Yubikey + SSH Keys + xubuntu

From OISecWiki

So I have a Yubikey with my SSH private key on it, protected by a PIN.

When trying to SSH to a host on xubuntu with the Yubikey plugged into its USB port, ssh won't use the key. It does find the key, but it exits every time with the error "sign_and_send_pubkey: signing failed for ECDSA-SK "" from agent: agent refused operation".

A post[1] on superuser.com has a potential fix. The problem is that the ssh-agent doesn't know how to ask you for your PIN.

The fix is to make sure ssh-agent knows how to execute 'ssh-askpass' (you might need to apt-get install it first), so it can prompt for the PIN. The agent reads SSH_ASKPASS from its own environment, so the variable has to be exported before the agent is started. When running the following, everything starts to work:

export SSH_ASKPASS=/usr/bin/ssh-askpass   # set before starting the agent so the agent inherits it
eval "$(ssh-agent -s)"

However, if you want this to be permanent, you would put it in your .bashrc or .profile.

To prevent multiple ssh-agents running when opening multiple terminals (.bashrc gets run every time you open a terminal), I decided to put it in .profile. And here is where it goes wrong.

Apparently gnome-keyring-daemon runs after .profile has been executed and forks its own ssh-agent. This overwrites the SSH_AUTH_SOCK environment variable, and we're stuck again with the gnome-keyring-daemon ssh-agent, which does not know how to execute ssh-askpass.

On xubuntu you need to do the following:

  1. Open xfce4-session-settings
  2. Go to the tab 'advanced'
  3. Disable 'Launch GNOME services on startup'
  4. Restart your system (a logout will still keep systemd running all backend services)

After the restart and login everything works. You might still see gnome-keyring-daemon running, but it will no longer interfere with the ssh-agent started from your .profile. However, this disables all gnome-keyring services, so applications that rely on it can no longer store secrets. A better way to do this is the following:

Create the following files in ~/.config/autostart:

  • gnome-keyring-pkcs11.desktop
  • gnome-keyring-secrets.desktop

Their content should be:

[Desktop Entry]
X-XFCE-Autostart-Override=true

Now create a third file called gnome-keyring-ssh.desktop. Its contents should be:

[Desktop Entry]
Type=Application
Name=SSH Key Agent
Hidden=true
X-GNOME-Autostart-enabled=false

Now disable the gnome services in xfce4-session-settings as above, or execute the following command:

xfconf-query -c xfce4-session -p /compat/LaunchGNOME -t 'bool' -s 'false'

In some forum posts I've seen that adding the gnome-keyring-ssh.desktop file also works for GNOME. I've posted this fix on reddit, so follow that one to see if it also works for GNOME.

After all of this you should add the ssh-agent lines to your .profile, and everything should work (a reboot might be necessary).

Now you could move the ssh-agent execution to .bashrc, but then in GNOME it would spin up an ssh-agent per terminal and you would have to run ssh-add -K in every terminal. Of course, disabling gnome-keyring completely is one working option, but this will potentially also break other things.
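The whole procedure above, collected into one script, as an added example that is not part of the original wiki page. It assumes the autostart directory is ~/.config/autostart as described (overridable through a hypothetical AUTOSTART_DIR variable so it can be tried in a scratch directory first), that ssh-askpass is installed at /usr/bin/ssh-askpass, and that xfconf-query is available. The .profile part only starts a new agent when ssh-add cannot reach one, which avoids the one-agent-per-terminal problem mentioned in the last paragraph.

```shell
#!/bin/sh
# Added example, not the wiki author's own script.
# AUTOSTART_DIR is an assumed override for testing; the page uses ~/.config/autostart.

# Write the two override files that keep the pkcs11 and secrets services running
# after 'Launch GNOME services on startup' is disabled, plus the third file that
# switches off only gnome-keyring's ssh-agent component.
write_keyring_overrides() {
    mkdir -p "$1"
    for svc in pkcs11 secrets; do
        cat > "$1/gnome-keyring-$svc.desktop" <<'EOF'
[Desktop Entry]
X-XFCE-Autostart-Override=true
EOF
    done
    cat > "$1/gnome-keyring-ssh.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=SSH Key Agent
Hidden=true
X-GNOME-Autostart-enabled=false
EOF
}

# Check that all three files exist with the keys that matter; non-zero exit otherwise.
check_overrides() {
    grep -qs '^X-XFCE-Autostart-Override=true$' "$1/gnome-keyring-pkcs11.desktop" || return 1
    grep -qs '^X-XFCE-Autostart-Override=true$' "$1/gnome-keyring-secrets.desktop" || return 1
    grep -qs '^Hidden=true$' "$1/gnome-keyring-ssh.desktop" || return 1
    grep -qs '^X-GNOME-Autostart-enabled=false$' "$1/gnome-keyring-ssh.desktop" || return 1
    return 0
}

# The part that belongs in ~/.profile: export SSH_ASKPASS first so the agent
# inherits it, and start an agent only when none is reachable
# (ssh-add -l exits with 2 when it cannot contact an agent).
start_ssh_agent_with_askpass() {
    export SSH_ASKPASS=/usr/bin/ssh-askpass
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Usage: sh this-script.sh --install
if [ "${1:-}" = "--install" ]; then
    dir="${AUTOSTART_DIR:-$HOME/.config/autostart}"
    write_keyring_overrides "$dir"
    # Same effect as unticking 'Launch GNOME services on startup' in xfce4-session-settings.
    xfconf-query -c xfce4-session -p /compat/LaunchGNOME -t 'bool' -s 'false'
    check_overrides "$dir" && echo "overrides written to $dir; add start_ssh_agent_with_askpass to ~/.profile and reboot"
fi
```

Run it with --install on the xubuntu machine; after a reboot, check that $SSH_AUTH_SOCK points at the agent started from .profile rather than the gnome-keyring socket, and that ssh prompts for the PIN through ssh-askpass.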