Keeper-Security / Commander

Keeper Commander is a python-based CLI and SDK interface to the Keeper Security platform. Provides administrative controls, reporting, import/export and vault management.
https://www.keepersecurity.com/commander.html
MIT License

ssh-agent failure due to lack of support for SSH_AGENTC_EXTENSION? #1251

Closed phlibi closed 2 weeks ago

phlibi commented 2 weeks ago

Hi everyone,

I'm having a hard time getting my SSH to work with keepercommander's ssh-agent. I've added keys and they are properly listed with ssh-add -l. Logging in even works when I first manually extract the public key part using ssh-add -L into a file and then use ssh -i serverkey.pub user@host, but when using it "normally", like with ssh user@host, the result is just:

$ ssh user@host
user@host: Permission denied (publickey).

The ssh-agent in this case only logs

SSH Agent has been unlocked

By adding a few (at least 2) -v switches to the SSH invocation, I see this:

debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys

I then added two prints near the beginning of _process_ssh_agent_request() (https://github.com/Keeper-Security/Commander/blob/8b7d262374850996e289072c2a09f8f975c82121/keepercommander/commands/ssh_agent.py#L404) to figure out what's going on:

        print(f'lock_passphrase={self._lock_passphrase}')
        print(f'command={command}')

Now the agent is slightly more talkative when trying to establish a connection:

lock_passphrase=None
command=27
SSH Agent has been unlocked
lock_passphrase=None
command=11

The offending line is command=27: There is just no branch and not even a definition for this type in the code:

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_REMOVE_IDENTITY = 18
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19
SSH_AGENTC_LOCK = 22
SSH_AGENTC_UNLOCK = 23
SSH_AGENTC_ADD_ID_CONSTRAINED = 25

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_SIGN_RESPONSE = 14

SSH_AGENT_RSA_SHA2_256 = 2
SSH_AGENT_RSA_SHA2_512 = 4

SSH_AGENT_CONSTRAIN_LIFETIME = 1

According to an IETF document (https://www.ietf.org/archive/id/draft-miller-ssh-agent-08.txt), type 27 is SSH_AGENTC_EXTENSION. This probably refers to the SSH agent restriction (https://www.openssh.com/agent-restrict.html) protocol extension. This is apparently just not supported yet by keepercommander's ssh-agent.

My ssh version:

$ ssh -V
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023

Is it correct that the failure is due to this lack of support, or is it just me doing something wrong? In the former case, are there plans to add support for this protocol extension to ssh-agent any time soon? Is there maybe an option to tell SSH not to try this protocol extension and go without it?

Thanks!

aaunario-keeper commented 2 weeks ago

Hi,

Unless you're using SSH agent forwarding (it doesn't look like it based on your commands), support for that protocol extension shouldn't be an issue. The current implementation of Commander's SSH agent should at least allow you to connect to a remote host directly from the device running the agent/Commander.

Would you mind providing the output of the following command (feel free to redact sensitive info): ssh -vvv user@host?

On Mon, Jun 17, 2024 at 4:55 AM phlibi wrote: [the opening post, quoted in full]

phlibi commented 2 weeks ago

Hi,

Thanks for your quick response. Indeed I'm not using port forwarding, and since SSH clients should actually behave gracefully if the agent does not support a feature, it is probably another problem. FWIW, I also added an output of the whole request variable, and the client apparently requests session binding:

request=b'\x1b\x00\x00\x00\x18session-bind@openssh.com\x00\x00...

Here is the log of an unsuccessful attempt:

$ ssh -vvv remoteuser@10.11.12.13
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.11.12.13 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.11.12.13 [10.11.12.13] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13
debug1: compat_banner: match: OpenSSH_9.6p1 Ubuntu-3ubuntu13 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.11.12.13:22 as 'remoteuser'
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:230
debug3: load_hostkeys_file: loaded 1 keys from 10.11.12.13
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:x0uTBYmxxxxxxxxxxxxxxxxN9EqdGVTW3gI
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:230
debug3: load_hostkeys_file: loaded 1 keys from 10.11.12.13
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.11.12.13' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:230
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: ssh_get_authentication_socket_path: path '/home/user/.keeper/keeper.user@remoteuser.ch.ssh_agent'
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:K54mb8bxxxxxxxxxxxxxxxxxxxxxUUewW2Q
debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user/.ssh/id_ed25519 
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user/.ssh/id_xmss 
debug1: Will attempt key: /home/user/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:K54mb8bxxxxxxxxxxxxxxxxxxxNcGf3UUewW2Q
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa_sk
debug3: no such identity: /home/user/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519_sk
debug3: no such identity: /home/user/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
remoteuser@10.11.12.13: Permission denied (publickey).

And this is what happens if I first manually extract the stored public key of the host from the agent and then direct ssh to use this, making the connection successful:

$ ssh-add -L > /tmp/remotehost.pub
$ cat /tmp/remotehost.pub 
ssh-ed25519 AAAAC3NzaC1lZxxxxxxxxxxxxxxxxxxxxxxxxxxxxEc5ZXhIUt remote-host-name
$ ssh -vvv -i /tmp/remotehost.pub remoteuser@10.11.12.13
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.11.12.13 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.11.12.13 [10.11.12.13] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /tmp/remotehost.pub type 3
debug1: identity file /tmp/remotehost.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13
debug1: compat_banner: match: OpenSSH_9.6p1 Ubuntu-3ubuntu13 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.11.12.13:22 as 'remoteuser'
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:230
debug3: load_hostkeys_file: loaded 1 keys from 10.11.12.13
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:x0uTBYmdWxxxxxxxxxxxxxxN9EqdGVTW3gI
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:230
debug3: load_hostkeys_file: loaded 1 keys from 10.11.12.13
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.11.12.13' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:230
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: ssh_get_authentication_socket_path: path '/home/user/.keeper/keeper.user@remoteuser.ch.ssh_agent'
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /tmp/remotehost.pub ED25519 SHA256:m5vATPExxxxxxxxxxxxxxxxxxxqVkxTJl59No explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/remotehost.pub ED25519 SHA256:m5vATPEUe7xxxxxxxxxxxxxxxxxxqVkxTJl59No explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /tmp/remotehost.pub ED25519 SHA256:m5vATPEUe7xxxxxxxxxxxxxxxxxxdyXqVkxTJl59No explicit agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:m5vATPEUe7xxxxxxxxxxxxxxxxxxxxXqVkxTJl59No
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:m5vATPEUexxxxxxxxxxxxxxxxxxbdyXqVkxTJl59No
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 10.11.12.13 ([10.11.12.13]:22) using "publickey".
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: filesystem
debug3: client_repledge: enter
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: client_input_hostkeys: received RSA key SHA256:wUHHrtUzRxxxxxxxxxxxxxxxxxxxxxB5qLMSDWNo
debug3: client_input_hostkeys: received ECDSA key SHA256:W4SXK3/dxxxxxxxxxxxxxxxxxxxxxxx6fueTXUNQ
debug3: client_input_hostkeys: received ED25519 key SHA256:x0uTBYxxxxxxxxxxxxxxxxxxx6N9EqdGVTW3gI
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts for 10.11.12.13 / (none)
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: hostkeys_find: found ssh-ed25519 key under different name/addr at /home/user/.ssh/known_hosts:179
debug3: hostkeys_find: found ssh-ed25519 key at /home/user/.ssh/known_hosts:230
debug3: hostkeys_find: found ssh-ed25519 key under different name/addr at /home/user/.ssh/known_hosts:533
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts2 for 10.11.12.13 / (none)
debug1: client_input_hostkeys: hostkeys file /home/user/.ssh/known_hosts2 does not exist
debug3: client_input_hostkeys: 3 server keys: 2 new, 18446744073709551615 retained, 2 incomplete match. 0 to remove
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug3: client_repledge: enter
debug3: receive packet: type 4
debug1: Remote: /home/remoteuser/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/remoteuser/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env WINDOWID
debug3: Ignored env QT_ACCESSIBILITY
debug3: Ignored env QT_SCREEN_SCALE_FACTORS
debug3: Ignored env COLORTERM
debug3: Ignored env PYENV_SHELL
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env LANGUAGE
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env MEMORY_PRESSURE_WRITE
debug3: Ignored env DESKTOP_SESSION
debug1: channel 0: setting env LC_MONETARY = "de_CH.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GTK_RC_FILES
debug3: Ignored env XCURSOR_SIZE
debug3: Ignored env XDG_SEAT
debug3: Ignored env PWD
debug3: Ignored env XDG_SESSION_DESKTOP
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SYSTEMD_EXEC_PID
debug3: Ignored env XAUTHORITY
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env HOME
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env MEMORY_PRESSURE_WATCH
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env PROFILEHOME
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env QTWEBENGINE_DICTIONARIES_PATH
debug3: Ignored env INVOCATION_ID
debug3: Ignored env KONSOLE_VERSION
debug3: Ignored env MANAGERPID
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env LESSCLOSE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env TERM
debug3: Ignored env LESSOPEN
debug3: Ignored env USER
debug3: Ignored env SSH_ASKPASS_REQUIRE
debug3: Ignored env COLORFGBG
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env PAM_KWALLET5_LOGIN
debug3: Ignored env DISPLAY
debug3: Ignored env SHLVL
debug1: channel 0: setting env LC_MEASUREMENT = "de_CH.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PYENV_ROOT
debug1: channel 0: setting env LC_TIME = "de_CH.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env QT_AUTO_SCREEN_SCALE_FACTOR
debug3: Ignored env JOURNAL_STREAM
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env PATH
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env KDE_APPLICATIONS_AS_SCOPE
debug1: channel 0: setting env LC_NUMERIC = "de_CH.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug3: client_repledge: enter
debug1: pledge: fork
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: chan_shutdown_read: channel 0: (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 [session] r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1 io 0x00/0x00)

debug3: send packet: type 1
Connection to 10.11.12.13 closed.
Transferred: sent 4048, received 4616 bytes, in 2.4 seconds
Bytes per second: sent 1663.2, received 1896.5
debug1: Exit status 0

For some reason, SSH refuses to go on with the public key that it got from the agent:

$ diff -u /tmp/ssh_unsuccessful.log /tmp/ssh_successful.log 
--- /tmp/ssh_unsuccessful.log   2024-06-18 07:39:00.999950384 +0200
+++ /tmp/ssh_successful.log     2024-06-18 07:38:19.950819117 +0200
...
@@ -96,13 +84,7 @@
 debug3: ssh_get_authentication_socket_path: path '/home/user/.keeper/keeper.user@remoteuser.ch.ssh_agent'
 debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
 debug1: get_agent_identities: agent returned 1 keys
-debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:K54mb8bxxxxxxxxxxxxxxxxxxxxxxUUewW2Q
-debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
-debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk 
-debug1: Will attempt key: /home/user/.ssh/id_ed25519 
-debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk 
-debug1: Will attempt key: /home/user/.ssh/id_xmss 
-debug1: Will attempt key: /home/user/.ssh/id_dsa 
+debug1: Will attempt key: /tmp/remotehost.pub ED25519 SHA256:m5vATPxxxxxxxxxxxxxxxxxxxxxxxxVkxTJl59No explicit agent
 debug2: pubkey_prepare: done
 debug3: send packet: type 5
 debug3: receive packet: type 7
...

Is there any specific format required for the public key in the "SSH Key" record? I tried with and without comment and even with the host's public key (after all, there should be a way to tell the agent which key it should use for logging in, as testing all of them may cause trouble), but to no avail. The behavior is always the same.

aaunario-keeper commented 2 weeks ago

It looks like the key being returned by the agent is not being used by your SSH client to authenticate with the server, which leads me to believe that you likely have a setting in your SSH config file (~/.ssh/config) that's blocking it. Specifically, I suspect that you might have the IdentitiesOnly option set to yes in your configuration for that host. If you have something like the following:

Host remotehost
    HostName remotehost
    User admin
    Port 2222
    IdentitiesOnly yes

I would comment out the last line or set it to no explicitly

phlibi commented 2 weeks ago

You're absolutely right, that was it! I had this directive in my configuration, but for a reason. I have currently 100 SSH keys and more to come. With them as individual files, I selected the correct one each time when connecting to a host. Now this is probably not possible anymore when using Keeper's ssh-agent and as expected, I get this:

$ ssh remoteuser@10.11.12.13
Received disconnect from 10.11.12.13 port 22:2: Too many authentication failures
Disconnected from 10.11.12.13 port 22

Is there a way to tell the commander/agent/vault to only offer the key for which the hostname/IP matches? Or can I somehow upload the host key to perform the matching on this basis? Since a vault can easily contain a number of SSH keys, I suppose that this could affect other people as well...

I'm not entirely sure, but it looks like the extension mechanism would allow the agent to apply such constraints. However, I've so far not discovered how this would be used, even if the agent would support it.

aaunario-keeper commented 2 weeks ago

That's a valid concern, as most SSH servers are set up to allow only up to ~6 authentication attempts per client (meaning without a way to map a key to a host, you could only have that many SSH keys in your vault in order for the agent to work as intended). The OpenSSH extension mechanism could indeed be used to address this issue (though obviously only for those using that particular client), and I suspect this is something we will add support for in the near future.

As a short-term solution, you could try using Commander's ssh command instead (documentation here), which would allow you to use a specific record to authenticate with your specified host.
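
The two agent requests visible in the debug output earlier in the thread, command 27 (SSH_AGENTC_EXTENSION carrying session-bind@openssh.com) followed by command 11 (SSH_AGENTC_REQUEST_IDENTITIES), in their wire form, as an added example that is not Keeper Commander's code and not part of the original issue. It frames both messages, parses the identities answer, picks one key by exact comment match (the same selection the thread's helper script does with grep on `ssh-add -L`), and renders the public-key line that `ssh -i` accepts. The message layouts follow OpenSSH's PROTOCOL.agent; `toy_agent_dispatch`, `SAMPLE_IDENTITIES` and the 32 filler bytes standing in for Ed25519 public keys are constructed for the example.

```python
"""ssh-agent wire format for the two requests in the issue log: command 27
(SSH_AGENTC_EXTENSION, session-bind@openssh.com) and command 11
(SSH_AGENTC_REQUEST_IDENTITIES). Added example, not Keeper Commander code.
Layouts follow OpenSSH's PROTOCOL.agent; SAMPLE_IDENTITIES is constructed
(32 filler bytes stand in for Ed25519 public keys)."""
import base64
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_EXTENSION = 27  # missing from the constant table quoted in the issue

def put_string(b: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def frame(payload: bytes) -> bytes:
    """Prefix one agent message with its uint32 length."""
    return struct.pack(">I", len(payload)) + payload

def read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def ed25519_pubkey_blob(raw32: bytes) -> bytes:
    """Public key blob: string "ssh-ed25519", string key (what ssh-add -L base64-encodes)."""
    return put_string(b"ssh-ed25519") + put_string(raw32)

# Constructed agent contents: two keys whose comments share a prefix.
SAMPLE_IDENTITIES = [(ed25519_pubkey_blob(b"\x01" * 32), "remote-host-name"),
                     (ed25519_pubkey_blob(b"\x02" * 32), "remote-host-name2")]

def identities_answer(identities) -> bytes:
    """SSH_AGENT_IDENTITIES_ANSWER: byte 12, uint32 nkeys, then (string blob, string comment) per key."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        body += put_string(blob) + put_string(comment.encode())
    return frame(body)

def parse_identities_answer(msg: bytes):
    """Return [(blob, comment), ...] from a framed identities answer."""
    (length,) = struct.unpack_from(">I", msg, 0)
    payload = msg[4:4 + length]
    if len(payload) != length or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (nkeys,) = struct.unpack_from(">I", payload, 1)
    off, out = 5, []
    for _ in range(nkeys):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        out.append((blob, comment.decode()))
    return out

def authorized_key_line(blob: bytes, comment: str) -> str:
    """Render an identity the way `ssh-add -L` prints it: type, base64 blob, comment."""
    keytype, _ = read_string(blob, 0)
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} {comment}"

def select_identity(identities, comment: str):
    """Exactly one identity by exact comment match, so 'host1' never matches 'host10'."""
    matches = [ident for ident in identities if ident[1] == comment]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} identities match {comment!r}")
    return matches[0]

def session_bind_request(hostkey_blob: bytes, session_id: bytes, signature: bytes,
                         is_forwarding: bool = False) -> bytes:
    """The 'command=27' message: SSH_AGENTC_EXTENSION carrying session-bind@openssh.com
    (string name, string hostkey, string session id, string signature, bool is_forwarding)."""
    body = bytes([SSH_AGENTC_EXTENSION]) + put_string(b"session-bind@openssh.com")
    body += put_string(hostkey_blob) + put_string(session_id) + put_string(signature)
    body += bytes([1 if is_forwarding else 0])
    return frame(body)

def toy_agent_dispatch(request: bytes, identities) -> bytes:
    """Minimal agent side. Anything it does not implement, including extension 27,
    gets SSH_AGENT_FAILURE; OpenSSH logs 'agent refused operation' and carries on."""
    (length,) = struct.unpack_from(">I", request, 0)
    if length < 1 or len(request) < 4 + length:
        raise ValueError("truncated request")
    if request[4] == SSH_AGENTC_REQUEST_IDENTITIES:
        return identities_answer(identities)
    return frame(bytes([SSH_AGENT_FAILURE]))

if __name__ == "__main__":
    bind = session_bind_request(SAMPLE_IDENTITIES[0][0], b"S" * 32, b"sig")
    print("reply to command 27:", toy_agent_dispatch(bind, SAMPLE_IDENTITIES).hex())
    answer = toy_agent_dispatch(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])), SAMPLE_IDENTITIES)
    blob, comment = select_identity(parse_identities_answer(answer), "remote-host-name")
    print(authorized_key_line(blob, comment))  # the single line to hand to `ssh -i`
```

Two practitioner notes follow from this. An agent with no handler for command 27 only has to answer SSH_AGENT_FAILURE; the client reports that as "agent refused operation" and proceeds, which is what the logs in this thread show, so the missing branch is not what blocks the login. The binding is nevertheless the hook aaunario-keeper refers to: OpenSSH's own agent uses the bound host key to enforce destination constraints (keys added with `ssh-add -h`), listing only the keys permitted for that host. Until an agent implements that, the per-host choice has to be made client-side, and OpenSSH supports it without a helper script: `IdentitiesOnly yes` together with an `IdentityFile` that points at a public-key file makes ssh offer only that key and ask the agent to sign with the matching private key, which is the configuration behind the successful `ssh -i /tmp/remotehost.pub` run above.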

phlibi commented 2 weeks ago

Maybe I'm doing something wrong, but the results are the same when I try it with commander's built-in ssh command:

Decrypted [350] record(s)
My Vault> ssh Folder/hostname
An unexpected error occurred: [Errno 111] Connection refused. Type "debug" to toggle verbose error output
My Vault> ssh-agent start
Starting Commander in SSH Agent Mode...
Loading keys...
Record ...
...
Loaded 100 private key(s)
SSH Agent Started.

Note: To use the Commander SSH Agent, run the below command in your terminal or startup file:
export SSH_AUTH_SOCK=/home/user/.keeper/keeper.user@remoteuser.ch.ssh_agent

My Vault> ssh Folder/hostname
Identity "hostname" has been added
Connecting to "hostname" ...
SSH Agent has been unlocked
Received disconnect from 10.11.12.13 port 22:2: Too many authentication failures
Disconnected from 10.11.12.13 port 22
Identity "hostname" has been removed

This looks a bit strange. Anyway, this integrated ssh command probably wouldn't make me too happy, as it would restrict me to a single connection at a time (unless I start multiple keeper shells) and may cause trouble for more "advanced" usage (tunneling, scp and friends, scripting, etc.). So I hacked up a helper program that appears to solve the trouble for me:

#!/bin/sh

# This script should be invoked when establishing an ssh connection to provide
# a just-in-time public key identity file for a host to resolve the
# "Too many authentication failures" problem when the ssh-agent contains many
# keys.
#
# Use it like so:
# ssh -i $(sshak keyname) user@host
# sshak: This script ("ssh-agent key")
# keyname: The name/comment to look for in the output of `ssh-add -L`
#
# When invoked this way, the script queries the identities of the ssh-agent
# to find a public key with the given name, which is then saved as a
# temporary file. The name of the file is returned, so that ssh can pick up
# the public key from it and use the corresponding private key in the ssh-agent
# for authentication.
#
# CAVEAT: The temporary file is not deleted after use and may cause some
# clutter in the temporary directory.

# Note: The given argument is anchored to the end of the line to avoid
# accidental partial matches like "keyname1" matching "keyname10".
IDENTITY=$(ssh-add -L | grep "$1$")
# IDENTITY must contain exactly one line, not zero and not multiple.
if [ -z "$IDENTITY" ]; then
    echo "No identity found for $1" >&2
    echo "no-such-identity"
    exit 1
fi
if [ $(echo "$IDENTITY" | wc -l) -ne 1 ]; then
    echo "Multiple identities found for $1" >&2
    echo "multiple-identities"
    exit 2
fi
# Create the temporary public key file.
PUBKEY_FILE=$(mktemp -t sshak.XXXXXX.pub)
echo "$IDENTITY" > "$PUBKEY_FILE"
echo "$PUBKEY_FILE"

Saved the script to $HOME/.local/bin/sshak and made it executable. Now I can say

ssh -i $(sshak hostname) remoteuser@10.11.12.13

and it will look up the public key for hostname in the running ssh-agent, write the key to a temporary file and pass this file as identity to the ssh command, which then uses exactly this key from the agent to log in. It's not particularly clean, but it works until there's a better solution.

Thanks for your help!