SSH key not working

I’m trying to set up my VPS. I keep getting the following error when I log in as either root or second user. And if I block password login I lock myself out.

sign_and_send_pubkey: signing failed for RSA "/home/e/.ssh/id_rsa" from agent: agent refused operation

I can see the id_rsa file (and .pub) files on my laptop in the folder above. I can see the authorized key on the VPS terminal under ~/.ssh (and root). But the keys don’t appear to be talking to each other. I’ve changed ownership and permissions and they all seem to have taken.

Any ideas? As far as I am aware I haven’t done anything to keys I shouldn’t have.
Thanks, Emily

Hi Emily. I found LearnLinuxTV to be a useful channel to learn various things related to Linux. Here’s a link to an SSH tutorial that he did. It is rather long but IMO worth the time spent.

Hope this helps you to figure out where the problem lies.

2 Likes

This is very useful. Thanks Midline!

Hasn’t helped me fix it yet but I can see where it is going wrong!

I have found where it is failing…but can’t see why…does anyone have any ideas??? I’ve highlighted the first line that is different from the video Midline sent me.

Only other thing I have done is change permissions on authorized_keys to 0644 instead of 0600 which I came across yesterday. Didn’t do anything for me though!

Thanks,

e@e-Precision-3560:~$ ssh -v root@x.x.x.x
OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1 11 Sep 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/e/.ssh/id_rsa type 0
debug1: identity file /home/e/.ssh/id_rsa-cert type -1
debug1: identity file /home/e/.ssh/id_dsa type -1
debug1: identity file /home/e/.ssh/id_dsa-cert type -1
debug1: identity file /home/e/.ssh/id_ecdsa type -1
debug1: identity file /home/e/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/e/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/e/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/e/.ssh/id_ed25519 type -1
debug1: identity file /home/e/.ssh/id_ed25519-cert type -1
debug1: identity file /home/e/.ssh/id_ed25519_sk type -1
debug1: identity file /home/e/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/e/.ssh/id_xmss type -1
debug1: identity file /home/e/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Ubuntu-5ubuntu1.2
debug1: match: OpenSSH_8.4p1 Ubuntu-5ubuntu1.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to x.x.x.x:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gowH2aBC0EPY5ZyshT2HkQe8MN0WrwdDxMSYmY0rejc
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /home/e/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/e/.ssh/id_rsa RSA SHA256:pEDjOm44TdP4NK+bCILHoVhrETRHyzz5iKkOUd3vtuM agent
debug1: Will attempt key: /home/e/.ssh/id_dsa
debug1: Will attempt key: /home/e/.ssh/id_ecdsa
debug1: Will attempt key: /home/e/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/e/.ssh/id_ed25519
debug1: Will attempt key: /home/e/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/e/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/e/.ssh/id_rsa RSA SHA256:pEDjOm44TdP4NK+bCILHoVhrETRHyzz5iKkOUd3vtuM agent
debug1: Server accepts key: /home/e/.ssh/id_rsa RSA SHA256:pEDjOm44TdP4NK+bCILHoVhrETRHyzz5iKkOUd3vtuM agent
sign_and_send_pubkey: signing failed for RSA "/home/e/.ssh/id_rsa" from agent: agent refused operation
debug1: Trying private key: /home/e/.ssh/id_dsa
debug1: Trying private key: /home/e/.ssh/id_ecdsa
debug1: Trying private key: /home/e/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/e/.ssh/id_ed25519
debug1: Trying private key: /home/e/.ssh/id_ed25519_sk
debug1: Trying private key: /home/e/.ssh/id_xmss
debug1: Next authentication method: password

@TNlass

While I am also pretty new to the SSH capability, I did find an article on the web that seems to solve your problem. I will copy the steps they mention here below:

Run ssh-add command on the client machine to add the SSH key to the agent:

$ ssh-add

If ssh-add causes the message as follows, it means it is required to set more restrictive permissions on the private key file:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0744 for '/home/user/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

To set the proper permissions, execute:

$ chmod 600 /home/user/.ssh/id_rsa

Once the permissions are fixed, the “signing failed: agent refused operation” issue should be solved and you should be able to SSH normally.

I hope this helps,

Michael

I’ll look into this. I didn’t get the warning when I tried ssh-add. Private key is at 600 already. Public key was too but I changed that to 644 to try. But ownership is 700.

Hmmm. More to think about.

Thanks!

Just an update. I got it to work. I had generated the ssh key and during the process I was asked for a passphrase. I put one in. I deleted my key from everywhere and generated a new one without a passphrase.

Midline - I really liked that video. I went back to look at it this morning and caught that he said it is a good idea to use a passphrase but he didn’t actually put one in.

mva - I’m all caught up on my permissions codes now!

1 Like
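
The `ssh -v` log posted earlier in the thread shows where authentication stopped (the server accepted the key, then the local agent refused to sign), and the last post ties the failure to the key's passphrase. The shell script below is an added example, not part of any post in the thread: it classifies `ssh -v` output by that stopping point and checks whether a private key file is passphrase-protected. The function names, verdict labels and sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verdict labels and function names are this example's own.

# Read `ssh -v` output on stdin; print where public-key authentication stopped.
classify_ssh_debug() {
    awk '
        /^debug1: Offering public key:/ { offered = 1 }
        /^debug1: Server accepts key:/  { accepted = 1 }
        /^sign_and_send_pubkey: signing failed/ {
            sign_failed = 1
            if ($0 ~ /from agent/) via_agent = 1
        }
        /^debug1: Authentication succeeded \(publickey\)/ { ok = 1 }
        END {
            if (ok)                            print "ok"
            else if (!offered)                 print "no-key-offered"
            else if (!accepted)                print "server-rejected-key"
            else if (sign_failed && via_agent) print "client-agent-signing"
            else if (sign_failed)              print "client-key-signing"
            else                               print "unknown"
        }'
}

# Exit 0: key does not load with an empty passphrase (passphrase-protected,
# or rejected by ssh-keygen for another reason such as open permissions).
# Exit 1: key loads without a passphrase. Exit 2: file is not readable.
key_needs_passphrase() {
    [ -r "$1" ] || return 2
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Constructed sample: the decisive lines of the log in the thread, with the
# fingerprint replaced by a placeholder.
sample_log() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /home/e/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
debug1: Server accepts key: /home/e/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
sign_and_send_pubkey: signing failed for RSA "/home/e/.ssh/id_rsa" from agent: agent refused operation
debug1: Next authentication method: password
EOF
}

echo "verdict: $(sample_log | classify_ssh_debug)"
```

A `client-agent-signing` verdict means the entry in `authorized_keys` on the server already matched, so the remaining checks are on the client: the key's passphrase and what `ssh-add -l` reports.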