You were suffering from the following failure:
Agent admitted failure to sign using the key.
This is an unfortunately non-diagnostic message. There are (at least) two classes of issues it could address:
The key is not loaded
For most issues, this means that your ssh-agent doesn't have any ssh keys loaded that are accepted for your account on the target server. In this case, as noted by @Networker's answer to this question, the solution is rather simple: add the key:
ssh-add
If the key is in a non-default location, you'll need to tell that to ssh-add:
ssh-add /path/to/key
The agent cannot understand the key
This was GNOME bug 754028, resolved in Seahorse 3.29.90 (stable 3.30 released 2018-09-03, included in Ubuntu 18.10, Fedora 29, and probably Red Hat/CentOS 9). Seahorse before 3.29.90 (and therefore GNOME Keyring) could neither create nor add new key types like ed25519 and keys generated with ssh-keygen -o -a 100 (as suggested by the Secure Secure Shell tutorial).
Diagnosis of this problem:
- ssh myserver fails with "ssh Agent admitted failure"
- SSH_AUTH_SOCK= ssh myserver works just fine
- Conclusion: gnome-keyring can't deal with complex keys
As I just found a viable workaround for this bug, and it doesn't seem to be published anywhere (except the comment I just added to an Ubuntu bug), I'll put it here.
Workaround: Launch a new ssh-agent using the same socket as the one from gnome-keyring:
ssh-agent -a $SSH_AUTH_SOCK
This launches a new instance of ssh-agent (overwriting GNOME's less capable instance), so it won't have any keys in it (despite what seahorse says, since that's tied to the old agent). You'll have to add them via ssh-add as noted in the "The key is not loaded" section above.
You'll have to run this every time you log in (or manually add it to your startup scripts). If you want to preserve the old socket, run mv $SSH_AUTH_SOCK $SSH_AUTH_SOCK.broken first.
.ssh and everything under it should be owned by the user (in this case 'storm') and only the user should have permission.
chown -R storm ~storm/.ssh; chmod 700 ~storm/.ssh; chmod 600 ~storm/.ssh/authorized_keys
should do the trick.
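One way to check the ownership and permission rule from the answer above, as an added example that is not part of the original answer. The function name audit_ssh_dir and the OWNER/MODE finding labels are made up here; the directory and account are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an account's .ssh tree
# against the rule "owned by the user, and only the user has permission".

# audit_ssh_dir DIR OWNER
#   OWNER is a login name or numeric uid.
#   Prints one finding per line; returns 0 = clean, 1 = findings, 2 = error.
audit_ssh_dir() {
    dir=$1
    want_owner=$2

    [ -d "$dir" ] || { echo "ERROR $dir is not a directory" >&2; return 2; }

    # First find: ownership. The answer's `chown -R` covers every entry,
    # so every entry is checked, not just the top-level directory.
    # Second find: any group or other permission bit is a finding, so
    # 700 on the directory and 600 on authorized_keys both pass.
    # Symlinks are skipped because their own mode bits are not enforced.
    findings=$(
        find "$dir" ! -user "$want_owner" -exec echo OWNER {} \; &&
        find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -exec echo MODE {} \;
    ) || { echo "ERROR find failed (unknown user?)" >&2; return 2; }

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when called with two arguments, e.g.: sh audit.sh ~storm/.ssh storm
if [ "$#" -eq 2 ]; then
    audit_ssh_dir "$1" "$2"
fi
```

A clean tree prints nothing; each finding names the path that the chown or chmod commands above would need to fix.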
If you have control over who's able to log into the console, you can get away without the Match block and the AllowUsers directive by simply disabling passwords and allowing root login only with a key:
PasswordAuthentication no
PermitRootLogin without-password
Be sure to test this while you have access to the console . . . just in case.
Best Answer
The -A option tells ssh-keygen to generate host keys. According to the manual page, the intended use of ssh-keygen is
The synopsis lists the -A on a line by itself, with no other options:
So (aside from modifying the source and compiling it yourself), what you are asking is not its intended use.
Further reading:
ssh-keygen
— authentication key generation, management and conversion