Bug#1094997: regression: ssh-agent started via systemd does not allow key usage confirmation
Package: openssh-client
Version: 1:9.9p1-3
Severity: normal
Hi,
Since a few releases of openssh-client, the ssh-agent is started
automatically via systemd --user. The unit in question is stored in
/usr/lib/systemd/user/ssh-agent.service.
I am using a yubikey and want to give explicit confirmation for my key
being used. I am therefore giving the -c option to ssh-add. This stopped
working a while ago. This is a regression that makes it
impossible to use an important security feature.
mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -c -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
sign_and_send_pubkey: signing failed for RSA "PIV AUTH pubkey" from agent: agent refused operation
mh@torres.zugschlus.de: Permission denied (publickey).
mh@swivel:~ $
I guess that the agent refuses the operation since it cannot open the
requester asking for confirmation if started from systemd. Adding the
same key without -c works:
mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
torres
mh@swivel:~ $
Starting a new ssh-agent manually works as well:
mh@swivel:~ $ ssh-agent -s
SSH_AUTH_SOCK=/tmp/ssh-IWV24n2D7lTk/agent.8332; export SSH_AUTH_SOCK;
SSH_AGENT_PID=8333; export SSH_AGENT_PID;
echo Agent pid 8333;
mh@swivel:~ $ export SSH_AUTH_SOCK=/tmp/ssh-IWV24n2D7lTk/agent.8332
mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -c -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
[confirmation requester coming up]
torres
mh@swivel:~ $
I guess that some environment variable or access right is missing for the
ssh-agent that asks for confirmation.
There should be a workaround that still allows agent confirmation to be
used.
Greetings
Marc
-- System Information:
Debian Release: trixie/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.11-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.137
ii libc6 2.40-6
ii libedit2 3.1-20250104-1
ii libfido2-1 1.15.0-1+b1
ii libgssapi-krb5-2 1.21.3-4
ii libselinux1 3.7-3.1
ii libssl3t64 3.4.0-2
ii passwd 1:4.17.0~rc1-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1.1
Versions of packages openssh-client suggests:
pn keychain <none>
ii ksshaskpass [ssh-askpass] 4:6.2.5-1
pn libpam-ssh <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-16+b1
-- no debconf information
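As an added example, not part of the bug report above and not Debian's or OpenSSH's own code, the following POSIX sh function inspects an ssh-agent's environment for what the ssh-askpass confirmation dialog needs. It builds on the reporter's own guess (a missing environment variable) and on one assumption: ssh-agent runs the program named by SSH_ASKPASS (default: ssh-askpass on PATH) for `ssh-add -c` confirmations, and that program can only open its dialog when DISPLAY is set or SSH_ASKPASS_REQUIRE=force is given. The two sample environments are constructed, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): does this agent environment
# allow an ssh-askpass confirmation prompt to appear at all?
#
# Assumption: ssh-agent hands `ssh-add -c` confirmations to the program
# named by SSH_ASKPASS (default ssh-askpass on PATH), and that program needs
# DISPLAY, or SSH_ASKPASS_REQUIRE=force, to show a dialog.

# agent_env_report ENV_TEXT
#   ENV_TEXT: KEY=VALUE lines, one per line, for example from
#     tr '\0' '\n' < /proc/$(pidof -s ssh-agent)/environ
#   or, for the systemd --user instance the report describes,
#     systemctl --user show-environment
#   Prints one finding per line. Exit status 0: a confirmation prompt
#   should be able to appear; 1: it cannot.
agent_env_report() {
    env_text=$1
    display=$(printf '%s\n' "$env_text" | sed -n 's/^DISPLAY=//p' | head -n 1)
    askpass=$(printf '%s\n' "$env_text" | sed -n 's/^SSH_ASKPASS=//p' | head -n 1)
    require=$(printf '%s\n' "$env_text" | sed -n 's/^SSH_ASKPASS_REQUIRE=//p' | head -n 1)
    status=0

    if [ -n "$display" ]; then
        echo "ok: DISPLAY=$display, a graphical askpass can open its dialog"
    elif [ "$require" = "force" ]; then
        echo "ok: SSH_ASKPASS_REQUIRE=force, askpass runs even without DISPLAY"
    else
        echo "problem: DISPLAY is unset and SSH_ASKPASS_REQUIRE is not 'force'; no dialog can be shown"
        status=1
    fi

    if [ "$require" = "never" ]; then
        echo "problem: SSH_ASKPASS_REQUIRE=never disables askpass entirely"
        status=1
    fi

    if [ -n "$askpass" ]; then
        echo "info: SSH_ASKPASS=$askpass (must exist and be executable on the agent's host)"
    else
        echo "info: SSH_ASKPASS unset, the default ssh-askpass on PATH will be used"
    fi
    return $status
}

# Constructed sample: what a systemd --user service typically inherits
# (no DISPLAY, no askpass settings). Paths are placeholders.
SAMPLE_SYSTEMD_ENV='PATH=/usr/local/bin:/usr/bin:/bin
HOME=/home/mh
LANG=de_DE.UTF-8
SSH_AUTH_SOCK=/run/user/1000/agent.sock
INVOCATION_ID=constructed-placeholder'

# Constructed sample: an agent started from an interactive desktop shell,
# like the report's manual `ssh-agent -s` run.
SAMPLE_SHELL_ENV='PATH=/usr/local/bin:/usr/bin:/bin
HOME=/home/mh
DISPLAY=:0
SSH_AUTH_SOCK=/tmp/ssh-IWV24n2D7lTk/agent.8332'

if [ "${1:-}" = "--demo" ]; then
    echo "== systemd --user style environment"
    agent_env_report "$SAMPLE_SYSTEMD_ENV"
    echo "== interactive shell environment"
    agent_env_report "$SAMPLE_SHELL_ENV"
fi
```

Run it with `--demo` to see both samples evaluated; to check a live agent, feed it the output of `systemctl --user show-environment` or the agent process's `/proc/PID/environ`. A "problem" line for the systemd-started agent but an "ok" line for the manually started one would match the behaviour the report shows.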