We checked what actually is the backend that the "ssh-add -c" is trying to reach.
First we thought that should be the ssh-agent spawned for gnome-keyring-daemon [1].

In ps that is visible as:

  1  1000  4029     1  20   0 656132 15860 -      SLl  ?    0:24 /usr/bin/gnome-keyring-daemon --daemonize --login
  0  1000 26372  4029  20   0  11304  3696 -      S    ?    0:00  \_ /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

Note: there is also another ssh-agent running:

  0  1000  4047  4036  20   0 568216 14944 poll_s Sl+  tty2 0:00  \_ /usr/lib/gnome-session/gnome-session-binary --session=ubuntu
  1  1000  4146  4047  20   0  11304   320 -      Ss   ?    0:00      \_ /usr/bin/ssh-agent /usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu

That binary is the one of the openssh package that we have proven before to work fine:

  $ dpkg -S /usr/bin/ssh-agent
  openssh-client: /usr/bin/ssh-agent

But it is interesting that it uses -a /run/user/1000/keyring/.ssh
But the env var is actually different (no . in the filename):

  $ echo $SSH_AUTH_SOCK
  /run/user/1000/keyring/ssh

But look at the ownership of the socket that we found in the env var:

  $ sudo lsof +fg /run/user/1000/keyring/ssh
  COMMAND    PID    USER   FD   TYPE     FILE-FLAG             DEVICE SIZE/OFF   NODE NAME
  gnome-key 4029 paelzer  14u  unix RW,ND,0x80000 0xffff910ac4316800      0t0 130189 /run/user/1000/keyring/ssh type=STREAM

So while there is a real /usr/bin/ssh-agent running, the actual socket that the env variable points to is actually owned by the gnome-keyring process.

Above we have proven that with a classic ssh-agent it works fine (comment #6).
The bug task for openssh is invalid for now due to that.

Maybe the gnome-keyring backend doesn't even have the -c feature; [1] doesn't list it - then it would be a feature request there.
But in any case we need to re-triage that at gnome-keyring, so that is the package I'm adding a bug task for.

[1]: https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
https://bugs.launchpad.net/bugs/1812247

Title:
  ssh-askpass(-gnome) fails for ssh-add -c: agent refused operation

Status in gnome-keyring package in Ubuntu:
  New
Status in openssh package in Ubuntu:
  Invalid

Bug description:
  Ubuntu uses ssh-agent from OpenSSH which supports adding keys by means
  of `ssh-add -c` indicating that keys "should be subject to confirmation
  before being used for authentication". In Ubuntu 18.10 this fails with
  the error

    sign_and_send_pubkey: signing failed: agent refused operation

  To reproduce I used an Ubuntu 18.10 Live "CD", apt-get update &&
  apt-get upgrade, log out and log back in (these steps are not required
  but we want to use an up-to-date system). Then:

    $ sudo apt-get install ssh-askpass-gnome
    (...)
    $ # verify that ssh-askpass shows a popup, confirm with Enter
    $ ssh-askpass ; echo $?

    0
    $ ssh-keygen
    (...)
    $ ssh-add -D
    All identities removed.
    $ ssh-copy-id $sshuser@$sshserver
    (...)
    Number of key(s) added: 1
    (...)
    $ ssh $sshuser@$sshserver uname -a
    Linux server 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
    $ ssh-add -d
    Identity removed: /home/ubuntu/.ssh/id_rsa (ubuntu@ubuntu)
    $ ssh-add -c
    Enter passphrase for /home/ubuntu/.ssh/id_rsa (will confirm each use):
    Identity added: /home/ubuntu/.ssh/id_rsa (/home/ubuntu/.ssh/id_rsa)
    The user must confirm each use of the key
    $ ssh $sshuser@$sshserver uname -a
    sign_and_send_pubkey: signing failed: agent refused operation
    sshuser@server's password: [^C'ed]
    $ ssh-add -l
    2048 SHA256:yvAFsTpkNWnlrQyCp+tWV83dIF8Je3AksM0o+Ajvyyc /home/ubuntu/.ssh/id_rsa (RSA)

  So, our key is loaded, ssh-askpass is working (also confirmed with
  `ssh-add -c </dev/null`), but authentication fails with
  "sign_and_send_pubkey: signing failed: agent refused operation".

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: gnome-session-bin 3.30.0-0ubuntu4
  ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12
  Uname: Linux 4.18.0-10-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13.1
  Architecture: amd64
  CasperVersion: 1.399
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Jan 17 17:14:35 2019
  ExecutablePath: /usr/lib/gnome-session/gnome-session-binary
  LiveMediaBuild: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=C.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnome-session
  UpgradeStatus: No upgrade log present (probably fresh install)
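
The ownership check from the comment at the top of this mail (which process really holds the socket that SSH_AUTH_SOCK names), as an added example that is not part of the original bug report. It assumes Linux and reads /proc instead of calling lsof; the function names are chosen here for illustration.

```python
"""Added example: find the process behind $SSH_AUTH_SOCK via Linux /proc (assumption)."""
import os
import sys


def _link(path):
    try:
        return os.readlink(path)
    except OSError:
        return None  # fd already closed, process gone, or not ours to inspect


def socket_inodes(paths, table="/proc/net/unix"):
    """Inodes of UNIX sockets bound to any of `paths`, read from /proc/net/unix."""
    inodes = set()
    with open(table) as fh:
        next(fh, None)  # header: Num RefCount Protocol Flags Type St Inode Path
        for line in fh:
            fields = line.rstrip("\n").split(None, 7)
            if len(fields) == 8 and fields[7] in paths:
                inodes.add(int(fields[6]))
    return inodes


def holders(inodes, proc="/proc"):
    """Map pid -> executable for each inspectable process holding one of `inodes`."""
    wanted = {f"socket:[{i}]" for i in inodes}
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # another user's process; root can read these
        if any(_link(os.path.join(fd_dir, fd)) in wanted for fd in fds):
            found[int(pid)] = _link(os.path.join(proc, pid, "exe")) or "?"
    return found


def agent_behind(path):
    """Holders of the socket at `path`, matched as given and symlink-resolved."""
    return holders(socket_inodes({path, os.path.realpath(path)}))


if __name__ == "__main__":
    sock = os.environ.get("SSH_AUTH_SOCK") or sys.exit("SSH_AUTH_SOCK is not set")
    for pid, exe in sorted(agent_behind(sock).items()):
        print(f"{sock} is held by pid {pid}: {exe}")
```

Run without root it only sees processes of the calling user, which is enough here because the agent socket belongs to the same desktop session.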