Comments (18)
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to host.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 pat OpenSSH compat 0x04000000
debug1: Authenticating to host.local:22 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: [email protected] SHA256:iGzYgFr/JRzCihim3zMWen3u0ojubmc/6hKXVLwNWik, serial 3256976221391840967 ID "host@domain" CA ecdsa-sha2-nistp256 a certificate...
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host.local' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Next authentication method: password
from ssh-tpm-agent.
How are you running ssh-tpm-agent
and what does the ssh config look like?
from ssh-tpm-agent.
For ssh-tpm agent, its socket-activated right now, but, both the activation socket and the service have been active the whole time I've been testing. plus, I also shut down the service and socket and ran ssh-tpm-agent in the foreground as well, making sure to rerun export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"
each time.
ssh config looks like this:
Include /etc/ssh/ssh_config.d/*.conf
Host *
IdentityAgent /run/user/1000/ssh-tpm-agent.sock
IdentityFile ~/.ssh/id_ecdsa.pub
IdentitiesOnly yes
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected]
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
```
from ssh-tpm-agent.
I've also just tested commented out the IdentityAgent, and correcting the IdentityAgent line to match "$(ssh-tpm-agent --print-socket)" but this has made no difference
from ssh-tpm-agent.
Can you run ssh-tpm-agent
with -d
and paste if there is any debug logs being printed?
from ssh-tpm-agent.
fwiw, It's uncertain to me how /etc/ssh/ssh_config/*.conf
is being read versus .ssh/config
. So try both?
from ssh-tpm-agent.
well i think both confs are read because that just causes it to fail twice:
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to host.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa.pub type 2
debug1: identity file /home/user/.ssh/id_ecdsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 pat OpenSSH compat 0x04000000
debug1: Authenticating to host.local:22 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: [email protected] SHA256:iGzYgFr/JRzCihim3zMWen3u0ojubmc/6hKXVLwNWik, serial 3256976221391840967 ID "host@domain" CA ecdsa-sha2-nistp256 SHA256:LBSH9xW9n9/2J9nWgBmkqYH6O3x0PD+4xlMSBJTCUEc valid from 2023-06-20T05:01:31 to 2123-05-27T05:02:31
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host.local' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_get_authentication_socket: Connection refused
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
debug1: Will attempt key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8 explicit
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Offering public key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
debug1: Server accepts key: /home/user/.ssh/id_ecdsa.pub ECDSA SHA256:knqCkI/B0kKcP+yut/cjZROmVFe1PzTdV2zNxjT8QY8
Load key "/home/user/.ssh/id_ecdsa.pub": error in libcrypto
debug1: Next authentication method: password
from ssh-tpm-agent.
output of ssh-tpm-agent -d
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Warning: ssh-tpm-agent is meant to run as a background daemon."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Running multiple instances is likely to lead to conflicts."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Consider using a systemd service."
time=2023-12-10T14:07:26.973-05:00 level=INFO msg="Listening on socket" path=/run/user/1000/keyring/ssh
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="called loadkeys"
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/config
time=2023-12-10T14:07:26.974-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/id_ecdsa.pub
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="added TPM key" name=/home/user/.ssh/id_ecdsa.tpm
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/known_hosts
time=2023-12-10T14:07:26.975-05:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/user/.ssh/known_hosts.old
from ssh-tpm-agent.
Hmm, why does it say path=/run/user/1000/keyring/ssh
? Which version are you running?
from ssh-tpm-agent.
v0.2.0 release
its always said that. but, it correctly reports it with ssh-tpm-agent --print-socket
and the environment var says the same thing.
from ssh-tpm-agent.
Could you triple check that the socket is created at the correct location?
from ssh-tpm-agent.
well, there is a socket named ssh there, but in the parent directory, /run/user/1000/ there is a socket called ssh-tpm-agent.sock
from ssh-tpm-agent.
ok. its working! I have to manually ssh-tpm-agent -l /run/user/1000/ssh-tpm-agent.sock
and change the value in the config file to match it. definitely seems to be a bug though.
from ssh-tpm-agent.
I suspect you have SSH_AUTH_SOCK
set somewhere which points /keyring/ssh
. Is that correct?
from ssh-tpm-agent.
from my testing it appears that this is the path that ssh-tpm-agent selects when i do not pass it an -l parameter. SSH_AUTH_SOCK gets set this way BY doing
export SSH_AUTH_SOCK=$(ssh-tpm-agent --print-socket)
UNLESS I manually launch ssh-tm-agent in the foreground with the correct parameter.
As soon as I finish writing this comment I will modify the unit file with this correct parameter as well, but as of right now, if I let the socket launch the service, then the socket path becomes /run/user/1000/keyring/ssh automatically
from ssh-tpm-agent.
There is something else setting that as your SSH_AUTH_SOCK
env variable, then.
from ssh-tpm-agent.
yeah, looking at the unit file, its not possible for the outcome i am observing. I will update this thread when I find out what it is.
from ssh-tpm-agent.
I suspect adding a debug log meesage where it clearly states where it got the socket from would probably make this easier to debug.
from ssh-tpm-agent.
Related Issues (20)
- PCR binding support HOT 15
- Problem when proxying agent, breaks at one point HOT 2
- Don't add suffix if user added it already HOT 1
- Load key "/home/jc/.ssh/hh-8192_rsa.tpm": error in libcrypto HOT 3
- Integrity check failed
- Cannot import ecdsa-sha2-nistp384 HOT 5
- host key functionality fails HOT 5
- agent-forwarding does not work with certificates HOT 6
- ssh-tpm-add does not have -l functionality HOT 2
- Ed25519 key type support HOT 1
- ArchLinux package doesn't set the executable bit on install
- ssh-tpm-agent --print socket prints value of $SSH_AUTH_SOCK and not its own socket HOT 2
- Change PIN HOT 6
- 0.3.0: default key length not valid HOT 11
- 0.3.0: absolute paths are rewritten
- pinentry uses a non-descriptive name HOT 1
- Support SSH_ASKPASS
- [0.3.0-1] TPM key is in an old format. Will not load it. HOT 2
- Error when running `ssh-tpm-keygen`: `open /dev/tpmrm0: permission denied` HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ssh-tpm-agent.