ksshaskpass accepts my passphrase, but ssh-add apparently doesn't run

theillien · March 27, 2013, 9:49pm

I just updated to 12.3 from 12.1.

With 12.1 I have ksshaskpass configured to request my passphrase. After I enter it the application functions as expected by passing my passphrase to every system I remotely log into.

This isn’t the case with 12.3, though. ksshaskpass requests my passphrase, I enter it and it appears to be accepted. However, each system I remotely log into still asks for my passphrase.

I found the thread at https://forums.opensuse.org/english/get-technical-help-here/applications/479626-ksshaskpass-ssh-agent-not-working.html which shed some light on the issue. That being that if I manually run ssh-add I am then able to remotely log into each server cleanly without needing to re-enter my passphrase.

The suggestion made by nrickert was less helpful. I added the entries to my .profile as was suggested, but this did not help. Specifically, my .profile seems to be getting overridden by the system variable which is set to /usr/lib/ssh/ssh-askpass instead of what I set (again, per the suggestion: /usr/lib/ssh/ksshaskpass). I suspect that is playing a big part in this.

ssh-agent is starting as per my .bash_profile:


SSH_ENV="$HOME/.ssh/environment"

function start_agent {
     echo "Initialising new SSH agent..."
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
     /usr/bin/ssh-add;
}


# Source SSH settings, if applicable


if  -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" > /dev/null
     #ps ${SSH_AGENT_PID} doesn't work under cywgin
     ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
         start_agent;
     }
else
     start_agent;
fi

Can anyone shed any light on this issue for me? Is it a known problem with KDE 4.10? Is there a solution that I just haven’t been able to find?

nrickert · March 27, 2013, 10:13pm

Try something like:


SSH_ASKPASS=/usr/lib/ssh/ksshaskpass
export SSH_ASKPASS

in your “.bashrc”

theillien · March 28, 2013, 12:01am

Hello nrickert. I tried as you suggested and found that I am still prompted for my passphrase when I attempt to connect to another system. Only after I run ssh-add and enter my passphrase for that do I no longer have to do so on each remote server.

There appears to be a disconnect between ksshaskpass and ssh-add.

theillien · March 28, 2013, 12:46am

One thing I’ve found is that if I force ssh-add to start by using an Autostart script I am prompted for my passphrase by ksshaskpass a second time after my desktop has loaded (the first is after I’ve logged in and before my desktop loads; when my environment files are read). Doing this works. I enter my passphrase and I’m able to log into remote servers without being prompted for my passphrase.

The problem is, I am now required to enter my passphrase twice. First when I log in and again when the Autostart script is executed. The script code I added to my initial post runs from my .bash_profile. It executes ssh-add which is why I’m asked for my passphrase immediately after login and before my desktop loads. If I comment out the line that executes ssh-add I’m only asked once: after my desktop loads. Unfortunately, this doesn’t help. I’m still asked for my passphrase when logging into a remote server.

I feel I’m technically correct in that ssh-add is the culprit. However, it seems that the initial execution doesn’t cache my passphrase as it should rather than ksshaskpass having a disconnect from ssh-add as I initially thought. The second execution appears to be the trigger that caches my passphrase.

nrickert · March 28, 2013, 1:26am

I normally use “ssh-add” from a command line, once per login session. So I am not doing it the same way that you are.

However:

If I set
SSH_ASKPASS=/usr/lib/ssh/ksshaskpass
in my environment, and if I run “ssh-add” from a GUI (not sure if that is possible), or if I use


ssh-add keyname < /dev/null

in a terminal, then ksshaskpass prompts for the passphrase on the first attempt, then remembers that in kwallet. On future occasions ssh-add (with the input redirection) will get the answer from kwallet.

If I use ssh-add at the command line, and don’t do input redirection, I am prompted at the command line.

In any case, here is the biggest difference between what you are doing and what I am doing:

You are starting “ssh-agent” from your bash profile. I am not. Maybe see what happens without that.

For me, I see ssh-agent being automatically started, without my having to do anything. I think it is started as long as I have a “.ssh” directory.

What I think is happening for you, is that ssh-agent is being started twice and each of the ssh-agent processes is prompting for a key. Hence the double key.

I’m mostly guessing. You will have to experiment to check that.

theillien · March 28, 2013, 1:47am

What I’ve discovered since my last post:

using kwallet and setting the SSH_ASKPASS variable and running ssh-add both in the same Autostart file works. The problem I have with this is that I’m still entering two credentials.
setting the SSH_ASKPASS variable and running ssh-add both in the same Autostart file without kwallet also works. I am able to enter my passphrase once and not be required to enter it again. The only difference between this method and the method I used with 12.1 is that on 12.1 I was asked for my passphrase as soon as I logged in. This method asks for it after my desktop loads.

My Autostart file:


#!/bin/bash
export SSH_ASKPASS=/usr/lib/ssh/ksshaskpass
ssh-add </dev/null