user key functionality fails about ssh-tpm-agent HOT 18 CLOSED

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to host.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 pat OpenSSH compat 0x04000000
debug1: Authenticating to host.local:22 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: [email protected] SHA256:iGzYgFr/JRzCihim3zMWen3u0ojubmc/6hKXVLwNWik, serial 3256976221391840967 ID "host@domain" CA ecdsa-sha2-nistp256 a certificate...
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host.local' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Next authentication method: password

from ssh-tpm-agent.

How are you running ssh-tpm-agent and what does the ssh config look like?

from ssh-tpm-agent.

For ssh-tpm agent, its socket-activated right now, but, both the activation socket and the service have been active the whole time I've been testing. plus, I also shut down the service and socket and ran ssh-tpm-agent in the foreground as well, making sure to rerun export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)" each time.
ssh config looks like this:

Include /etc/ssh/ssh_config.d/*.conf

Host *
    IdentityAgent /run/user/1000/ssh-tpm-agent.sock
    IdentityFile ~/.ssh/id_ecdsa.pub
    IdentitiesOnly yes
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    ```

from ssh-tpm-agent.

I've also just tested commented out the IdentityAgent, and correcting the IdentityAgent line to match "$(ssh-tpm-agent --print-socket)" but this has made no difference

from ssh-tpm-agent.

Can you run ssh-tpm-agent with -d and paste if there is any debug logs being printed?

from ssh-tpm-agent.

fwiw, It's uncertain to me how /etc/ssh/ssh_config/*.conf is being read versus .ssh/config. So try both?

from ssh-tpm-agent.

well i think both confs are read because that just causes it to fail twice:
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to host.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 pat OpenSSH compat 0x04000000
debug1: Authenticating to host.local:22 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: [email protected] SHA256:iGzYgFr/JRzCihim3zMWen3u0ojubmc/6hKXVLwNWik, serial 3256976221391840967 ID "host@domain" CA ecdsa-sha2-nistp256 SHA256:LBSH9xW9n9/2J9nWgBmkqYH6O3x0PD+4xlMSBJTCUEc valid from 2023-06-20T05:01:31 to 2123-05-27T05:02:31
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host.local' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_get_authentication_socket: Connection refused
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Next authentication method: password

from ssh-tpm-agent.

output of ssh-tpm-agent -d

time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Warning: ssh-tpm-agent is meant to run as a background daemon."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Running multiple instances is likely to lead to conflicts."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Consider using a systemd service."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Listening on socket" path=/run/user/1000/keyring/ssh
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="called loadkeys"
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/config
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/id_ecdsa.pub
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="added TPM key" name=/home/user/.ssh/id_ecdsa.tpm
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/known_hosts
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/known_hosts.old

from ssh-tpm-agent.

Hmm, why does it say path=/run/user/1000/keyring/ssh? Which version are you running?

from ssh-tpm-agent.

v0.2.0 release
its always said that. but, it correctly reports it with ssh-tpm-agent --print-socket and the environment var says the same thing.

from ssh-tpm-agent.

Could you triple check that the socket is created at the correct location?

from ssh-tpm-agent.

well, there is a socket named ssh there, but in the parent directory, /run/user/1000/ there is a socket called ssh-tpm-agent.sock

from ssh-tpm-agent.

ok. its working! I have to manually ssh-tpm-agent -l /run/user/1000/ssh-tpm-agent.sock
and change the value in the config file to match it. definitely seems to be a bug though.

from ssh-tpm-agent.

I suspect you have SSH_AUTH_SOCK set somewhere which points /keyring/ssh. Is that correct?

from ssh-tpm-agent.

from my testing it appears that this is the path that ssh-tpm-agent selects when i do not pass it an -l parameter. SSH_AUTH_SOCK gets set this way BY doing
export SSH_AUTH_SOCK=$(ssh-tpm-agent --print-socket)
UNLESS I manually launch ssh-tm-agent in the foreground with the correct parameter.
As soon as I finish writing this comment I will modify the unit file with this correct parameter as well, but as of right now, if I let the socket launch the service, then the socket path becomes /run/user/1000/keyring/ssh automatically

from ssh-tpm-agent.

There is something else setting that as your SSH_AUTH_SOCK env variable, then.

from ssh-tpm-agent.

yeah, looking at the unit file, its not possible for the outcome i am observing. I will update this thread when I find out what it is.

from ssh-tpm-agent.

I suspect adding a debug log meesage where it clearly states where it got the socket from would probably make this easier to debug.

from ssh-tpm-agent.