen where the agent was
originally launched, which, depending on what is running there now, can
get messy, but that seems better than not allowing ssh-add -c at all).

Best regards


More information about the openssh-unix-dev mailing list