How to have ssh remember IDs permanently; ssh-agent start at login?

opensuse-tumbleweed 20260113
linux v6.18.5-1-default x86_64
gnome 49 wayland
OpenSSH_10.2p1, OpenSSL 3.5.3 16 Sep 2025

I had long ago (years) set up ssh for passwordless login. Recently that has stopped working, probably with OpenSSH v10. ssh connects with the remote system and prompts for a password. I had thought that the problem was with the original outdated key pair (RSA) created by the remote system. I re-created the pair (EDG), did the ssh incantations. No change.

If I run these commands in a terminal:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/name_of_id_file

passwordless login proceeds. Only in that terminal for that id.

More annoying is that the ssh-add id does not permanently store the id.

Two questions:

  1. How do I have an ssh-agent start at account/session login (not a terminal window)
  2. How do I have the ssh ids saved permanently?

On the client:
ssh-keygen
(do not add any password)
and

ssh-copy-id -p port on server name@server

I also add a config file in .ssh User home-directory on the client:

Host                        your name for a shortcut (I would not use any special character)
Hostname                    IP or Hostname of the server
Port                        ssh port of the server
User                        Username on the server you want to ssh.

Now you can use
ssh your name for a shortcut (I would not use any special character)

I was not clear. My cutesy bit “did the ssh incantations” did not convey that I had already done those steps. Everything is in place except that the IDs are not permanently recorded.

At this time ssh-agent must be manually started, and the IDs added with ssh-add id_key_name. After which passwordless login again works.

Note: I tried to add ssh-agent to the Startup Applications list. Gnome would not allow it.

With these steps I can passwordless login to my Server:

stephan@linux64:~> ssh-copy-id stephan@192.168.0.205
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/stephan/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
(stephan@192.168.0.205) Password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'stephan@192.168.0.205'"
and check to make sure that only the key(s) you wanted were added.

stephan@linux64:~> ssh stephan@192.168.0.205
Last login: Sat Jan 17 21:57:01 CET 2026 from 192.168.0.2 on ssh
Have a lot of fun...
stephan@qemu-tumbleweed:~> 

For me, this seems to work automatically if I use Gnome (which you say you are using).

When I give the passphrase for the key, there is a box “Automatically unlock this key”. If I check that box, then it remembers the passphrase for next time. Perhaps this doesn’t work if your system is setup to login without a password.

I have also problems getting transparent ssh working for my current PC to a new PC I am planning to go over. Both are running Tumbleweed.

I have transparent ssh working at my work and based on that I know that an ssh-agent is not needed. What is needed is that the local and the remote machine agree on which public-private pair to use.

To debug I typically run ssh -v and that gives:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/marel/.ssh/id_rsa 
debug1: Will attempt key: /home/marel/.ssh/id_ecdsa ECDSA SHA256:oDACT63IBjjNkd339MbVEwylwzEwa7rtBdbHpd8NIks
debug1: Will attempt key: /home/marel/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/marel/.ssh/id_ed25519 
debug1: Trying private key: /home/marel/.ssh/id_rsa
debug1: Offering public key: /home/marel/.ssh/id_ecdsa ECDSA SHA256:oDACT63IBjjNkd339MbV4idlwzEwa7rtBdbHpd8NIks
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/marel/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/marel/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive

So the client side (without an agent) is trying some default private keys. On both systems I have /home/marel/.ssh/id_ecdsa and /home/marel/.ssh/id_ecdsa.pub and that private key is offered but it is not successful.

I tried also ssh -vvv and that gives:

debug1: Offering public key: /home/emvee/.ssh/id_ecdsa ECDSA SHA256:oDACT63IBjjNkf539MbVEwylwzE4ibrtBdbHpd8NIks
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive

So it is the other side not accepting the key.

Instead of finding out how to stop sshd on the other side I did just run as root the ssh server on the other side on a different port:

# /usr/sbin/sshd -ddd -D -p 22222

That did not work out-of-the-box, after having a look at the client log I did do systemctl stop firewalld.service at the other side before re-running sshd and got at the server side:

debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user marel querying public key ecdsa-sha2-nistp521 AAAAE2VjZhLXNo...dJE2F== [preauth]
debug1: userauth_pubkey: publickey test pkalg ecdsa-sha2-nistp521 pkblob ECDSA SHA256:9MbVEwyl...wa7rtBdb [preauth]
debug3: mm_key_allowed: entering [preauth]
debug3: mm_request_send: entering, type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect: entering, type 23 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: ECDSA key is not allowed
Failed publickey for marel from 192.168.1.10 port 38736 ssh2: ECDSA SHA256:9MbVEwyl...wa7rtBdb

Just searching for “ECDSA key is not allowed” (with the quotes) gave me the hint I needed, authorized_keys.

Things work for me after:

> cat ~/.ssh/id_ecdsa.pub > ~/.ssh/authorized_keys
> chmod 600 ~/.ssh/authorized_keys

So I forgot about authorized_keys. Far from sure you have the same problem but just getting this output will give the info needed to solve almost all problems.

I tried adding the public key to authorized_keys. It made no difference.
I have the sense that something is missing or mis-configured in Gnome since all this worked for years.

This is the entry in .ssh/config for the remote site:

AddKeysToAgent yes
#
IdentityFile ~/.ssh/local_site_key
#
 host sohnen-moe.com
 Port 18765
 IdentityFile ~/.ssh/remote_site_key

 host *
 PreferredAuthentications publickey,password,keyboard-interactive
 IdentitiesOnly yes

I did get a debug (ssh -v) output for passwordless success and failure. The two outputs are identical up to a point; the first listing below is the same for the two outputs, followed by the different parts. Apparently ssh found an agent (that I had manually started) and keys (that I had manually added) for the successful passwordless login.

All this was very entertaining. And ultimately useless. To add a key requires a password. For the occasional remote login, it is not worth the effort. The effort is limited to a single terminal window and is erased when the window closes.

debug1: OpenSSH_10.2p1, OpenSSL 3.5.3 16 Sep 2025
debug1: Reading configuration data /home/jmoe/.ssh/config
debug1: /home/jmoe/.ssh/config line 8: Applying options for sohnen-moe.com
debug1: /home/jmoe/.ssh/config line 60: Applying options for *
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug1: /usr/etc/ssh/ssh_config line 30: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Reading configuration data /usr/etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/jmoe/.ssh/config
debug1: /home/jmoe/.ssh/config line 8: Applying options for sohnen-moe.com
debug1: /home/jmoe/.ssh/config line 60: Applying options for *
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug1: /usr/etc/ssh/ssh_config line 30: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Reading configuration data /usr/etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: Connecting to sohnen-moe.com [35.212.59.134] port 18765.
debug1: Connection established.
debug1: loaded pubkey from /home/jmoe/.ssh/sma-stn14l: ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A
debug1: identity file /home/jmoe/.ssh/sma-stn14l type 2
debug1: no identity pubkey loaded from /home/jmoe/.ssh/sma-stn14l
debug1: loaded pubkey from /home/jmoe/.ssh/siteground-sma: ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E
debug1: identity file /home/jmoe/.ssh/siteground-sma type 2
debug1: no identity pubkey loaded from /home/jmoe/.ssh/siteground-sma
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version OpenSSH
debug1: compat_banner: match: OpenSSH pat OpenSSH* compat 0x04000000
debug1: Authenticating to sohnen-moe.com:18765 as 'u773-jn2jmispsyv8'
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:i+KAcULq8yvDm4B9noJu/FGMLGBHTC5UJRf1yUJH+Jg
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[sohnen-moe.com]:18765' is known and matches the ED25519 host key.
debug1: Found key in /home/jmoe/.ssh/known_hosts:39
debug1: ssh_packet_send2_wrapped: resetting send seqnr 4
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 4
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512>
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey

The successful passwordless login:

debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit agent
debug1: Will attempt key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug1: Offering public key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit agent
debug1: Server accepts key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit agent
Authenticated to sohnen-moe.com ([35.212.59.134]:18765) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/jmoe/.ssh/known_hosts for [sohnen-moe.com]:18765 / (none)
debug1: client_input_hostkeys: searching /home/jmoe/.ssh/known_hosts2 for [sohnen-moe.com]:18765 / (none)
debug1: client_input_hostkeys: hostkeys file /home/jmoe/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /home/u773-jn2jmispsyv8/.ssh/authorized_keys:2 id='': key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/u773-jn2jmispsyv8/.ssh/authorized_keys:2 id='': key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env COLORTERM = "truecolor"
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: pledge: fork
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to sohnen-moe.com closed.
Transferred: sent 6940, received 8216 bytes, in 9.9 seconds
Bytes per second: sent 700.8, received 829.7
debug1: Exit status 0

At this point the session is logged into the remote system.

The password-required login:

debug1: Will attempt key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug1: Will attempt key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug1: Offering public key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug1: Server accepts key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit

At this point the session has a prompt requesting a password.

Did you do that on the server side and did you do a chmod 600 ~/.ssh/authorized_keys? Your successful password-less log shows that .ssh/authorized_keys:2 is used, that is good.

I have the sense that something is missing or mis-configured in Gnome since all this worked for years.

ssh has nothing to do with Gnome/KDE/XFCE etc.

This is the entry in .ssh/config for the remote site:

The remote site is the server, for connecting to the server .ssh/config is completely ignored, that is for ssh and not for sshd.

From your logs:

Good:

debug1: Offering public key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit agent
debug1: Server accepts key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit agent
Authenticated to sohnen-moe.com ([35.212.59.134]:18765) using "publickey".

Bad:

debug1: Will attempt key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug1: Offering public key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug1: Authentications that can continue: publickey

So in the bad case the good siteground-sma key is attempted but not offered, what this means is that the client side somehow decided that it was not good. I see in the good case also the word agent, not sure what to make of that.

Can you run the bad case with -vvv and share the output around the siteground-sma key? That might give hints on what is wrong on the client side.

Business as usual at Mistelberger Home Cloud

On Host erlangen I temporarily switched PasswordAuthentication from no to yes:

notebook:~ # ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 
Enter passphrase for "/root/.ssh/id_ed25519" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:QslMJ+R/D1XTp0l+S/GR25qg+AD4whmvt+Km9MXWX5c root@notebook
The key's randomart image is:
+--[ED25519 256]--+
|     .+ .     o..|
|     = +     ..=o|
|     .*     .o oB|
|    o...   .. +o+|
|   . =..S.o. ..+.|
|    +.ooo..o  oo |
|  .  o+ .o  o E  |
| . .+o.  ... .   |
|  .+oo..  .      |
+----[SHA256]-----+
notebook:~ # ssh-copy-id erlangen 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@erlangen's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'erlangen'"
and check to make sure that only the key(s) you wanted were added.

notebook:~ # ssh erlangen 
erlangen:~ # 

Switched again PasswordAuthentication from yes to no:

notebook:~ # Abgemeldet
Connection to notebook closed.
erlangen:~ # cat /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
ClientAliveInterval     300
ClientAliveCountMax     10
erlangen:~ # 

Query of how to clean up ~/.ssh shows:

Ah. I meant that is the entry in the local ~/.ssh/config that provides data for ssh to connect to the remote site.

Here is the current default response to adding a key:

$ ssh-add -i .ssh/siteground-sma
Could not open a connection to your authentication agent.

It is what started me on the quest for the missing agent.

I had thought I understood how ssh and Gnome interacted; I thought there was either ssh-agent or a compatible agent supplied by Gnome. I do not understand.

The only part that is obvious is the lack of an agent. There is no system service to start ssh-agent. Gnome does not allow it in its Startup Applications.

Can you run the bad case with -vvv and share the output around the siteground-sma key?

Here is the debug output from the point of connection.

debug1: Connection established.
debug1: loaded pubkey from /home/jmoe/.ssh/sma-stn14l: ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A
debug1: identity file /home/jmoe/.ssh/sma-stn14l type 2
debug1: no identity pubkey loaded from /home/jmoe/.ssh/sma-stn14l
debug1: loaded pubkey from /home/jmoe/.ssh/siteground-sma: ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E
debug1: identity file /home/jmoe/.ssh/siteground-sma type 2
debug1: no identity pubkey loaded from /home/jmoe/.ssh/siteground-sma
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version OpenSSH
debug1: compat_banner: match: OpenSSH pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sohnen-moe.com:18765 as 'u773-jn2jmispsyv8'
debug3: put_host_port: [sohnen-moe.com]:18765
debug3: record_hostkey: found key type ED25519 in file /home/jmoe/.ssh/known_hosts:39
debug3: record_hostkey: found key type RSA in file /home/jmoe/.ssh/known_hosts:40
debug3: load_hostkeys_file: loaded 2 keys from [sohnen-moe.com]:18765
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug2: bits set: 4018/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: receive packet: type 33
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:i+KAcULq8yvDm4B9noJu/FGMLGBHTC5UJRf1yUJH+Jg
debug3: put_host_port: [35.212.59.134]:18765
debug3: put_host_port: [sohnen-moe.com]:18765
debug3: record_hostkey: found key type ED25519 in file /home/jmoe/.ssh/known_hosts:39
debug3: record_hostkey: found key type RSA in file /home/jmoe/.ssh/known_hosts:40
debug3: load_hostkeys_file: loaded 2 keys from [sohnen-moe.com]:18765
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[sohnen-moe.com]:18765' is known and matches the ED25519 host key.
debug1: Found key in /home/jmoe/.ssh/known_hosts:39
debug2: bits set: 4137/8192
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 4
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug3: send packet: type 7
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 4
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug2: KEX algorithms: mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512>
debug3: kex_input_ext_info: extension publickey-hostbound@openssh.com
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug3: kex_input_ext_info: extension ping@openssh.com
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

Note: this is where the two previous logs went their different ways.

debug1: Will attempt key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug1: Will attempt key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /home/jmoe/.ssh/sma-stn14l ED25519 SHA256:2/Z3gXJL1t59asYS3fjdOgMAINxQlM1e4bn1+UwVM5A explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/jmoe/.ssh/siteground-sma ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E explicit
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E

I also ran -vvv on the passwordless success. These 3 lines make all the difference.

debug1: Next authentication method: publickey

debug3: ssh_get_authentication_socket_path: path '/home/jmoe/.ssh/agent/s.QCeyyzcZiJ.agent.1nAyGuCGyu'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 3 keys

Bonus data:

$ ll ~/.ssh/
drwx------ 1 jmoe users  348 Jan 17 12:56 agent/
-rw------- 1 jmoe users 1.4K Jan 18 17:05 authorized_keys
-rw------- 1 jmoe users 1.2K Oct  8 12:34 config
-rw------- 1 jmoe users  411 Oct 13 21:55 jmm-sma-stn14l
-rw-r--r-- 1 jmoe users  101 Oct 12  2024 jmm-sma-stn14l.pub
-rw------- 1 jmoe users  13K Dec  1 20:11 known_hosts
-rw------- 1 jmoe users  446 Nov 24 12:39 siteground-sma
-rw------- 1 jmoe users   81 Nov 24 12:40 siteground-sma.pub

I do not run an agent and everything is working for me after fixing authorized_keys.

The only benefit of ssh-agent is with private keys that have a password. The ssh-agent in this case means that you have to type the password only once.

debug1: loaded pubkey from /home/jmoe/.ssh/siteground-sma: ED25519 SHA256:hPFG1NrRT31SgeJT0h+pHnzkyIMYJe1uw/qT3UTsW4E
debug1: identity file /home/jmoe/.ssh/siteground-sma type 2
debug1: no identity pubkey loaded from /home/jmoe/.ssh/siteground-sma

no identity pubkey loaded means there is no siteground-sma.pub file, would be good to add that.

For the remainder, this log does not show the debug1 output you showed earlier, “Will attempt key/Offering public key”, what changed?

The siteground-sma.pub file does indeed exist, as shown in the directory listing. The file is not listed in the successful log either, yet the public key is used.

For the remainder, this log does not show the debug1 output you showed earlier, “Will attempt key/Offering public key”, what changed?

I do not know.
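The ssh -v traces compared in this thread can be read mechanically. The following is an added example, not part of any post: a small Python analyzer that walks the publickey phase and reports whether an agent answered, which keys the server rejected or accepted, and whether a key accepted from a file rather than from an agent left the login waiting on a local unlock of the private key. The sample logs, paths and fingerprints are constructed, and the diagnosis labels are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for the client-side debug1 lines that appear in `ssh -v` output.
OFFER = re.compile(r"Offering public key: (\S+) \S+ SHA256:\S+(.*)$")
ACCEPT = re.compile(r"Server accepts key: (\S+) ")
AGENT_N = re.compile(r"get_agent_identities: agent returned (\d+) keys")


@dataclass
class Offer:
    path: str
    from_agent: bool           # line ended in "... agent": key material lives in the agent
    verdict: str = "pending"   # pending | rejected | accepted


@dataclass
class AuthTrace:
    agent_keys: Optional[int] = None   # None: no agent answered; 0: agent reachable but empty
    offers: List[Offer] = field(default_factory=list)
    authenticated: bool = False
    diagnosis: str = "inconclusive"    # labels below are names chosen for this example


def analyze(log: str) -> AuthTrace:
    t = AuthTrace()
    for line in log.splitlines():
        m = AGENT_N.search(line)
        if m:
            t.agent_keys = int(m.group(1))
            continue
        if "agent contains no identities" in line:
            t.agent_keys = 0
            continue
        m = OFFER.search(line)
        if m:
            t.offers.append(Offer(m.group(1), "agent" in m.group(2).split()))
            continue
        m = ACCEPT.search(line)
        if m:
            for o in reversed(t.offers):
                if o.path == m.group(1):
                    o.verdict = "accepted"
                    break
            continue
        # The server answering with the list of remaining methods right after
        # an offer means that offer was refused.
        if "Authentications that can continue" in line:
            if t.offers and t.offers[-1].verdict == "pending":
                t.offers[-1].verdict = "rejected"
            continue
        if line.startswith("Authenticated to "):
            t.authenticated = True

    accepted = [o for o in t.offers if o.verdict == "accepted"]
    if t.authenticated:
        t.diagnosis = "ok"
    elif accepted and not accepted[-1].from_agent:
        # Server is happy with the public key; the client still has to sign
        # with the private key file. A protected key triggers a local prompt.
        t.diagnosis = "local-key-unlock"
    elif t.offers and all(o.verdict == "rejected" for o in t.offers):
        # Every offer refused: look at the server's authorized_keys.
        t.diagnosis = "server-rejected"
    return t


# Constructed sample traces (not copied from the thread).
NO_AGENT = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /home/user/.ssh/key_a ED25519 SHA256:CONSTRUCTED-A explicit
debug1: Will attempt key: /home/user/.ssh/key_b ED25519 SHA256:CONSTRUCTED-B explicit
debug1: Offering public key: /home/user/.ssh/key_a ED25519 SHA256:CONSTRUCTED-A explicit
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/key_b ED25519 SHA256:CONSTRUCTED-B explicit
debug1: Server accepts key: /home/user/.ssh/key_b ED25519 SHA256:CONSTRUCTED-B explicit
"""

WITH_AGENT = """\
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Offering public key: /home/user/.ssh/key_b ED25519 SHA256:CONSTRUCTED-B explicit agent
debug1: Server accepts key: /home/user/.ssh/key_b ED25519 SHA256:CONSTRUCTED-B explicit agent
Authenticated to host.example ([192.0.2.10]:22) using "publickey".
"""

NOT_AUTHORIZED = """\
debug1: Next authentication method: publickey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Offering public key: /home/user/.ssh/id_ecdsa ECDSA SHA256:CONSTRUCTED-C
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

if __name__ == "__main__":
    for name, log in [("no agent", NO_AGENT), ("with agent", WITH_AGENT),
                      ("not authorized", NOT_AUTHORIZED)]:
        r = analyze(log)
        print(name, r.agent_keys, [(o.path, o.verdict) for o in r.offers], r.diagnosis)
```
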

I am on OSL 15.6 (not using wayland!), and do not have experience with ssh-agent. Having ‘said’ that, maybe the following (old!) link has a clue (probably need to open that with Firefox due to #:~:text=usessh):

https://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02.html#:~:text=usessh

Also, probably /etc/X11/xdm/scripts/11-ssh-agent and /etc/X11/xdm/scripts/09-ssh-vars are required. Those are on OSL 15.6 part of the xdm rpm package, also on OSL 16.0 and TW but in directory /usr/etc/X11/xdm/scripts/ .

Perhaps installing xdm is enough (and logout, restart display-manager, login), perhaps usessh has to be set as well.

Kind regards,

Leen

Sorry for the noise.

I had success per https://documentation.suse.com/sles/15-SP6/html/SLES-all/cha-ssh.html#sec-ssh-authentic-agent

I followed the instructions for creating and editing ~/.xinitrc.

I created a new ssh-key with password with ssh-keygen (accepted the defaults and entered password). Copied the key to another PC with ssh-copy-id. Verified that I could login via the ssh-key.

ssh-keygen
ssh-copy-id leen@10.0.0.3
ssh leen@10.0.0.3
# ssh-key password entered

Subsequently:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

This time I could login without an ssh-key password. After logout and login I got a dialog window prompting me to enter the password for the ssh-key.

If you do not have ~/.xinitrc.template then cp -a /usr/libexec/xinit/xinitrc ~/.xinitrc
(on TW; has to be executable).

Kind regards,

Leen

You could make it X independent by adding it to ~/.profile or create some small bash script in ~/bin and adding that in your DE to autostart.