lubuntu-qa team mailing list archive

Re: ssh not allowing password login if keys are an option

 

Lars,

On 03/09/2013 08:07 AM, Lars Noodén wrote:

> It seems that the new setup with Lubuntu won't allow me to log in via
> SSH using a password if using a key is also an option.  If I connect to
> the server in LXTerminal
> 
>     ssh -l lars xx.yy.zz.aa
> 
> then a graphical dialog box pops up and wants me to enter the passphrase
> (I think) for the private key:  "Enter password to unlock private key"
> If I hit cancel, then ssh quits with this error:
> 
>     Received disconnect from xx.yy.zz.aa: 2: Too
>     many authentication failures for lars

I'm seeing this work as expected here.  I get the GUI dialog, but
pressing Escape (or clicking on the Cancel button if you feel a need to
use a mouse!) dismisses it, and provides a text mode password: prompt,
at which entering the password for the remote account works as it
should.  I get:

  Agent admitted failure to sign using the key.
  jonathan@192.168.168.168's password:

which seems to be the desired and expected result.

> The same dialog box pops up even after I've already used ssh-add to load
> the key into the agent.

These strange GUI asker things are a nuisance.  Please, GNOME, leave SSH
alone!

This is apparently caused by using gnome-keyring-daemon instead of the
real ssh-agent.

> Speaking of ssh-add, that seems broken, too.  If I enter "ssh-add -l" to
> see which key I've loaded, it seems to list all the keys I have in .ssh
> instead of what has been loaded into the agent.

Same cause.

> Is anyone else seeing these two behaviors?

Yes.  I am also seeing strangeness such as

  ssh-add -D

not really removing all identities from the list that

  ssh-add -l

outputs.  This is nuts.

WORKAROUND:

If you do:

  killall gnome-keyring-daemon
  unset GNOME_KEYRING_PID GNOME_KEYRING_CONTROL
  SSH_AUTH_SOCK=$(find /tmp/ssh-* -type s -name "agent.*" |head -1)

you will then (!) have much more normal SSH operation, with the ssh
client using your ssh-agent directly, and not via the
gnome-keyring-daemon that apparently breaks or confuses it.

I don't know quite what gnome-keyring-daemon is supposed to be doing,
but it needs to stay out of my way!  Why are we using it by default?

Jonathan
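
A read-only check to run before the workaround above, added as an example and not part of the original message: it reports which agent `SSH_AUTH_SOCK` points at and looks for an `ssh-agent` socket owned by the current user, without killing or changing anything. The function names and the keyring socket locations (a `keyring/` or `keyring-*/` directory) are assumptions.

```sh
#!/bin/sh
# Added example: inspect the agent socket before repointing SSH_AUTH_SOCK.

# Classify an agent socket by its path.
# Assumption: gnome-keyring keeps its SSH socket in a directory named
# "keyring" or "keyring-XXXXXX"; OpenSSH ssh-agent uses ssh-XXXXXX/agent.<pid>.
classify_agent_sock() {
    case "$1" in
        "")                        echo "none" ;;
        */keyring/*|*/keyring-*/*) echo "gnome-keyring" ;;
        */ssh-*/agent.*)           echo "ssh-agent" ;;
        *)                         echo "unknown" ;;
    esac
}

# Print the first ssh-agent socket under $1 (default /tmp) that is a real
# socket AND owned by the current user; prints nothing if there is none.
find_own_agent_sock() {
    find "${1:-/tmp}" -maxdepth 2 -type s -name 'agent.*' -path '*/ssh-*/*' \
        -user "$(id -u)" 2>/dev/null | head -n 1
}

# Ask the agent behind socket $1 whether it holds keys, using ssh-add's
# exit status: 0 = keys listed, 1 = no identities, 2 = agent unreachable.
agent_status() {
    command -v ssh-add >/dev/null 2>&1 || { echo "ssh-add-missing"; return 0; }
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "has-keys" ;;
        1) echo "empty" ;;
        *) echo "unreachable" ;;
    esac
}

# Report only; nothing is killed, unset or exported here.
cur="${SSH_AUTH_SOCK:-}"
echo "SSH_AUTH_SOCK: ${cur:-<unset>} -> $(classify_agent_sock "$cur")"
own="$(find_own_agent_sock /tmp)"
if [ -n "$own" ]; then
    echo "own ssh-agent socket: $own -> $(agent_status "$own")"
else
    echo "no ssh-agent socket owned by $(id -un) under /tmp"
fi
```
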

