I’ve recently updated my Manjaro system and I noticed a change in the behavior when ssh-ing to a remote machine.
I have a ssh-key protected by a password. When I connected to a remote machine, I was asked for a password in the terminal, something like this:
$ ssh machine
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa
After the recent update:
$ ssh machine
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation
user@10.1.1.1: Permission denied (publickey).
Also the following log is present in journalctl:
gcr-ssh-agent[14524]: couldn't prompt for password: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable
gcr-ssh-agent[14524]: the /usr/bin/ssh-add command failed: Child process exited with code 1
If I install gnome-keyring (it used to work without it before) then I’m prompted for the password in a graphical prompt.
Also another workaround would be to call ssh-add before ssh-ing to the machine. ssh-add prompts for a password in the terminal, so then ssh can use the key OK.
What has changed and how to get the old behavior back?
Thanks for the info, I’ve seen the post before posting, but it seems that are two different situations.
The linked post is talking about gnome-keyring. I don’t have it installed, see my original post.
I’m able to connect if I install gnome-keyring (it used to work without it before): I’m prompted for the password in a graphical prompt.
You are right, it’s the same here. Yet it works like that so I carefully assume it’s ok like that. Maybe gcr internally uses the .ssh socket? I’m an old man with no clue so I just thank our upstream overlords that it works now and pray that they don’t take it away again
So my understanding: after the last update the gcr socket is active so the gcr-ssh-agent is started.
This sets the SSH_AUTH_SOCK environment variable and this will lead to using the gcr.
I did not use it before.
So to revert to my original behavior I disabled gcr: systemctl --global disable gcr-ssh-agent.socket
So just to try to understand it: ssh-agent by itself (started within a termin session for instance) needs gcr-ssh-agent.socket to be turned off because it blocks the same socket ssh-agent uses?
The solution via gcr has the advantage of working globally, also like in my case for commands started via a panel, but I totally agree that it should not block ssh-agent by default, which probably most people use.