Yubikey + SSH Keys + xubuntu
So I have a YubiKey with my SSH private key on it, protected with a PIN.
When trying to SSH to a host on xubuntu with my YubiKey in its USB port, ssh won't use the key. It does find the key, but it exits every time with the error "sign_and_send_pubkey: signing failed for ECDSA-SK "" from agent: agent refused operation".
A post[1] on superuser.com has a potential fix. The problem is that the ssh-agent doesn't know how to ask you for your PIN.
The fix is to make sure ssh-agent knows how to execute 'ssh-askpass' (you might need to apt-get install it first), so it can ask for the PIN. When running the following, everything starts to work:
eval "$(SSH_ASKPASS=/usr/bin/ssh-askpass ssh-agent -s)"
However, if you want this to be permanent, you would try to put it in your .bashrc or .profile.
To prevent multiple ssh-agents running when opening multiple terminals (.bashrc gets run every time you open a terminal), I decided to put it in .profile. And here is where it goes wrong.
Apparently gnome-keyring-daemon runs after .profile has been executed and forks its own ssh-agent. This overwrites the SSH_AUTH_SOCK environment variable, and we're stuck again with the gnome-keyring-daemon ssh-agent, which does not know how to execute ssh-askpass. Apparently when running normal Ubuntu with full GNOME this isn't a problem, because it will generate the ssh-askpass popup and ask for the PIN.
On xubuntu you need to do the following:
- Open xfce4-session-settings
- Go to the tab 'advanced'
- Disable 'Launch GNOME services on startup'
- Restart your system (a logout will still keep systemd running all backend services)
After the restart and login everything works. You might still see gnome-keyring-daemon running, but it will no longer interfere with the ssh-agent started from your .profile.
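To confirm after login which agent the session actually ended up with, the check below is an added example, not part of the original post. The socket path patterns (gnome-keyring under a `keyring` directory, OpenSSH's agent under `/tmp/ssh-*/agent.*`) and the function names are assumptions about default setups.

```shell
#!/bin/sh
# Added example: diagnose why the agent cannot ask for the YubiKey PIN.
# Assumed default socket locations:
#   gnome-keyring:  $XDG_RUNTIME_DIR/keyring/ssh  (older: .../keyring-XXXX/ssh)
#   OpenSSH agent:  /tmp/ssh-XXXXXXXXXX/agent.<pid>

# classify_agent_sock PATH -> gnome-keyring | openssh-agent | unknown | unset
classify_agent_sock() {
    case "$1" in
        "")                            echo unset ;;
        */keyring/ssh|*/keyring-*/ssh) echo gnome-keyring ;;
        */ssh-*/agent.*)               echo openssh-agent ;;
        *)                             echo unknown ;;
    esac
}

# check_pin_prompt SOCK ASKPASS DISPLAY
# Prints one finding per line; returns 0 only when every check passes.
# (POSIX sh has no 'local', so the variables below are global.)
check_pin_prompt() {
    sock=$1; askpass=$2; display=$3; rc=0
    kind=$(classify_agent_sock "$sock")
    echo "agent: $kind ($sock)"
    if [ "$kind" != openssh-agent ]; then
        echo "FAIL: SSH_AUTH_SOCK does not point at the ssh-agent from .profile"
        rc=1
    fi
    if [ ! -x "$askpass" ]; then
        echo "FAIL: askpass helper '$askpass' is missing or not executable"
        rc=1
    fi
    if [ -z "$display" ]; then
        echo "FAIL: DISPLAY is empty, an X11 askpass has nowhere to open a window"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: agent should be able to ask for the PIN"
    return "$rc"
}

# Check the current session; '|| true' keeps the script usable when sourced.
check_pin_prompt "${SSH_AUTH_SOCK:-}" \
    "${SSH_ASKPASS:-/usr/bin/ssh-askpass}" "${DISPLAY:-}" || true
```

If the first line still reports `gnome-keyring` after the reboot, the 'Launch GNOME services on startup' setting has not taken effect for the session.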