sekey / sekey

Use Touch ID / Secure Enclave for SSH Authentication!
MIT License

sign_and_send_pubkey #17

Open Rudi9719 opened 6 years ago

Rudi9719 commented 6 years ago

Not sure what happened, but when I try to SSH into FreeBSD, macOS, Ubuntu, or Debian, I get sign_and_send_pubkey: signing failed: communication with agent failed and am prompted for my password. I can see my keys in --list-keys, and have checked that they're in the authorized_keys files on all hosts.

ntrippar commented 6 years ago

I totally missed this issue. Are you still seeing this? If yes, I will tell you how to log some info so I can find out why it is happening. Maybe sekey is crashing.

Rudi9719 commented 6 years ago

So I got this issue to come back again. Sorry, I didn't get a notification that you replied. However this time I can give you some more information. This time it broke immediately after an automatic/security update. I tried to generate a new key and added it to a host, tried to SSH in, and it gave me the same error twice before prompting for my password. My email is rudi at nightmare dot haus if you need more logging information and I don't reply here :)

Rudi9719 commented 6 years ago

I did brew cask reinstall, however my old keys survived that, and I still got an error when trying to use them.

ntrippar commented 6 years ago

I will create a new version today with a debug parameter and send you the link. Try running ssh -v and send me the log of what it says when ssh contacts sekey.

Rudi9719 commented 6 years ago

zero:~ gregory$ ssh -v vandort
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/gregory/.ssh/config
debug1: /Users/gregory/.ssh/config line 1: Applying options for *
debug1: /Users/gregory/.ssh/config line 8: Applying options for vandort
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 0.0.0.0 port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/gregory/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u3
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 0.0.0.0:22 as 'gregory'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:NzImIK3P7qOqoPnqbphPAOMQzIfO9iI2BUYlVQ6iRcf
debug1: Host '0.0.0.0' is known and matches the ECDSA host key.
debug1: Found key in /Users/gregory/.ssh/known_hosts:78
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ECDSA SHA256:9kxH8H8CvplSM5no ecdsa-sha2-nistp256
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: ECDSA SHA256:rus4lg5ZCeCsE ecdsa-sha2-nistp256
debug1: Server accepts key: pkalg ecdsa-sha2-nistp256 blen 104
sign_and_send_pubkey: signing failed: communication with agent failed
debug1: Trying private key: /Users/gregory/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/gregory/.ssh/id_dsa
debug1: Trying private key: /Users/gregory/.ssh/id_ecdsa
debug1: Trying private key: /Users/gregory/.ssh/id_ed25519
debug1: Next authentication method: password

Rudi9719 commented 6 years ago

Wow that looks terrible

ntrippar commented 6 years ago

Ok, it seems to be a problem with the communication with the agent. Can you check these two things:

  1. check that the sekey agent is running
ps -ax|grep sekey

it should show /Applications/SeKey.app/Contents/MacOS/sekey --daemon

  2. check the env
env|grep SSH_AUTH_SOCK

here it should be SSH_AUTH_SOCK=/Users/{user}/.sekey/ssh-agent.ssh

Check both of those. Also sorry about the delay in building the verbose version of sekey; I will build it today and also push some other updates.

Rudi9719 commented 6 years ago

754 ?? 0:00.95 /Applications/SeKey.app/Contents/MacOS/sekey --daemon for ps, and SSH_AUTH_SOCK=/Users/gregory/.sekey/ssh-agent.ssh for env

spitfire commented 6 years ago

Same here - process is running, environment variable is set, yet I get the same error.

jtescher commented 6 years ago

Same issue. Installed via homebrew, process running and env var is set. Is there a debug version available? or does the daemon have logs that might help debug further?

ntrippar commented 6 years ago

I need to upload the version that does all the logging. The main issue is that I don't want to ship that version and in a week have to ship another one (and patch every user). @jtescher how can I contact you directly? So I can tell you how to get some info from your system, and I will fix this.

spitfire commented 6 years ago

@ntrippar did you get to contact @jtescher ? If not, I am experiencing the same issue, so if you still need that information, please contact me.

ntrippar commented 6 years ago

@spitfire Yes, I contacted him, but in his case he had already fixed it. Please contact me at ntrippar at gmail.com or via Twitter PM so I can help you fix it (I really want to close this ticket, but until I have a solution that really works I can't).

bolapara commented 5 years ago

Hi there. I'm experiencing a similar issue after my machine was re-imaged by Apple support:

machine:~ user$ RUST_LOG=debug /Applications/SeKey.app/Contents/MacOS/sekey --daemon
Pipe deleted
binding to /Users/user/.sekey/ssh-agent.ssh
DEBUG:ssh_agent::agent: handling new connection
DEBUG:ssh_agent::protocol: reading request
DEBUG:ssh_agent::agent: request: RequestIdentities
DEBUG:ssh_agent::agent: handler: Identities([Identity { key_blob: [snip], key_comment: "ecdsa-sha2-nistp256" }, Identity { key_blob: [snip], key_comment: "ecdsa-sha2-nistp256" }])
DEBUG:ssh_agent::protocol: reading request
DEBUG:ssh_agent::agent: request: SignRequest { pubkey_blob: [snip], data: [snip], flags: 0 }
DEBUG:ssh_agent::agent: handler: Error { details: "Error trying to sign data" }

Installed via brew cask, originally, and restored my time machine backup when I received the repaired machine. I reinstalled via brew cask to see if that fixes it and it did not. Keys are still listed when I do a list-keys.

bolapara commented 5 years ago

As far as ssh itself:

debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:snip agent
debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:snip agent
sign_and_send_pubkey: signing failed: communication with agent failed

Also, I can successfully export the public key and it matches what I already had in my backup.

I built a test version with some print statements in handler.rs not realizing that I'd need to sign the build to use it and unfortunately I don't currently have a way to do that.

ntrippar commented 5 years ago

I found the issue here, and I will resolve it and push the code with the new agent.

So when we are creating the private key we use kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which means:

This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.

https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly?language=objc

Also from the iOS Security Guide:

The class kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
behaves the same as kSecAttrAccessibleWhenUnlocked; however, it is
available only when the device is configured with a passcode. This class
exists only in the system keybag; they:
• Don’t sync to iCloud Keychain
• Aren’t backed up
• Aren’t included in escrow keybags.
If the passcode is removed or reset, the items are rendered useless by
discarding the class keys.

So the main issue is that I also saved the public key in the keychain (this is wrong). I should only keep the references (SecRef) for the private ones, and if the user wants to list, I list the references and generate the public key at the moment the user wants to export it.

I will fix this and also add a note to the README
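
The RUST_LOG trace above shows the agent answering RequestIdentities normally and then failing SignRequest, and the explanation just given is that the public key outlived its Secure Enclave private key in the keychain. That state is different from a socket or SSH_AUTH_SOCK problem, and the cleanest way to tell them apart is to speak the ssh-agent protocol to the socket directly. The script below is an added example, not sekey's code and not from anyone in this thread: it connects to a Unix socket, sends SSH_AGENTC_REQUEST_IDENTITIES, then sends SSH_AGENTC_SIGN_REQUEST for every key the agent listed and reports which keys are listed but cannot sign. The message numbers are the standard ssh-agent protocol values; the in-process fake agent, its two key blobs and the comment strings are constructed for the demo so the script runs offline, and the probe text it asks to sign is arbitrary.

```python
import base64, hashlib, os, socket, struct, tempfile, threading

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
AGENT_FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER = 5, 11, 12
SIGN_REQUEST, SIGN_RESPONSE = 13, 14

def put_string(b):                      # SSH 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):               # -> (value, offset just after the string)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the agent socket")
        buf += chunk
    return buf

def send_msg(sock, payload):            # every agent message is length-prefixed
    sock.sendall(put_string(payload))

def recv_msg(sock):
    return recv_exact(sock, struct.unpack(">I", recv_exact(sock, 4))[0])

def fingerprint(blob):                  # OpenSSH-style SHA256 fingerprint of a key blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()

def request_identities(sock):
    """SSH_AGENTC_REQUEST_IDENTITIES -> [(key_blob, comment), ...]"""
    send_msg(sock, bytes([REQUEST_IDENTITIES]))
    resp = recv_msg(sock)
    if resp[0] != IDENTITIES_ANSWER:
        raise RuntimeError(f"unexpected reply type {resp[0]}")
    count, off, ids = struct.unpack_from(">I", resp, 1)[0], 5, []
    for _ in range(count):
        blob, off = get_string(resp, off)
        comment, off = get_string(resp, off)
        ids.append((blob, comment.decode("utf-8", "replace")))
    return ids

def sign_request(sock, blob, data, flags=0):
    """SSH_AGENTC_SIGN_REQUEST -> signature bytes, or None on SSH_AGENT_FAILURE."""
    send_msg(sock, bytes([SIGN_REQUEST]) + put_string(blob) + put_string(data)
             + struct.pack(">I", flags))
    resp = recv_msg(sock)
    return get_string(resp, 1)[0] if resp[0] == SIGN_RESPONSE else None

def probe_agent(sock_path):
    """[(fingerprint, comment, status)] for every key the agent lists.
    'listed-but-cannot-sign' is the state in this thread: advertised, but sign fails."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        out = []
        for blob, comment in request_identities(s):
            sig = sign_request(s, blob, b"probe data, not a real session id")
            out.append((fingerprint(blob), comment, "signs" if sig else "listed-but-cannot-sign"))
        return out

# Constructed test double (not sekey): answers like the RUST_LOG trace in this thread.
GOOD_BLOB = b"constructed blob whose private key still exists"
ORPHAN_BLOB = b"constructed blob whose private key is gone"

def fake_agent(sock_path):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    def serve():                        # one client; list both keys, sign only with GOOD_BLOB
        conn, _ = srv.accept()
        with srv, conn:
            try:
                while True:
                    req = recv_msg(conn)
                    if req[0] == REQUEST_IDENTITIES:
                        body = struct.pack(">I", 2)
                        for blob in (GOOD_BLOB, ORPHAN_BLOB):
                            body += put_string(blob) + put_string(b"ecdsa-sha2-nistp256")
                        send_msg(conn, bytes([IDENTITIES_ANSWER]) + body)
                    elif req[0] == SIGN_REQUEST and get_string(req, 1)[0] == GOOD_BLOB:
                        send_msg(conn, bytes([SIGN_RESPONSE]) + put_string(b"fake-signature"))
                    else:               # the "Error trying to sign data" path from the trace
                        send_msg(conn, bytes([AGENT_FAILURE]))
            except OSError:
                pass                    # client hung up; we are done
    threading.Thread(target=serve, daemon=True).start()

def demo():                             # probe the fake agent on a temporary socket
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh-agent.ssh")
        fake_agent(path)
        return probe_agent(path)

if __name__ == "__main__":
    target = os.environ.get("SSH_AUTH_SOCK")   # e.g. ~/.sekey/ssh-agent.ssh
    for fp, comment, status in (probe_agent(target) if target else demo()):
        print(fp, comment, status)
```

Run against a real sekey socket, each sign request will trigger a Touch ID prompt for the keys that still have a private key, and the fingerprints it prints can be matched against the SHA256 values in ssh -v's "Offering public key" lines. A key reported as listed-but-cannot-sign is one the agent advertises from the keychain entry alone; the only fix is to delete it and enrol a new key pair on the server side.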

phroggyy commented 3 years ago

@ntrippar what's the status on this now? I'm running into this now, same issue. Server accepts the public key, but sekey fails to sign, same error as above.

martinpaljak commented 3 years ago

The private key not being exportable and thus restorable on a machine reinstall is the expected behavior. You should have procedures in place how to replace "lost" SSH keys and apply it when re-imaging a device. As the public key is stored as "plaintext" data in the keychain, it gets re-initiated, but the private key is lost forever (by design).

phroggyy commented 3 years ago

I've done no reinstall, the key is available in sekey --list-keys and I can export the public key

chrisportela commented 3 years ago

I am having this issue now too. It happens once after seemingly a few hours and then it works fine again.