Login always fails in password-less mode:
sign_and_send_pubkey: signing failed: agent refused operation
Refused because the keys are not loaded.
The recommended procedure is to run “ssh-add”. DOES NOT WORK. Even if the credentials are added, they disappear when ssh-agent is terminated when logging off the terminal making the effort useless.
Is there a way to have ssh-agent load at boot time? Is this a sensible question?
I have searched for a solution. They have all recommended some variation of the above steps. Apparently I have found another way to fail.
An important aspect (I think): the server has never loaded a desktop since it has booted. Only remote ssh connections.
What is missing on the server side that prevents the operation?
Either you are confused or you need to explain what you are actually trying to do. For public key authentication no server-side agent is ever needed. An agent on the server may refuse to accept keys from the client, but that is already after having logged in.
You need “ssh-agent” to be running on the client. But it is probably already running, started by your desktop startup.
On the server, you need “$HOME/.ssh/authorized_keys”. That’s the “$HOME” for the user you will login to. And that file should contain the public key (the contents of “filename.pub”) for the key that you just created.
The recommended procedure is to run “ssh-add”. DOES NOT WORK. Even if the credentials are added, they disappear when ssh-agent is terminated when logging off the terminal making the effort useless.
Here, I’m not sure what you are doing. But it looks as if you are starting a new “ssh-agent” for each terminal session. And when that terminal session goes, you lose reference to the key that you added.
Normally, you want “ssh-agent” to be started at desktop startup. And then it will be shared by all child processes. So when you open a terminal, it will access “ssh-agent” that is already running.
Is there a way to have ssh-agent load at boot time? Is this a sensible question?
No, it isn’t a sensible question. You want it to be started at login rather than at boot. That’s because it is for a specific user.
In my experience, if using X11 then “ssh-agent” is started on login, provided that $HOME/.ssh already exists. If using Plasma5 over Wayland, then it is not started, but there is a configuration setting to start it. I think it is started with Gnome over Wayland, but I don’t use that much so my memory might be shaky.
Apparently I have found another way to fail.
It looks that way. But we will get you going.
An important aspect (I think): the server has never loaded a desktop since it has booted. Only remote ssh connections.
That should not matter, if I understand what you are doing.
The public/private key pair that you created is on the client, not on the server. So it is on the client that you need to have “ssh-agent” running. But you do need a copy of the public key (but not the private key) on the server. That’s what goes in the “.ssh/authorized_keys” file.
I hope that helps. Your post is a bit confusing, so I might have misunderstood some details.
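The server-side half described above (a correct authorized_keys for the login user, no agent involved) is the one thing that has to be right on the server. The script below is an added example, not code from this thread or from any of its posters: it checks a user's ~/.ssh/authorized_keys the way sshd's StrictModes (the default) does, using a constructed sample key. The sample key, the function names, the demo() helper and the choice of accepted key types are this example's assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the server-side half of public-key login,
# ~/.ssh/authorized_keys for the user you log in as. It mirrors what sshd
# enforces with StrictModes (the default): home, ~/.ssh and the file itself
# must not be group/other writable, and each non-comment line must carry a
# recognised key type followed by a base64 key blob. Syntax only: it does
# not verify that the blob is a real key.

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Key types sshd accepts, optionally preceded by options such as from="..."
# (the regex only requires the type to start at a field boundary).
KEY_RE='(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'

# check_authorized_keys HOME_DIR -> exit status 0 if sshd would use the file.
check_authorized_keys() {
    home_dir="$1"
    ssh_dir="$home_dir/.ssh"
    keys="$ssh_dir/authorized_keys"
    [ -d "$ssh_dir" ] || { echo "missing $ssh_dir" >&2; return 1; }
    [ -f "$keys" ]    || { echo "missing $keys" >&2; return 1; }
    for p in "$home_dir" "$ssh_dir" "$keys"; do
        m=$(printf '%04d' "$(mode_of "$p")")
        # last two octal digits are group and other; a set w bit (2) in either is fatal
        case "$m" in
            *[2367][0-9]|*[0-9][2367])
                echo "$p is group/other writable (mode $m); sshd will ignore $keys" >&2
                return 1 ;;
        esac
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq "$KEY_RE" \
            || { echo "unparseable line in $keys: $line" >&2; return 1; }
        n=$((n + 1))
    done < "$keys"
    [ "$n" -gt 0 ] || { echo "$keys has no keys" >&2; return 1; }
    echo "$keys: $n key(s), permissions OK"
}

# Constructed sample entry (not a real key); the trailing comment is the name
# that "ssh-add -l" and the .pub file show for the key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA jmoe@sma-station14l'

# demo: build a throwaway home directory, check it, then break the permissions.
demo() {
    h=$(mktemp -d)
    mkdir -m 700 "$h/.ssh"
    printf '%s\n' '# work laptop' "$SAMPLE_KEY" \
        "from=\"192.0.2.0/24\",no-agent-forwarding $SAMPLE_KEY" > "$h/.ssh/authorized_keys"
    chmod 600 "$h/.ssh/authorized_keys"
    check_authorized_keys "$h"
    chmod 770 "$h/.ssh"                  # group-writable: sshd would now refuse it
    check_authorized_keys "$h" || echo "(that failure is the expected one)"
    rm -rf "$h"
}
demo
```

Run it against the real account with check_authorized_keys /home/user on the SSH server; a permissions failure here is the usual reason a key that "should work" silently falls back to password authentication.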
I think it would help to stop referring to your server as such; it may be a server of some sort, but the SSH agent is used on a client in an SSH client/server interaction, so make sure you are not confusing the two.
If you want to connect via SSH from an SSH client to an SSH server, and you are doing what you are doing on the SSH client side, then that sounds okay, but you are not yet running ssh-add to actually add a given key into your agent (unless you omitted that step), and that is important. The agent runs well enough, but until you give it keys, and enter passphrases for them as necessary, so it can use them when requested, your subsequent ssh client connections will have no keys to use.
You can also test with using the -i option to point directly to a private key file when making the SSH connection, e.g.:
ssh -i ~/.ssh/id_rsa-newkey user@ssh-server.tld
Good luck.
You have not said what desktop you are using. For Gnome (and XFCE, perhaps MATE), the desktop actually uses the Gnome “seahorse” application in place of ssh-agent. And with seahorse, “ssh-add” lists all of the keys that it knows about, even if you have not added a key. It prompts for a password as needed.
Okay, just checked. In KDE, when I use “ssh-add -D” it does remove the keys. And “ssh-add -l” shows no keys.
With Gnome, ssh-add -l shows several keys even before I use “ssh-add” to add keys. Specifically, it lists keys that are in my “.ssh” directory. But they don’t actually work until I add that key.
So I must add them every time I log in locally? (Hmm. Something new for .bashrc?)
You have not said what desktop you are using.
Gnome
With Gnome, ssh-add -l shows several keys even before I use “ssh-add” to add keys. Specifically, it lists keys that are in my “.ssh” directory. But they don’t actually work until I add that key.
The keys listed in the previous message do not exist in .ssh/. They may be leftovers from a previous attempt to get this to work. In any case there is no .ssh/jmoe@sma-station14l file for “ssh-add -d” to remove. Or they are used by some other part of security.
Actually, no. You can let Gnome remember them. But this works best if you do not use auto-login. And the key needs to be one that is listed by “ssh-add -l”.
In that case, don’t use “ssh-add” to add the key. Just make the ssh connection. And a Gnome applet should prompt you for the key. And there is a box where you can tell it to remember. It will save in the Gnome keyring, and it will be available after login.
Whether that’s a wise security choice is your decision.
The keys listed in the previous message do not exist in .ssh/. They may be leftovers from a previous attempt to get this to work. In any case there is no .ssh/jmoe@sma-station14l file for “ssh-add -d” to remove. Or they are used by some other part of security.
It might remember the names of keys that you have used previously. In any case, it probably won’t be “.ssh/jmoe@sma-station14l”. It will be “.ssh/somefile.pub” and if you list that file content you will see a “jmoe@sma-station14l” as a comment near the end of the line.
You must not. Nobody forces you to use SSH agent. You apparently misunderstand what “passwordless login” means in the case of SSH. It does mean that you do not transmit your password to the remote site. It does not mean that you never use a passphrase to unlock your private key (assuming it is protected in the first place).
If you want to use an agent - yes. SSH agent (or any other implementation that offers the same interface) is just a run-time cache which allows you to avoid unlocking your key every time. You still need to unlock your key at least once when you are adding it to the agent. And when SSH agent terminates, any cached decrypted key is gone (hopefully).
Keeping unlocked keys across agent restart obviously defeats the whole point of having them encrypted with passphrase. In this case you can just as well simply remove passphrase and spare the whole hassle.
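The two points made in this thread fit together: one agent per login session that every terminal shares (rather than a fresh agent per terminal, which is what loses the keys), while the decrypted key still lives only in that agent's memory and has to be re-added after a reboot or when its lifetime expires. The script below is an added example of that arrangement for a client without a desktop; it is not code from the thread or from any poster. The ~/.ssh/agent.env path, the 8-hour key lifetime and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: keep ONE ssh-agent per user and let every later login shell
# attach to it, instead of spawning a fresh agent (and losing the loaded keys)
# with each terminal. Keys still live only in the agent's memory: a reboot, or
# the key lifetime expiring, means running "ssh-add" once more. The env-file
# path and the function names are this example's choices, nothing from the thread.

AGENT_ENV="${HOME}/.ssh/agent.env"   # assumption: where the agent's socket/pid are remembered
AGENT_KEY_LIFETIME="8h"               # assumption: keys added to this agent expire after 8h

# agent_env_from_output: reduce ssh-agent's "VAR=value; export VAR;" output to
# plain VAR=value lines that can be sourced later.
agent_env_from_output() {
    sed -n -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/SSH_AUTH_SOCK=\1/p' \
           -e 's/^SSH_AGENT_PID=\([^;]*\);.*/SSH_AGENT_PID=\1/p'
}

# agent_alive: 0 if $SSH_AUTH_SOCK reaches a running agent. "ssh-add -l" exits
# 1 when the agent is reachable but holds no keys, and 2 when no agent answers.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    if ssh-add -l >/dev/null 2>&1; then
        return 0
    else
        [ $? -ne 2 ]
    fi
}

# ensure_agent: reuse the saved agent if it is still running, otherwise start a
# new one and save its socket and pid. Idempotent, so it is safe in ~/.profile.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        export SSH_AUTH_SOCK SSH_AGENT_PID
    fi
    agent_alive && return 0
    mkdir -p "${HOME}/.ssh"
    # keep the file private; the subshell confines the umask change to this command
    ( umask 077; ssh-agent -s -t "$AGENT_KEY_LIFETIME" | agent_env_from_output > "$AGENT_ENV" )
    . "$AGENT_ENV"
    export SSH_AUTH_SOCK SSH_AGENT_PID
    agent_alive
}

# Typical use, assuming this file is saved as ~/.ssh/agent.sh:
#   in ~/.profile:        . "$HOME/.ssh/agent.sh" && ensure_agent
#   once after a reboot:  ssh-add ~/.ssh/id_ed25519     (asks for the passphrase)
#   any later terminal:   ssh-add -l shows the key; ssh user@host needs no prompt
```

Because ensure_agent only starts an agent when the saved one no longer answers, logging out of one terminal does not discard the keys; killing the agent (ssh-agent -k), rebooting, or the lifetime running out does, which is the behaviour the passphrase is there to provide.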