Authorization fails when using an ssh-agent #189

Open
eminence opened this issue Sep 22, 2023 · 4 comments


eminence commented Sep 22, 2023

I'm trying to use a key loaded into an ssh-agent for authentication. This is not working. However, the key works when loaded from disk using load_secret_key.

I generated a new RSA key with ssh-keygen.

Here's the fingerprint of the key:

❯ ssh-keygen -lf lxd_deleteme
2048 SHA256:dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8 lxd@lin-lxd01sim (RSA)

I've also loaded it into an ssh-agent. The ssh-agent reports the identical fingerprint:

❯ ssh-add -l
2048 SHA256:dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8 ./lxd_deleteme (RSA)

I'm connecting to the ssh-agent like this:

let mut agent = russh_keys::agent::client::AgentClient::connect_env().await.unwrap();
let mut identities = agent.request_identities().await.unwrap();
assert_eq!(identities.len(), 1); 
let id = identities.pop().unwrap();
println!("Key from ssh-agent: {} {}", id.name(), id.fingerprint());

And I'm loading the key from disk like this:

let key_pair = load_secret_key("lxd_deleteme", None).unwrap();

I first try authentication using authenticate_future and then fall back to authenticate_publickey.

Here's what the full code looks like:

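use std::sync::Arc;

use russh_keys::load_secret_key;

#[tokio::main]
async fn main() {
    env_logger::init();
    let config = russh::client::Config::default();
    let config = Arc::new(config);
    // `Client` is the russh client handler type; its definition is not included in this snippet.
    let sh = Client {};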
    let host = "127.0.0.1";

    let mut agent = russh_keys::agent::client::AgentClient::connect_env().await.unwrap();
    let mut identities = agent.request_identities().await.unwrap();

    assert_eq!(identities.len(), 1);
    let id = identities.pop().unwrap();
    println!("Key from ssh-agent: {} {}", id.name(), id.fingerprint());

    let key_pair = load_secret_key("lxd_deleteme", None).unwrap();
    if let russh_keys::key::KeyPair::RSA { key, hash } = &key_pair {
        println!("Key loaded from disk: hash={hash:?}");
    }

    let mut session = russh::client::connect(config, (host, 22), sh).await.unwrap();
    println!("Connected!");

    // first try with agent auth
    let (_, auth_res) = session.authenticate_future("root", id, agent).await;
    let auth_res = auth_res.unwrap();
    dbg!(auth_res);
    if !auth_res {
        println!("Auth failed using ssh-agent, trying key from disk");
    }
    let auth_res = session
        .authenticate_publickey("root", Arc::new(key_pair))
        .await
        .unwrap();
    dbg!(auth_res);

    println!("=== auth: {}", auth_res);
}

And here's the output:

Key from ssh-agent: rsa-sha2-512 dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8
Key loaded from disk: hash=SHA2_256
check_server_key: e17SK8zBaPtvQBpIcnt534kbxe2Mhi0tr5XOc/FUR/E
Connected!
src/main.rs:52] auth_res = false
Auth failed using ssh-agent, trying key from disk
src/main.rs:60] auth_res = true
=== auth: true 

Any suggestions about what's going wrong, or how to debug this?

Version info

I'm using russh e5f1224

Author

eminence commented Oct 6, 2023

I'm not familiar with russh's code, but I'm hoping to find some time to dig into this issue in the coming weeks. If anyone has any hints about how to debug this, please let me know.

Member

Eugeny commented Oct 6, 2023

Running with RUST_LOG=debug should give a detailed trace of what's going on.

Author

eminence commented Oct 6, 2023

I tried that, but unfortunately the result wasn't that enlightening to me. Would it be useful if I uploaded the debug traces to this issue, though?

Member

Eugeny commented Oct 6, 2023

Definitely!
