
SSH: Agent Refused Operation

Open bitmage opened this issue 2 years ago • 15 comments

I have the following two devices:

  • Yubikey Nano | Firmware 5.12
  • Yubikey 5C NFC | Firmware 5.2.7

My laptop is running Manjaro Linux (Kernel 5.10.70).

Steps taken:

  1. I have run yubikey-agent -setup on each hardware device. No problems, received a public key for each.
  2. I placed the public keys for both of them in the .ssh/authorized_keys file on remoteserver.
  3. I added IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock to the .ssh/config entry for remoteserver on my laptop.
  4. yubikey-agent is running and bound to the above socket.

# Yubikey Nano | Firmware 5.12
$ ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #XXXXXXXX PIV Slot 9a" from agent: agent refused operation
([email protected]) Password:

# Yubikey 5C NFC | Firmware 5.2.7
ssh remoteserver
sign_and_send_pubkey: signing failed for ECDSA "YubiKey #YYYYYYYY PIV Slot 9a" from agent: agent refused operation
([email protected]) Password:

I'm on Manjaro, and the yubikey-agent logs are getting dumped into the syslogs. Is there a way to configure where the logs go?

With journalctl | grep yubikey-agent I see:

Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 Reconnecting to the YubiKey...
Oct 15 13:30:09 laptop yubikey-agent[77531]: 2021/10/15 13:30:09 agent 11: could not reach YubiKey: selecting piv applet: command failed: transmitting request: an attempt was made to end a non-existent transaction
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 Reconnecting to the YubiKey...
Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 Reconnecting to the YubiKey...
Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

I'm not really sure what else to do with this. Did I miss a step? At what point is it supposed to ask me for pin entry? I'm surprised also that it is using ECC with the 5.12 firmware device which is said not to support ECC. I'm not sure how the key generation succeeded there.

bitmage avatar Oct 15 '21 20:10 bitmage

Maybe related: https://github.com/FiloSottile/yubikey-agent/issues/6, https://github.com/FiloSottile/yubikey-agent/issues/32

bitmage avatar Oct 15 '21 20:10 bitmage

There was a recent upgrade to the piv-go dependency, from which these error messages originate. Does this still fail against the latest version (you'll need to have Go installed and do go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718 to get the specific version)?

deuill avatar Oct 18 '21 11:10 deuill

I'm in the same boat. As a temporary workaround, run: eval `ssh-agent`

terrell-r avatar Oct 19 '21 03:10 terrell-r

I got two devices:

YubiKey 5C NFC Firmware: 5.4.3

ssh [email protected]
sign_and_send_pubkey: signing failed for RSA "YubiKey #17110102 PIV Slot 9a" from agent: agent refused operation
[email protected]: Permission denied (publickey).

YubiKey NEO Firmware: 3.4.3

ssh [email protected]
Linux server.test 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64
Last login: Wed Nov 17 06:21:51 2021 from user.test

I have tested with filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718 - still the same issue, just with the 5C NFC device.

KristijanL avatar Nov 24 '21 11:11 KristijanL

Hi,

same issue here with a Yubikey 5 NFC. Firmware is 5.4.3.

systemctl --user status yubikey-agent shows this error:

déc. 07 18:27:34 Desktop yubikey-agent[1852]: 2021/12/07 18:27:34 Reconnecting to the YubiKey...
déc. 07 18:27:42 Desktop yubikey-agent[1852]: 2021/12/07 18:27:42 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

It did work when I set it up... :/

Spitfireap avatar Dec 07 '21 17:12 Spitfireap

After some testing, a reboot doesn't solve the issue, but disabling and re-enabling the yubikey-agent service seems to work?! I'll try to do more in-depth testing :).

Spitfireap avatar Dec 09 '21 19:12 Spitfireap

Same issue here, restarting & disable/enabling the yubikey-agent did not solve the problem.

aaomidi avatar Mar 16 '22 20:03 aaomidi

I've built from main and now the error I get is:

agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "

aaomidi avatar Mar 16 '22 20:03 aaomidi

Try this: open a terminal, unplug your Yubikey, replug, wait a few seconds and replug. It works for me. It was GPG agent that was hijacking the key.

Spitfireap avatar Mar 16 '22 21:03 Spitfireap

If gpg-agent is taking a transaction you might be able to stop it doing that by adding disable-scdaemon to gpg-agent.conf.

smlx avatar Mar 17 '22 00:03 smlx

I'm running into this issue only when running yubikey-agent using systemd. If I stop the systemd service and run yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock from a terminal then it works correctly. I got it working by adding

Environment="DISPLAY=:0"
Environment="XAUTHORITY=/home/sebastian/.Xauthority"

to the systemd service. Not sure why it wasn't able to pick that up automatically or if there's a cleaner way to solve the issue.

Probably also related to #92.

sebastianblunt avatar Aug 20 '22 10:08 sebastianblunt

I get the error even when running yubikey-agent manually. I'm also told this (directly from the agent):

2022/09/15 10:49:25 agent 27: ssh: parse error in message type 27
2022/09/15 10:49:25 Connecting to the YubiKey...
2022/09/15 10:49:26 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

fosskers avatar Sep 15 '22 01:09 fosskers

go install filippo.io/yubikey-agent@f35f7d1754893ab74970e9a72909b7901d2e1718

This has solved my issue.

NA3 avatar Oct 12 '22 09:10 NA3

My workaround (WSL2 + Ubuntu on Windows) for this issue (or a related one, I also got the S ERROR curses.isatty 83918950 error) was to install pinentry-gtk-2 and fake a TTY and display for it by adding the following two environment variables to its systemd config:

[Service]
Environment=DISPLAY=:0
Environment=GPG_TTY=/dev/pts/1

upsj avatar Jul 11 '23 18:07 upsj

Hello,

I encountered the same errors (S ERROR curses.isatty 83918950 and connecting to smart card: the smart card cannot be accessed because of other connections outstanding). Thanks for providing help here!

In my case, yubikey-agent worked fine after enabling/disabling the service or a restart of the service after a reboot. I came to the conclusion that some resource seems not to be available at the start of the service. I tried pcscd.socket and pcscd.service and they are not the problem.

However, the following line in the service file helped:

[Service]
ExecStartPre=/bin/sleep 10

After that everything works fine. I don't understand what resource might be missing as the yubikey-agent service starts in user context, so everything else should already be started.

mutlusun avatar Feb 09 '24 07:02 mutlusun
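
Added example, not part of any post above and not yubikey-agent code: a small triage of the agent error lines quoted in this thread, grouping them by the workaround that commenters reported. It assumes the number after "agent" in each log line is the SSH agent protocol request type (11 list identities, 13 sign, 27 extension); the labels and hint strings are this example's own.

```python
import re

# SSH agent protocol request numbers (draft-miller-ssh-agent). Assumption of
# this example: the number after "agent" in the log is the request type.
REQUEST_TYPES = {11: "REQUEST_IDENTITIES", 13: "SIGN_REQUEST", 27: "EXTENSION"}

# Error text quoted in the thread -> (label, workaround a commenter reported).
CAUSES = [
    (re.compile(r"pin prompt: .*(Inappropriate ioctl for device|curses\.isatty)"),
     "pinentry-no-display",
     "pinentry has no display/TTY: set Environment=DISPLAY=... in the unit"),
    (re.compile(r"other connections outstanding"),
     "card-busy",
     "another process holds the card: try disable-scdaemon in gpg-agent.conf"),
]
AGENT_LINE = re.compile(r"agent (\d+): (.*)$")

def classify(line):
    """Return a dict for an 'agent N: ...' error line, or None otherwise."""
    m = AGENT_LINE.search(line)
    if not m:
        return None
    req = int(m.group(1))
    result = {"request": REQUEST_TYPES.get(req, f"type {req}"),
              "cause": "unclassified", "hint": None}
    for pattern, label, hint in CAUSES:
        if pattern.search(m.group(2)):
            result["cause"], result["hint"] = label, hint
            break
    return result

def triage(lines):
    """Count (request, cause) pairs across a log excerpt."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            key = (hit["request"], hit["cause"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Sample input: log lines copied from the posts in this thread.
SAMPLE = [
    "Oct 15 13:30:25 laptop yubikey-agent[77531]: 2021/10/15 13:30:25 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding",
    "Oct 15 13:30:36 laptop yubikey-agent[77531]: 2021/10/15 13:30:36 agent 13: pin prompt: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>",
    'agent 13: pin prompt: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "',
    "2022/09/15 10:49:25 agent 27: ssh: parse error in message type 27",
]
```

Run over the sample, both pinentry failures land on SIGN_REQUEST: the PIN prompt is attempted when a signature is requested, so a service without a usable display fails there rather than at startup.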