Ubuntu – What could be the reason, that private keys are not unlocked

17.10passwordseahorsesshssh-agent

Since I updated to Ubuntu 17.10 a while ago, my private keys – the which I use for example to access my server via ssh – are not unlocked programmatically after login anymore.

My understanding is, that usually the seahorse client should take care of this, by asking you whether or not to store the key's password when typing them in for the first time.

My first guess was, that seahorse-daemon wasn't running for some reason, but it is:

user@Zeus:~$ ps aux | grep seahorse
user    19170  0.0  0.1 432636 26564 ?        Ss   00:07   0:00 seahorse-daemon

My second guess was, that for some reason I have to delete all related passwords stored in seahorse under »Passwords->login«:

I was hoping to force the client to ask me again and then storing them again. But this didn't help either. The client does not pop up to ask me…

Then I found this question, which could be related, but did not help me:
Unlock all private keys on Ubuntu, entering password only once at login

As the management of other passwords work as expected (for example passwords for nautilus, Chromium, Nextcloud etc.) I assume the problem has to do something with ssh-agent…

Can anybody hint me in the right directions, how to solve this problem? Has anything changed in the way how GNOME handles passwords? Maybe some new fancy program failed being installed during the upgrade process?

UPDATE
When I add the private key to the authentication agent again with:

ssh-add ~/.ssh/id_rsa

and try to log in, I will be asked to unlock the key only once, after that the key gets unlocked programmatically. But this works only until the next reboot. After a fresh start, I have to add the key again…

Best Answer

Yes, ssh-agent is the answer. To save the passphrase, all you have to do is:

ssh-add ~/.ssh/id_rsa

Then put in your password, and log back in.

Related Solutions

Ubuntu – Unlock all private keys on Ubuntu, entering password only once at login

1) After Creating the Public Key By Following,

The first step involves creating a set of RSA keys for use in authentication. This should be done on the client. To create your public and private SSH keys on the command-line:

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

You will be prompted for a location to save the keys, and a passphrase for the keys. This passphrase will protect your private key while it's stored on the hard drive and be required to use the keys every time you need to login to a key-based system:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/b/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/b/.ssh/id_rsa.
Your public key has been saved in /home/b/.ssh/id_rsa.pub.

2) You must add your private key (might be not secure) but still you can do this,

ssh-add ~/.ssh/id_rsa

Source From Ubuntu Wiki.

Ubuntu – Which private keys are tested by ssh without configuration

The ssh client will check all your keys until it finds one that matches.

This is how it works (this is very simplified, before this a quite complex dance has been made to encrypt all of this):

The server creates an auth token.
The token is encrypted using your public key on the server.
The server send the encrypted token to the client.
The client tries to decrypt the token, using all known private keys.
If it is successful it will send the decrypted token back to the server.
If the token matchs the server will let the client in.

What files are keys depends on the client.

For the Openssh client (Ubuntu default client), according to its man page, the files that are supposed to be private keys are ./sshid_rsa, .ssh/id_dsa, .ssh/id_ecdsa, plus those given after the -i flag (it supports multiple files) and those declared in the config file.

You can give it the -v option to make it print a line when it tries to use any file as a key. This is an example from a non-key login:

$ ssh -v www.hostremoved.com
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
<...>
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/javier/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/javier/.ssh/id_dsa
debug1: Trying private key: /home/javier/.ssh/id_ecdsa
debug1: Next authentication method: password
<...>

As you can see, it prints all the keys it tries, it fails all. You can use this in your system to discover what files is ssh using in your own system.

Below you can see the output if some existing key is found and tried

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: user@xyz

user@xyz is the information appended to the public key.

If you're wondering how your ssh client finds your private keys, it's not magic. Under Gnome (xfce and KDE also) there is a special ssh-agent that automatically adds keys in .ssh directory that have a correspondending public key with the ending .pub.

If you not have such a comfortable ssh agent, you'll have to add your private keys with ssh-add key.

Best Answer

Related Solutions

Ubuntu – Unlock all private keys on Ubuntu, entering password only once at login

Ubuntu – Which private keys are tested by ssh without configuration

Related Question