SSH: Agent Refused Operation #105

Open
bitmage opened this issue Oct 15, 2021 · 15 comments

@bitmage

bitmage commented Oct 15, 2021

I have the following two devices:

  • Yubikey Nano | Firmware 5.12
  • Yubikey 5C NFC | Firmware 5.2.7

My laptop is running Manjaro Linux (Kernel 5.10.70).

Steps taken:

  1. I have run yubikey-agent -setup on each hardware device. No problems, received a public key for each.
  2. I placed the public keys for both of them in the .ssh/authorized_keys file on remoteserver
  3. I added IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock to the .ssh/config entry for remoteserver on my laptop.
  4. yubikey-agent is running and bound to the above socket.

# Yubikey Nano | Firmware 5.12
$ ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #XXXXXXXX PIV Slot 9a" from agent: agent refused operation
(user@192.168.1.38) Password:

# Yubikey 5C NFC | Firmware 5.2.7
ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #YYYYYYYY PIV Slot 9a" from agent: agent refused operation
(user@192.168.1.38) Password:

I'm on Manjaro, and the yubikey-agent logs are getting dumped into the syslogs. Is there a way to configure where the logs go?

With journalctl | grep yubikey-agent I see:

Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 Reconnecting to the YubiKey...
Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 agent 11: could not reach YubiKey: selecting piv applet: command failed: transmitting request: an attempt was made to end a non-existent transaction
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 Reconnecting to the YubiKey...
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 Reconnecting to the YubiKey...
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

I'm not really sure what else to do with this. Did I miss a step? At what point is it supposed to ask me for pin entry? I'm surprised also that it is using ECC with the 5.12 firmware device which is said not to support ECC. I'm not sure how the key generation succeeded there.

@bitmage
Author

bitmage commented Oct 15, 2021

Maybe related: #6, #32

@deuill
Contributor

deuill commented Oct 18, 2021

There was a recent upgrade to the piv-go dependency, from which these error messages originate. Does this still fail against the latest version (you'll need to have Go installed and do go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718 to get the specific version)?

@terrell-r

terrell-r commented Oct 19, 2021

I'm in the same boat, as a temporary workaround run:
eval `ssh-agent`

  • markdown, back ticks around ssh-agent

@KristijanL

I got two devices
YubiKey 5C NFC
Firmware: 5.4.3

ssh user@server.test
sign_and_send_pubkey: signing failed for RSA "YubiKey #17110102 PIV Slot 9a" from agent: agent refused operation
user@server.test: Permission denied (publickey).

YubiKey NEO
Firmware: 3.4.3

ssh user@server.test
Linux server.test 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64
Last login: Wed Nov 17 06:21:51 2021 from user.test

I have tested with the filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718 - still the same issue, just with the 5C NFC device.

@Spitfireap

Hi,

Same issue here with a Yubikey 5 NFC. Firmware is 5.4.3.

systemctl --user status yubikey-agent shows this error:

déc. 07 18:27:34 Desktop yubikey-agent[1852]: 2021/12/07 18:27:34 Reconnecting to the YubiKey...
déc. 07 18:27:42 Desktop yubikey-agent[1852]: 2021/12/07 18:27:42 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

It did work when I set it up... :/

@Spitfireap

Spitfireap commented Dec 9, 2021

After some tests, a reboot doesn't solve the issue, but disabling and re-enabling the yubikey-agent service seems to work?! I'll try to do more in-depth testing :).

@aaomidi

aaomidi commented Mar 16, 2022

Same issue here, restarting & disable/enabling the yubikey-agent did not solve the problem.

@aaomidi

aaomidi commented Mar 16, 2022

I've built from main and now the error I get is:

agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "

@Spitfireap

Try this: open a terminal, unplug your Yubikey, replug, wait a few seconds and replug. It works for me. It was GPG agent that was hijacking the key.

@smlx

smlx commented Mar 17, 2022

If gpg-agent is taking a transaction you might be able to stop it doing that by adding disable-scdaemon to gpg-agent.conf.

@sebastianblunt

I'm running into this issue only when running yubikey-agent using systemd. If I stop the systemd service and run yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock from a terminal then it works correctly. I got it working by adding

Environment="DISPLAY=:0"
Environment="XAUTHORITY=/home/sebastian/.Xauthority"

to the systemd service. Not sure why it wasn't able to pick that up automatically or if there's a cleaner way to solve the issue.

Probably also related to #92.

@fosskers

I get the error even when running yubikey-agent manually. I'm also told this (directly from the agent):

2022/09/15 10:49:25 agent 27: ssh: parse error in message type 27
2022/09/15 10:49:25 Connecting to the YubiKey...
2022/09/15 10:49:26 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

@NA3

NA3 commented Oct 12, 2022

go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718

This has solved my issue.

@upsj

upsj commented Jul 11, 2023

My workaround (WSL2 + Ubuntu on Windows) for this issue (or a related one, I also got the S ERROR curses.isatty 83918950 error) was to install pinentry-gtk-2 and fake a TTY and display for it by adding the following two environment variables to its systemd config:

[Service]
Environment=DISPLAY=:0
Environment=GPG_TTY=/dev/pts/1

@mutlusun

mutlusun commented Feb 9, 2024

Hello,

I encountered the same errors (S ERROR curses.isatty 83918950 and connecting to smart card: the smart card cannot be accessed because of other connections outstanding). Thanks for providing help here!

In my case, yubikey-agent worked fine after enabling/disabling the service or a restart of the service after a reboot. I came to the conclusion that some resource seems not to be available at the start of the service. I tried pcscd.socket and pcscd.service and they are not the problem.

However, the following line in the service file helped:

[Service]
ExecStartPre=/bin/sleep 10

After that everything works fine. I don't understand what resource might be missing as the yubikey-agent service starts in user context, so everything else should already be started.
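
The log lines quoted across this thread fall into two recurring classes: the smart card being held by another process, and pinentry being started without a terminal or display. The script below is an added example, not part of any comment above and not yubikey-agent's own code; it sorts agent log lines into those classes and prints the workarounds commenters reported. The function names are hypothetical, and the sample input is copied from the excerpts posted in this thread.

```shell
#!/bin/sh
# Added example: classify yubikey-agent log lines into the failure classes
# reported in this thread. Function names are hypothetical.
# Usage: journalctl | grep yubikey-agent | triage_yubikey_agent_log

# Reads log text on stdin and prints one summary line of counts.
triage_yubikey_agent_log() {
    awk '
        # Card held by another PC/SC client (commenters found gpg-agent).
        /other connections outstanding|non-existent transaction/ { busy++; next }
        # pinentry could not open a terminal or display for the PIN prompt.
        /pin prompt:.*(Inappropriate ioctl for device|curses\.isatty)/ { notty++; next }
        # Any other "agent NN:" error is counted but left unclassified.
        /agent [0-9]+: / { other++ }
        END { printf "card-busy=%d pinentry-no-tty=%d unclassified=%d\n", busy, notty, other }
    '
}

# Maps a summary line to the workarounds commenters reported for each class.
suggest_from_summary() {
    case "$1" in
        *"card-busy=0 "*) ;;
        *) echo "card-busy: replug the key; add disable-scdaemon to gpg-agent.conf" ;;
    esac
    case "$1" in
        *"pinentry-no-tty=0 "*) ;;
        *) echo "pinentry-no-tty: set DISPLAY (plus XAUTHORITY or GPG_TTY) in the systemd unit" ;;
    esac
}

# Sample input: log lines copied from the excerpts posted in this thread.
SAMPLE_LOG='Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 Reconnecting to the YubiKey...
Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 agent 11: could not reach YubiKey: selecting piv applet: command failed: transmitting request: an attempt was made to end a non-existent transaction
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "
2022/09/15 10:49:25 agent 27: ssh: parse error in message type 27'

summary=$(printf '%s\n' "$SAMPLE_LOG" | triage_yubikey_agent_log)
echo "$summary"
suggest_from_summary "$summary"
```

A line that lands in the unclassified count, such as the `parse error in message type 27` report, matches neither class and needs to be read on its own.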
