dlech / KeeAgent

ssh agent plugin for KeePass 2.x
http://lechnology.com/software/keeagent

Getting stuck after "sign_and_send_pubkey" #387

Closed elieux closed 5 months ago

elieux commented 1 year ago

I keep having weird issues with SSH getting stuck when trying to authenticate using keys and I wonder whether KeeAgent could be at fault here.

  1. Using SSH from MSYS2, loading key through KeeAgent's special socket. This happened to me at least twice, several days apart, also with at least two different servers (my VPS and GitHub).
  2. Using OpenSSH from Windows, loading key through KeeAgent's special pipe. I was gonna try out this mode, I think it worked once and then it stopped. Tried two different VPSs.
  3. Using Unison-SSH wrapper and Plink, loading key through KeeAgent. This might have been a different issue, I don't remember precisely.

When it starts, the issue keeps happening consistently, but it seems to get resolved later by itself. During the time I took to write this ticket for example, case 2 started working again.

At the point where the client gets stuck, I'd expect a confirmation dialog from KeeAgent, but it doesn't show up.

The relevant log snippet from case 2 right now (redacted):

```
debug1: Will attempt key: key1 RSA SHA256:fingerprint agent
debug1: Will attempt key: key2 RSA SHA256:fingerprint2 agent
debug1: Will attempt key: $HOME/.ssh/id_rsa
debug1: Will attempt key: $HOME/.ssh/id_dsa
debug1: Will attempt key: $HOME/.ssh/id_ecdsa
debug1: Will attempt key: $HOME/.ssh/id_ecdsa_sk
debug1: Will attempt key: $HOME/.ssh/id_ed25519
debug1: Will attempt key: $HOME/.ssh/id_ed25519_sk
debug1: Will attempt key: $HOME/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: key1 RSA SHA256:fingerprint agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key2 RSA SHA256:fingerprint2 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: key2 RSA SHA256:fingerprint2 agent
debug3: sign_and_send_pubkey: RSA SHA256:fingerprint2
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:fingerprint2
```
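
A triage sketch for the trace in the report above, added here as an example and not part of the original post or of KeeAgent: it reads `ssh -vvv` output and reports whether the client stopped while waiting for a signature, which for an agent-held key means waiting on the agent. The sample traces are constructed from the redacted log; `triage` and its stage names are hypothetical, and fingerprints are assumed to be in the default `SHA256:` form.

```python
import re

# Constructed sample modelled on the tail of the redacted `ssh -vvv` trace.
STALLED = """\
debug1: Offering public key: key1 RSA SHA256:fingerprint agent
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Offering public key: key2 RSA SHA256:fingerprint2 agent
debug3: send packet: type 50
debug3: receive packet: type 60
debug1: Server accepts key: key2 RSA SHA256:fingerprint2 agent
debug3: sign_and_send_pubkey: RSA SHA256:fingerprint2
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:fingerprint2
"""
# Constructed healthy continuation: the signed SSH_MSG_USERAUTH_REQUEST (50)
# goes out and the server answers SSH_MSG_USERAUTH_SUCCESS (52).
HEALTHY = STALLED + "debug3: send packet: type 50\ndebug3: receive packet: type 52\n"

ACCEPT = re.compile(r"Server accepts key: (.+) (\S+) (SHA256:\S+)(.*)$")
SIGNING = re.compile(r"sign_and_send_pubkey: signing using (\S+) (\S+)$")
PACKET = re.compile(r"(send|receive) packet: type (\d+)$")

def triage(log):
    """Classify where publickey authentication stopped in an ssh -vvv trace."""
    st = {"stage": "no_key_accepted", "key": None, "from_agent": False, "alg": None}
    for line in log.splitlines():
        line = line.strip()
        if m := ACCEPT.search(line):
            # Server sent SSH_MSG_USERAUTH_PK_OK (60) for this key.
            st.update(stage="accepted", key=m.group(3),
                      from_agent="agent" in m.group(4).split())
        elif (m := SIGNING.search(line)) and st["stage"] == "accepted":
            # Client is about to ask for the signature; no packet sent yet.
            st.update(stage="waiting_for_signature", alg=m.group(1))
        elif (m := PACKET.search(line)) and st["stage"] != "no_key_accepted":
            direction, ptype = m.group(1), int(m.group(2))
            if (st["stage"], direction, ptype) == ("waiting_for_signature", "send", 50):
                st["stage"] = "signature_sent"
            elif st["stage"] == "signature_sent" and direction == "receive":
                outcome = {52: "authenticated", 51: "signature_rejected"}
                st["stage"] = outcome.get(ptype, st["stage"])
    return st

if __name__ == "__main__":
    print(triage(STALLED))
    print(triage(HEALTHY))
```

A trace that ends in `waiting_for_signature` with `from_agent` set stopped before any signed request reached the server.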

elieux commented 1 year ago

This time I took a peek at the task manager and I can see an entry appear whenever a confirmation dialog is supposed to show up.

By the way, it could just as well be due to something on my PC, but I'm not quite sure how to rule that out.


dlech commented 1 year ago

KeeAgent version? Agent mode or Client mode?

elieux commented 1 year ago

KeeAgent v0.13.5.0 agent mode.

FunnyDingo commented 11 months ago

I've the same issue but only with an old RSA key. I never have problems with my ED25519 keys.

Sometimes the RSA key works, sometimes not. I could not find any regularity. Only happens in Windows OpenSSH. With PuTTY it works without any issue.

One difference between my ED25519 and the RSA key: I had "Use confirm constraint" enabled for the RSA key. Disabled it now.

I will watch it.

FunnyDingo commented 11 months ago

Today I've seen this behavior also with an ED25519 key. But also a key with "Use confirm constraint" enabled. I disabled it and restarted KeePass to have a "clean state". Afterwards it worked.

Still will watch it.

dlech commented 11 months ago

This sounds like something is blocking the main UI thread in KeePass preventing the confirmation dialog from being shown.

Do you have any other extensions installed?

FunnyDingo commented 11 months ago

Yes (all in latest version):

dlech commented 11 months ago

Does keeagent still lock up if you disable all other extensions?

FunnyDingo commented 11 months ago

I've to test it over some more days because the problem does not appear every time.

FunnyDingo commented 11 months ago

Hm, unfortunately I'm able to reproduce the problem with all other plugins disabled.

msabatier commented 11 months ago

I can confirm that I can reproduce the same kind of issue when I activate the global config "Always require user confirmation when a client program requests to use a key": when I try to connect to a host with windows openssh (OpenSSH_for_Windows_8.6p1) the confirmation pop up never appears and connection gets stuck.

Interestingly the pop-up appears correctly and everything works fine when I connect with putty.

When I deactivate the user confirmation and just use "Show a notification when a key is used", I can successfully connect both with putty and windows openssh.

I have KeePass v2.52 and KeeAgent 0.13.5.0 on Windows 11. I don't have any other extension installed.

Unfortunately I don't have the required setup at hand to generate a debug trace.

ExtraClock commented 9 months ago

It'd be great if anyone with stable reproducibility of the issue could try the plugin version from PR https://github.com/dlech/KeeAgent/pull/394

elieux commented 5 months ago

I did a quick test:

I wouldn't say it's 100 percent, but it looks good.

ExtraClock commented 5 months ago

> official v0.13.6.0 has the issue as described

I can confirm the same. For the last 3 months I used my own custom built plugin and had no single issue with it getting stuck. As I upgraded to the 0.13.6 it started getting stuck again.

@elieux, I attached to the PR #394 KeeAgent_v0.13.6-fix387.zip that is based on another approach. I'll appreciate if you test it as well.

elieux commented 5 months ago

> I attached to the PR https://github.com/dlech/KeeAgent/pull/394 KeeAgent_v0.13.6-fix387.zip that is based on another approach. I'll appreciate if you test it as well.

Confirming that this one also immediately worked.

ExtraClock commented 5 months ago

> > I attached to the PR #394 KeeAgent_v0.13.6-fix387.zip that is based on another approach. I'll appreciate if you test it as well.
>
> Confirming that this one also immediately worked.

@elieux, FYI, you can use a fresh build from the GitHub actions while you are waiting for the next release: https://github.com/dlech/KeeAgent/actions/runs/7604354479