Package: openssh-client
Version: 1:9.9p1-3
Severity: normal

Hi,
since a few releases of openssh-client, the ssh-agent is started automatically via systemd --user. The unit in question is stored in /usr/lib/systemd/user/ssh-agent.service

I am using a yubikey and want to give explicit confirmation for my key being used. I am therefore giving the -c option to ssh-add. This stopped working a while ago. This is a regression that makes it impossible to use an important security feature.

mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -c -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
sign_and_send_pubkey: signing failed for RSA "PIV AUTH pubkey" from agent: agent refused operation
m...@torres.zugschlus.de: Permission denied (publickey).
mh@swivel:~ $

I guess that the agent refuses operation since it cannot open the requester asking for confirmation if started from systemd.
Adding the same key without -c works:

mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
torres
mh@swivel:~ $

Starting a new ssh-agent manually works as well:

mh@swivel:~ $ ssh-agent -s
SSH_AUTH_SOCK=/tmp/ssh-IWV24n2D7lTk/agent.8332; export SSH_AUTH_SOCK;
SSH_AGENT_PID=8333; export SSH_AGENT_PID;
echo Agent pid 8333;
mh@swivel:~ $ export SSH_AUTH_SOCK=/tmp/ssh-IWV24n2D7lTk/agent.8332
mh@swivel:~ $ ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh-add -c -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
mh@swivel:~ $ ssh torres hostname
[confirmation requester coming up]
torres
mh@swivel:~ $

I guess that some environment variable or access right is missing to the ssh-agent that asks for confirmation. There should be a workaround to allow agent confirmation still being used.
Greetings
Marc

-- System Information:
Debian Release: trixie/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.11-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.137
ii  libc6             2.40-6
ii  libedit2          3.1-20250104-1
ii  libfido2-1        1.15.0-1+b1
ii  libgssapi-krb5-2  1.21.3-4
ii  libselinux1       3.7-3.1
ii  libssl3t64        3.4.0-2
ii  passwd            1:4.17.0~rc1-1
ii  zlib1g            1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1.1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:6.2.5-1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>
ii  ssh-askpass                1:1.2.4.1-16+b1

-- no debconf information
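An added example (not part of Marc's report and not shipped by the Debian package) of the kind of workaround the report asks for. Confirmation for a key added with ssh-add -c is performed by the agent running an ssh-askpass program, and the X11 askpass programs installed here (ssh-askpass, ksshaskpass) cannot open a window without DISPLAY; a service started by systemd --user inherits neither the login shell's DISPLAY nor any SSH_ASKPASS setting unless the unit is told. The drop-in below supplies both to ssh-agent.service without editing the packaged unit. The askpass path and the display value are assumptions for the example; use the askpass program actually installed and the real display.

```ini
# ~/.config/systemd/user/ssh-agent.service.d/askpass.conf
# Added example drop-in, not from the openssh-client package.
# Values are assumptions: pick the installed askpass program and the display in use.
[Service]
# Program the agent runs to ask for confirmation of a key added with ssh-add -c.
Environment=SSH_ASKPASS=/usr/bin/ssh-askpass
# An X11 askpass cannot open its confirmation window without a display.
Environment=DISPLAY=:0
```

Create the file with `systemctl --user edit ssh-agent.service` (or write it at the path above), then run `systemctl --user daemon-reload` and `systemctl --user restart ssh-agent.service`. The restart drops everything the agent held, so re-run `ssh-add -c -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` afterwards and check with `journalctl --user -u ssh-agent.service` that the askpass program starts when a signing request arrives. If the display number is not fixed, `systemctl --user import-environment DISPLAY` from a logged-in graphical session, followed by the restart, is the alternative to hard-coding a value; a Wayland-native askpass would need WAYLAND_DISPLAY imported the same way. Note that this restores the confirmation prompt; it does not change the fact that anything with access to the agent socket can still make the request that triggers it.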