Bug#869890: gnome-keyring breaks SSH logins

Christoph Anton Mitterer calestyo at scientia.net
Thu Jul 27 11:58:35 UTC 2017 

Package: gnome-keyring
Version: 3.20.1-1
Severity: important


Hi.

Seems gnome-keyring somehow breaks my SSH logins.

I have a number of different public keys in ~/.ssh/ and since I've
added another one, logins to all nodes that worked previously now
fail.

As soon as I unset SSH_AUTH_SOCK, which is set to
/run/user/1000/keyring/ssh, which in turn seems to be managed by
gnome-keyring (or isn't it?) everything works again.


ssh with debug info shows the problem:
$ ssh -v someHost
OpenSSH_7.5p1 Debian-5, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /home/calestyo/.ssh/config
debug1: /home/calestyo/.ssh/config line 22: Applying options for someHost
debug1: /home/calestyo/.ssh/config line 145: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug1: /etc/ssh/ssh_config line 7: Deprecated option "useroaming"
/etc/ssh/ssh_config line 141: Unsupported option "rsaauthentication"
debug1: Control socket "/home/calestyo/.ssh/channel-mux/foo_root at someHost:22" does not exist
debug1: Connecting to kronecker [2a01:snipsnap] port 22.
debug1: Connection established.
debug1: identity file /home/calestyo/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/calestyo/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Debian-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Debian-5
debug1: match: OpenSSH_7.5p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to kronecker:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:snipsnap
debug1: Host 'kronecker' is known and matches the ED25519 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:18
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/calestyo/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo+VNC at snipsnap
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo at snipsnap
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: calestyo at snipsnap
Received disconnect from 2a01:snipsnap port 22:2: Too many authentication failures


It simply tries the wrong keys, not sure why it does that,
but ssh_config has a clearly defined order of which keys should
be tried an apparently with the gnome-keyring as agent, this somehow
doesn't work,... even worse, it presents keys which never
added to the agent (neither where I'd have looged in since system start).

When nothing special is specified in ssh_config, then the default
for IdentityFile, that is "~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa"
must be used.


btw: Even manually adding the key fails:
$ ssh-add .ssh/id_ed25519
Could not add identity ".ssh/id_ed25519": communication with agent failed


So seems something is pretty wrong with the agent.


Cheers,
Chris.



-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-keyring depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.10.20-1
ii  dbus-x11 [dbus-session-bus]                   1.10.20-1
ii  dconf-gsettings-backend [gsettings-backend]   0.26.0-2+b1
ii  gcr                                           3.20.0-5.1
ii  libc6                                         2.24-12
ii  libcap-ng0                                    0.7.7-3+b1
ii  libcap2-bin                                   1:2.25-1
ii  libgck-1-0                                    3.20.0-5.1
ii  libgcr-base-3-1                               3.20.0-5.1
ii  libgcrypt20                                   1.7.8-2
ii  libglib2.0-0                                  2.52.3-1
ii  p11-kit                                       0.23.7-3
ii  pinentry-gnome3                               1.0.0-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.20.1-1

gnome-keyring suggests no packages.

-- no debconf information

More information about the pkg-gnome-maintainers mailing list