Skip to main content

Ubuntu ssh agent admitted failure

Ubuntu 10.04 LTS has a serious bug in ssh/ssh-agent/something which causes it to fail to log in to a system even if you have your ssh identies set up. This caused me an hour of panic before I found a workaround. I'm putting it here in case somebody else has the same problem and google finds this for them. (tl;dr: use )

I swap between two laptops and a desktop regularly. I have a shared dotfiles git repository, so my normal settings are fine -- but that won't work for stuff like email passwords, or even email. My current setup is to use an sd card for personal stuff. (yes, my stuff is in an encrypted loop-back partition on that card; I'm not crazy!)

A few days ago (just after returning to Glasgow), I started having read errors on the card. This was particularly sucky because although I'd bought a new 16gb card while in Vancouver, I hadn't gotten around to carrying that new card, so I was using my old 8gb card. I was planning on doing it "soon", but I definitely started to kick myself for not getting it set up sooner.

That said, it was only about 24 hours since I'd made a backup of the sd card anyway, and there hadn't been any truly important emails in that time. (I know the story should go "... but I didn't mind, because I'm using my brother's tarsnap backup service", but it was actually about 3 days since I'd backed up in tarsnap)

Fortunately, when I put the card in a different laptop, it read it just fine. I copied stuff over, checked that things seemed ok, and then started using the new card regularly. Everything seemed fine for a day or two, when I discovered that I couldn't log in to various servers. At this point, I turned to tarsnap to get a backup of my ssh directory, thinking that I'd gotten some freaky bitrot in my private key but nowhere else. No joy.

But wait, it gets worse! Take a look at this:

gperciva@gperciva-desktop:~$ ssh -v
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 22.
debug1: Offering public key: /home/gperciva/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 817
Agent admitted failure to sign using the key.

LOLwut? Server accepts key, agent admitted failure to sign in using the key?!

After a bit of stumbling around, I found a ssh bug report from 2008 in the ubuntu database. Apparently you can work around it by setting SSH_AUTH_SOCK=0. You can also do some weird stuff with something called "seahorse", but I think I'll just export the variable.