Bug 436529

Summary: ssh-add fails to add to .ssh/identity
Product: Fedora
Component: openssh
Version: 9
Hardware: All
OS: Linux
Status: CLOSED CANTFIX
Severity: low
Priority: low
Reporter: Ulrich Drepper <drepper.fsp>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Doc Type: Bug Fix
Last Closed: 2008-10-01 07:23:18 EDT

Description Ulrich Drepper 2008-03-07 13:50:19 EST
Description of problem:
When running the ssh-add command in rawhide I see the following error:

Enter passphrase for /home/drepper/.ssh/id_dsa: 
Identity added: /home/drepper/.ssh/id_dsa (/home/drepper/.ssh/id_dsa)
SSH_AGENT_FAILURE
SSH_AGENT_FAILURE
Could not add identity: /home/drepper/.ssh/identity


The permissions on the files are fine:

-rw------- 1 drepper drepper  736 2001-02-01 18:13 id_dsa
-rw-rw-r-- 1 drepper drepper  610 2001-02-01 18:13 id_dsa.pub
-rw------- 1 drepper drepper  535 2000-10-21 12:17 identity
-rw-rw-r-- 1 drepper drepper  339 2000-10-21 12:17 identity.pub


The only noteworthy thing is that the .ssh directory is on a memory card which
is formatted as ext2 and encrypted through dm.  This never made a difference
before, though, and the id_dsa access worked.

Version-Release number of selected component (if applicable):
openssh-clients-4.7p1-9.fc9.x86_64

How reproducible:
always

Steps to Reproduce:
1. run ssh-add

Actual results:
above messages

Expected results:
no message except positive feedback about added identities

Additional info:
Comment 1 Tomas Mraz 2008-03-07 14:05:47 EST
Do you have SELinux on and enforcing? Could you try temporarily switching it to
permissive? If that helps, do you see any AVCs?

If it is not a SELinux denial, when did it start to fail? Previous rawhide
openssh releases worked fine?

Also you could try to run the ssh-agent in debug mode (-d) and see whether it
gives some messages.
Comment 2 Ulrich Drepper 2008-03-07 14:52:12 EST
(In reply to comment #1)
> Do you have SELinux on and enforcing? Could you try temporarily switching it to
> permissive? If that helps, do you see any AVCs?

SELinux is not a factor, I'd have seen the AVC.


> If it is not a SELinux denial, when did it start to fail? Previous rawhide
> openssh releases worked fine?

It started when I updated the machine from F8 to rawhide during this week.


> Also you could try to run the ssh-agent in debug mode (-d) and see whether it
> gives some messages.

-d is no debug mode, it removes identities.


What I did is run ssh-add under strace.  The results are the same.  What is
strange is that no file operation fails.  I.e., it is an internal error.  I know
with 100% certainty the ssh-add didn't fail with the F8 code.  Whether or not
the RSA based key worked I don't know.  I don't know whether it is used.

Anyway here is the relevant part of the strace output.  I cut out the private
key data.

write(2, "Identity added: /home/drepper/.ssh/id_dsa (/home/drepper/.ssh/id_dsa)\n", 70) = 70
stat("/home/drepper/.ssh/identity", {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
open("/home/drepper/.ssh/identity", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
getuid()                                = 500
close(4)                                = 0
open("/home/drepper/.ssh/identity", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
getuid()                                = 500
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 535) = 535
lseek(4, 0, SEEK_SET)                   = 0
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 535) = 535
close(4)                                = 0
open("/home/drepper/.ssh/identity", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
getuid()                                = 500
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 535) = 535
lseek(4, 0, SEEK_SET)                   = 0
fstat(4, {st_mode=S_IFREG|0600, st_size=535, ...}) = 0
read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 535) = 535
close(4)                                = 0
write(3, "\0\0\1\352", 4)               = 4
write(3, "\7\0\0\4"..., 490) = 490
read(3, "\0\0\0\1", 4)                  = 4
read(3, "\5", 1)                        = 1
write(2, "SSH_AGENT_FAILURE\r\n", 19)   = 19
write(3, "\0\0\1\352", 4)               = 4
write(3, "\7\0\0\4"..., 490) = 490
read(3, "\0\0\0\1", 4)                  = 4
read(3, "\5", 1)                        = 1
write(2, "SSH_AGENT_FAILURE\r\n", 19)   = 19
write(2, "Could not add identity: /home/drepper/.ssh/identity\n", 52) = 52
close(3)                                = 0


File descriptor 3 is a socket.
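
Added example, not part of the original report and not OpenSSH code: a small Python decoder for the fd 3 traffic in the strace above. It assumes the standard ssh-agent framing (a 4-byte big-endian length, then a body whose first byte is the message type) and the message numbers from OpenSSH's authfd.h; the names `decode`, `unescape` and `STRACE` are illustrative.

```python
import re
import struct

# Message numbers as defined in OpenSSH's authfd.h (subset).
AGENT_MSG = {
    5: "SSH_AGENT_FAILURE",
    6: "SSH_AGENT_SUCCESS",
    7: "SSH_AGENTC_ADD_RSA_IDENTITY",   # protocol 1 RSA key
    17: "SSH2_AGENTC_ADD_IDENTITY",     # protocol 2 key
}

# First request/reply pair on fd 3, copied from the strace in comment 2.
STRACE = r'''
write(3, "\0\0\1\352", 4)               = 4
write(3, "\7\0\0\4"..., 490) = 490
read(3, "\0\0\0\1", 4)                  = 4
read(3, "\5", 1)                        = 1
'''

CALL = re.compile(r'^(read|write)\(3, "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, (\d+)\)\s+= (\d+)$')
ESCAPE = re.compile(r'\\([0-7]{1,3}|.)|(.)', re.S)
SIMPLE = {"n": 10, "r": 13, "t": 9, "v": 11, "f": 12, "\\": 92, '"': 34}

def unescape(text):
    """Convert strace's C-style string escapes (octal, \\n, ...) to bytes."""
    out = bytearray()
    for esc, literal in ESCAPE.findall(text):
        if literal:
            out.append(ord(literal))
        elif esc[0] in "01234567":
            out.append(int(esc, 8))
        else:
            out.append(SIMPLE[esc])
    return bytes(out)

def decode(trace):
    """Pair each 4-byte length header with the body transferred after it."""
    frames, length = [], None
    for line in trace.strip().splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        data = unescape(m.group(2))
        if length is None:
            (length,) = struct.unpack(">I", data)   # header: big-endian uint32
            continue
        side = "request" if m.group(1) == "write" else "reply"
        # Third field: does the body's syscall size equal the announced length?
        frames.append((side, length, int(m.group(3)) == length,
                       AGENT_MSG.get(data[0], "unknown(%d)" % data[0])))
        length = None
    return frames
```

Decoded, the exchange is a 490-byte SSH_AGENTC_ADD_RSA_IDENTITY request answered by a 1-byte SSH_AGENT_FAILURE, so the rejection is issued by the agent process on the other end of the socket.
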
Comment 3 Tomas Mraz 2008-03-07 17:19:55 EST
(In reply to comment #2)
> (In reply to comment #1)
> > Do you have SELinux on and enforcing? Could you try temporarily switching it to
> > permissive? If that helps, do you see any AVCs?
> 
> SELinux is not a factor, I'd have seen the AVC.

They might be dontaudited AVCs but from the strace it is clear that the key is
readable so SELinux is really not the source of the problem.

> > Also you could try to run the ssh-agent in debug mode (-d) and see whether it
> > gives some messages.
> 
> -d is no debug mode it removes identities.

I mean ssh-agent -d, not ssh-add -d.


Comment 4 Ulrich Drepper 2008-03-09 22:51:49 EDT
Strange.  When I kill the ssh-agent started for the session and then start one
explicitly on a command line (with or without -d), following ssh-add calls work.
And yes, I've set the environment variable correctly.

What else do you want me to do?
Comment 5 Tomas Mraz 2008-03-10 11:15:55 EDT
(In reply to comment #4)
> What else do you want me to do?
Is the problem still reproducible when the ssh-agent is now started from the
login session? If yes, perhaps stracing it could give some hints...

I have seen some reports where the ssh-agent started to become unresponsive and
it worked again after being restarted. Unfortunately, I have never seen this
failure myself, although I use ssh-agent regularly.
Comment 6 Bug Zapper 2008-05-14 01:51:48 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Tomas Mraz 2008-10-01 07:23:18 EDT
Apparently it was some intermittent problem, and without a reproducer I am not able to investigate it further.