Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

Ángel González keisial at gmail.com
Wed Nov 5 06:45:41 EST 2014


Johannes Kastl wrote:
> On 03.11.2014 Johannes Kastl wrote:
>
>> I am trying to get ssh-add with the -c option to work. But I
>> always get this error:
>>> Agent admitted failure to sign using the key.
> Mark and Angel replied on and off the list, and both suggested that
> the SSH_ASKPASS variable is set wrong.
>
> I thought that these variables are for using *graphical* programs to
> ask for the passphrase. And on most of my machines, no X server is
> even installed. So I thought these variables are not necessary, and it
> does not matter if they are empty.
>
> As I replied to Angel, I would have thought that there is a fallback,
> but apparently this is not the case. Or it is not working.
There's no fallback.

> However, when I set SSH_ASKPASS to /usr/lib/ssh/ssh-askpass and the
> DISPLAY variable to 'foo', I still get the error.
/usr/lib/ssh/ssh-askpass is a graphical application, so it won't work
on the console.
Try using:

DISPLAY=foo SSH_ASKPASS=/bin/true ssh-agent bash
>  ssh-add -c /path/to/keyfile
>  ssh machine

This time it should work (works here). Using /bin/true means that it will always
answer "yes", but it is enough to show it is working. You should instead make a program
using getpass(2), or maybe a shell script that asks you.
The SSH_ASKPASS program should print the text written on stdin, and return the user's answer
on stdout (the agent will sign with the key if it is "yes" or an empty string).



> I noticed that on the one machine with the graphical gui, I get the
> prompt via kwallet (KDE's password safe), but it is enough to click OK
> to allow this request. But I had to unlock my password safe first.
I think you are not using ssh-agent but Kwallet (it can also serve as 
ssh agent).

> And the SSH_ASKPASS variable is set to /usr/lib/ssh/ssh-askpass on
> this machine. So maybe this is really just a prompt for machines with
> a running X server...
That is currently how it works. But the above hack should solve it :)


@openssh devs: Is there a reason not to fall back to getpass(2) ?


Best regards
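An added example, not part of the thread and not OpenSSH's own code: a console replacement for the /bin/true hack above. It relies on two facts about ssh-agent's askpass handling: the confirmation prompt arrives as the program's first argument and the answer is taken from its stdout, with "yes" or an empty line allowing the signature and anything else, or a non-zero exit, refusing it. Because the agent detaches from the terminal it was started from, the script talks to the device named in ASKPASS_TTY, an environment variable chosen for this example and passed through the agent's environment, e.g. `ASKPASS_TTY=$(tty) DISPLAY=foo SSH_ASKPASS=/usr/local/bin/askpass-tty ssh-agent bash`. The sample answers fed in below are constructed for illustration.

```shell
#!/bin/sh
# askpass-tty: console SSH_ASKPASS helper (added example, not from the thread).
# ssh-agent invokes it as:  askpass-tty "Allow use of key /path/to/keyfile?"
# and captures stdout, so nothing but the answer may be written there; the
# prompt itself goes to the terminal named in ASKPASS_TTY (our own variable).

# ask_confirm PROMPT INPUT_DEVICE OUTPUT_DEVICE
#   Shows PROMPT on OUTPUT_DEVICE, reads one line from INPUT_DEVICE, and
#   prints "yes" on stdout (exit 0) only for an explicit yes. Anything else,
#   including an empty line or EOF, is a refusal (exit 1, nothing on stdout).
#   Note the deliberate difference from the agent's own rule: the agent treats
#   an empty answer as "yes", which is exactly why /bin/true allows everything.
ask_confirm() {
    prompt=$1
    in_dev=$2
    out_dev=$3

    printf '%s\nAllow this signature? [yes/NO] ' "$prompt" > "$out_dev" 2>/dev/null

    # No readable terminal (agent started without ASKPASS_TTY, tty closed,
    # EOF): fail closed rather than silently approving.
    if ! IFS= read -r answer < "$in_dev"; then
        return 1
    fi

    case "$answer" in
        yes|YES|Yes|y|Y)
            printf 'yes\n'
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# Only act when ssh-agent actually hands us a prompt; with no argument the
# file merely defines ask_confirm (so it can be sourced or tested).
if [ -n "${1-}" ]; then
    tty_dev=${ASKPASS_TTY:-/dev/tty}
    ask_confirm "$1" "$tty_dev" "$tty_dev"
    exit $?
fi
```

The script must be executable and referenced by absolute path in SSH_ASKPASS, and with the OpenSSH of the thread's era DISPLAY must be non-empty (any value) or the agent never runs it at all. Later OpenSSH releases (8.4 and newer) added SSH_ASKPASS_REQUIRE=force, which makes the agent use SSH_ASKPASS without the fake DISPLAY.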
