yubikey-agent
SSH: Agent Refused Operation
I have the following two devices:
- Yubikey Nano | Firmware 5.12
- Yubikey 5C NFC | Firmware 5.2.7
My laptop is running Manjaro Linux (Kernel 5.10.70).
Steps taken:
- I have run `yubikey-agent -setup` on each hardware device. No problems, received a public key for each.
- I placed the public keys for both of them in the `.ssh/authorized_keys` file on `remoteserver`.
- I added `IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock` to the `.ssh/config` entry for `remoteserver` on my laptop.
- `yubikey-agent` is running and bound to the above socket.
# Yubikey Nano | Firmware 5.12
$ ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #XXXXXXXX PIV Slot 9a" from agent: agent refused operation
([email protected]) Password:
# Yubikey 5C NFC | Firmware 5.2.7
ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #YYYYYYYY PIV Slot 9a" from agent: agent refused operation
([email protected]) Password:
I'm on Manjaro, and the `yubikey-agent` logs are getting dumped into the syslogs. Is there a way to configure where the logs go?
With `journalctl | grep yubikey-agent` I see:
Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 Reconnecting to the YubiKey...
Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 agent 11: could not reach YubiKey: selecting piv applet: command failed: transmitting request: an attempt was made to end a non-existent transaction
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 Reconnecting to the YubiKey...
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 Reconnecting to the YubiKey...
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
I'm not really sure what else to do with this. Did I miss a step? At what point is it supposed to ask me for pin entry? I'm surprised also that it is using ECC with the 5.12 firmware device which is said not to support ECC. I'm not sure how the key generation succeeded there.
Maybe related: https://github.com/FiloSottile/yubikey-agent/issues/6, https://github.com/FiloSottile/yubikey-agent/issues/32
There was a recent upgrade to the `piv-go` dependency, from which these error messages originate. Does this still fail against the latest version (you'll need to have Go installed and do `go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718` to get the specific version)?
I'm in the same boat, as a temporary workaround run:
eval ssh-agent
- markdown, back ticks around ssh-agent
I got two devices:
YubiKey 5C NFC Firmware: 5.4.3
ssh [email protected]
sign_and_send_pubkey: signing failed for RSA "YubiKey #17110102 PIV Slot 9a" from agent: agent refused operation
[email protected]: Permission denied (publickey).
YubiKey NEO Firmware: 3.4.3
ssh [email protected]
Linux server.test 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64
Last login: Wed Nov 17 06:21:51 2021 from user.test
I have tested with `filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718` - still the same issue, just with the 5C NFC device.
Hi,
same issue here with a Yubikey 5 NFC. Firmware is 5.4.3.
`systemctl --user status yubikey-agent` shows this error:
déc. 07 18:27:34 Desktop yubikey-agent[1852]: 2021/12/07 18:27:34 Reconnecting to the YubiKey...
déc. 07 18:27:42 Desktop yubikey-agent[1852]: 2021/12/07 18:27:42 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
It did work when I set it up... :/
After some tests, a reboot doesn't solve the issue, but disabling and re-enabling the yubikey-agent service seems to work?! I'll try to do more in-depth testing :).
Same issue here, restarting & disable/enabling the yubikey-agent did not solve the problem.
I've built from `main` and now the error I get is:
agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "
Try this: open a terminal, unplug your Yubikey, replug, wait a few seconds and replug. It works for me. It was GPG agent that was hijacking the key.
If `gpg-agent` is taking a transaction you might be able to stop it doing that by adding `disable-scdaemon` to `gpg-agent.conf`.
I'm running into this issue only when running yubikey-agent using systemd. If I stop the systemd service and run `yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock` from a terminal then it works correctly. I got it working by adding
Environment="DISPLAY=:0"
Environment="XAUTHORITY=/home/sebastian/.Xauthority"
to the systemd service. Not sure why it wasn't able to pick that up automatically or if there's a cleaner way to solve the issue.
Probably also related to #92.
I get the error even when running `yubikey-agent` manually. I'm also told this (directly from the agent):
2022/09/15 10:49:25 agent 27: ssh: parse error in message type 27
2022/09/15 10:49:25 Connecting to the YubiKey...
2022/09/15 10:49:26 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718
This has solved my issue.
My workaround (WSL2 + Ubuntu on Windows) for this issue (or a related one, I also got the `S ERROR curses.isatty 83918950` error) was to install `pinentry-gtk-2` and fake a TTY and display for it by adding the following two environment variables to its systemd config:
[Service]
Environment=DISPLAY=:0
Environment=GPG_TTY=/dev/pts/1
Hello,
I encountered the same errors (`S ERROR curses.isatty 83918950` and `connecting to smart card: the smart card cannot be accessed because of other connections outstanding`). Thanks for providing help here!
In my case, yubikey-agent worked fine after enabling/disabling the service or a restart of the service after a reboot. I came to the conclusion that some resource seems not to be available at the start of the service. I tried `pcscd.socket` and `pcscd.service` and they are not the problem.
However, the following line in the service file helped:
[Service]
ExecStartPre=/bin/sleep 10
After that everything works fine. I don't understand what resource might be missing as the yubikey-agent service starts in user context, so everything else should already be started.
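
Added example, not part of any comment above and not code from the yubikey-agent project: a triage helper that sorts the three log signatures quoted in this thread into the workaround commenters reported for them. The function names, cause labels and the pairing of each signature with a hint are assumptions made for illustration; the sample lines are constructed from the logs quoted above.

```shell
#!/bin/sh
# Added example. Hints summarize workarounds reported by commenters in this
# thread; pairing each log signature with a hint is an assumption.

# Reads yubikey-agent log lines on stdin; prints "cause<TAB>count<TAB>hint".
classify_agent_log() {
    awk '
    /pin prompt:.*(Inappropriate ioctl for device|curses\.isatty)/ { hit["pinentry-no-tty"]++ }
    /other connections outstanding/  { hit["card-busy"]++ }
    /end a non-existent transaction/ { hit["stale-transaction"]++ }
    END {
        hint["pinentry-no-tty"] = "pinentry has no terminal or display: set DISPLAY (plus XAUTHORITY or GPG_TTY) in the systemd unit"
        hint["card-busy"] = "another process holds the card: check gpg-agent (disable-scdaemon), replug, or delay service start"
        hint["stale-transaction"] = "error raised in piv-go: retest with the yubikey-agent build pinned in the thread"
        # Fixed output order, because awk for-in iteration order is undefined.
        n = split("pinentry-no-tty card-busy stale-transaction", order, " ")
        for (i = 1; i <= n; i++)
            if (hit[order[i]] > 0)
                printf "%s\t%d\t%s\n", order[i], hit[order[i]], hint[order[i]]
    }'
}

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
    cat <<'EOF'
2021/10/15 13:30:09 Reconnecting to the YubiKey...
2021/10/15 13:30:09 agent 11: could not reach YubiKey: selecting piv applet: command failed: transmitting request: an attempt was made to end a non-existent transaction
2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "
EOF
}

sample_log | classify_agent_log
```

On a live system the same function can be fed from the command used in the original report: `journalctl | grep yubikey-agent | classify_agent_log`.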