Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

knife bootstrap failed with ssh_agent_signing enabled in config.rb #9017

shanyungyang opened this issue Oct 23, 2019 · 4 comments


Copy link

@shanyungyang shanyungyang commented Oct 23, 2019


When ssh_agent_signing is enabled in config.rb, knife bootstrap will result in authentication error. However, turning off ssh_agent_signing and using a RSA private key in client_key work totally fine.

Chef Version

14.14.25 as well as 15.4.45

Platform Version

Debian 10.1 Buster

Replication Case

Enable ssh_agent_signing in config.rb as following, and run a validatorless bootstrap for some node.

client_key        "#{ENV['HOME']}/.chef/my-public-key.pem"
ssh_agent_signing true

Client Output

$ knife bootstrap -N chef-test-1 -U root -r 'recipe[chef-client]' -V
Connecting to
The authenticity of host ' ()' can't be established.
fingerprint is SHA256:hHtoY5Qa0mo+0W+6BBPH+OAgOJ+M0Xw/19GwCwr2eIE.

Are you sure you want to continue connecting
? (Y/N) y
Connecting to
Creating new client for chef-test-1
Creating new node for chef-test-1
ERROR: Mixlib::Authentication::AuthenticationError: Unable to sign request with ssh-agent. Make sure your key is loaded with ssh-add: Net::SSH::Authentication::AgentError agent could not sign data with requested identity)

Bug Trace

This bugs happens in Chef::Knife::Bootstrap::ClientBuilder. When bootstrapping a new node, a new client key is created and assigned to its rest API object.

def client_rest
@client_rest ||=, client_name: node_name, signing_key_filename: client_path)

Since the client key is newly generated with private part, this ServerAPI object should not use SSH agent to sign its request. However there is no way to tell ServerAPI not to enable SSH agent signing during initialization. It always accepts the configured value.

def initialize(url = Chef::Config[:chef_server_url], options = {})
# # If making a change here, also update Chef::Knife::Raw::RawInputServerAPI.
options[:client_name] ||= Chef::Config[:node_name]
options[:raw_key] ||= Chef::Config[:client_key_contents]
options[:signing_key_filename] ||= Chef::Config[:client_key] unless options[:raw_key]
options[:ssh_agent_signing] ||= Chef::Config[:ssh_agent_signing]
options[:signing_key_filename] = nil if chef_zero_uri?(url)
options[:inflate_json_class] = false
super(url, options)


This comment has been minimized.

Copy link

@vsingh-msys vsingh-msys commented Oct 23, 2019

Hey @shanyungyang thanks for reporting the issue.

We have added ssh-agent support from chef-14.2+ onwards.

Could you please go through the blog if you missing something?


This comment has been minimized.

Copy link

@lamont-granquist lamont-granquist commented Oct 23, 2019

@vsingh-msys the problem here is that validatorless bootstrapping is being used and the generated client is the one that will be sent to the remote host. It has just been created on the client and we don't publish that into the ssh-agent. It gets used, however, by the validatorless bootstrapping to setup the node via that Chef::ServerAPI object. That one particular ServerAPI object needs to never do ssh-agent signing.


This comment has been minimized.

Copy link

@shanyungyang shanyungyang commented Oct 23, 2019

Hi @vsingh-msys

Yes I think my ssh-agent setup is correct, since every knife sub-command works fine except bootstrap.


This comment has been minimized.

Copy link

@vsingh-msys vsingh-msys commented Oct 23, 2019

Got it 👍 thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.