Authorization fails when using an ssh-agent

Open eminence opened this issue 11 months ago • 4 comments

I'm trying to use a key loaded into an ssh-agent for authentication. This is not working. However, the key works when loaded from disk using load_secret_key.

I generated a new RSA key with ssh-keygen.

Here's the fingerprint of the key:

❯ ssh-keygen -lf lxd_deleteme
2048 SHA256:dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8 lxd@lin-lxd01sim (RSA)

I've also loaded it into an ssh-agent. The ssh-agent reports the identical fingerprint:

❯ ssh-add -l
2048 SHA256:dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8 ./lxd_deleteme (RSA)

I'm connecting to the ssh-agent like this:

let mut agent = russh_keys::agent::client::AgentClient::connect_env().await.unwrap();
let mut identities = agent.request_identities().await.unwrap();
assert_eq!(identities.len(), 1); 
let id = identities.pop().unwrap();
println!("Key from ssh-agent: {} {}", id.name(), id.fingerprint());

And I'm loading the key from disk like this:

 let key_pair = load_secret_key("lxd_deleteme", None).unwrap();

I first try authentication using authenticate_future and then fall back to authenticate_publickey.

Here's what the full code looks like:

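use std::sync::Arc;

use russh_keys::load_secret_key;

// `Client` is the russh::client::Handler implementation passed to connect(); its definition is not shown in the issue.
#[tokio::main]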
async fn main() {
    env_logger::init();
    let config = russh::client::Config::default();
    let config = Arc::new(config);
    let sh = Client {};
    let host = "127.0.0.1";

    let mut agent = russh_keys::agent::client::AgentClient::connect_env().await.unwrap();
    let mut identities = agent.request_identities().await.unwrap();

    assert_eq!(identities.len(), 1);
    let id = identities.pop().unwrap();
    println!("Key from ssh-agent: {} {}", id.name(), id.fingerprint());

    let key_pair = load_secret_key("lxd_deleteme", None).unwrap();
    if let russh_keys::key::KeyPair::RSA { key, hash } = &key_pair {
        println!("Key loaded from disk: hash={hash:?}");
    }

    let mut session = russh::client::connect(config, (host, 22), sh).await.unwrap();
    println!("Connected!");

    // first try with agent auth
    let (_, auth_res) = session.authenticate_future("root", id, agent).await;
    let auth_res = auth_res.unwrap();
    dbg!(auth_res);
    if !auth_res {
        println!("Auth failed using ssh-agent, trying key from disk");
    }
    let auth_res = session
        .authenticate_publickey("root", Arc::new(key_pair))
        .await
        .unwrap();
    dbg!(auth_res);

    println!("=== auth: {}", auth_res);
}

And here's the output:

Key from ssh-agent: rsa-sha2-512 dd8u94XvU0tJfdPiL/YpU4G0SHNBDJBvrP/6T8HVLO8
Key loaded from disk: hash=SHA2_256
check_server_key: e17SK8zBaPtvQBpIcnt534kbxe2Mhi0tr5XOc/FUR/E
Connected!
src/main.rs:52] auth_res = false
Auth failed using ssh-agent, trying key from disk
src/main.rs:60] auth_res = true
=== auth: true 

Any suggestions about what's going wrong, or how to debug this?

Version info

I'm using russh e5f12248359e9b2a3aed3420c02fbfbb6e4dca84

eminence, Sep 22 '23 21:09

I'm not familiar with russh's code, but I'm hoping to find some time to dig into this issue in the coming weeks. If anyone has any hints about how to debug this, please let me know.

eminence, Oct 06 '23 19:10

Running with RUST_LOG=debug should give a detailed trace of what's going on.

Eugeny, Oct 06 '23 19:10

I tried that, but unfortunately the result wasn't that enlightening to me. Would it be useful if I uploaded the debug traces to this issue, though?

eminence, Oct 06 '23 20:10

Definitely!

Eugeny, Oct 06 '23 21:10