`ssh-agent` asks passphrase after it has been added

Question

I'm new to the ssh-agent and encounter what I identify as a "bug".

Situation

I have a passphrase-protected private key.
I want to use the ssh-agent so I do not write the passphrase each time I ssh.
ssh-agent adds the private key (according to ssh-agent -l displaying the private key).
yet when I try to ssh to the remote server with the private key (thanks to the ~/.ssh/config file), the ssh-agent still asks for my passphrase!

Environment

I'm on fedora Linux 4.5.7-202.fc23.x86_64 #1 SMP Tue Jun 28 18:22:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux with the ssh version being OpenSSH_7.2p2, OpenSSL 1.0.2h-fips. Here are two sequences that do not work using the (what I think) GNOME 3 keyring agent and the ssh-agent.

Here is the ~/.ssh/config:

 IdentitiesOnly yes
[..]
Host root.w.com
    HostName 92.1.2.3
    User user
    Port 22
    IdentityFile /home/user/.ssh/key-rsa.priv

GNOME 3 keyring agent

user@local:~$ ssh server-key
Enter passphrase for key '/home/user/.ssh/key-rsa.priv': 
You have new mail.
Last login: Sat Aug 13 10:41:46 2016 from some.ip.dot.org
user@remote:~$
Connection to <remote-ip> closed.
user@local:~$ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh
user@local:~$ echo $SSH_AGENT_PID

user@local:~$ ssh-add ~/.ssh/key-rsa.priv
Enter passphrase for /home/user/.ssh/key-rsa.priv: 
Identity added: /home/user/.ssh/key-rsa.priv (/home/user/.ssh/key-rsa.priv)
user@local:~$ ssh-add -l
4096 SHA256:aZl81hzUczH+sX+/5+tCJHln11xqta62RbtzLQt5LKE /home/user/.ssh/key-rsa.priv (RSA)
user@local:~$ ssh server-key 
Enter passphrase for key '/home/user/.ssh/key-rsa.priv': 
✘  user@local:~$

`ssh-agent` agent

user@local:~$ eval $(ssh-agent)  
Agent pid 3169
user@local:~$ echo $SSH_AGENT_PID
3169
user@local:~$ echo $SSH_AUTH_SOCK
/tmp/ssh-nqpXUUf2qNpT/agent.3168
user@local:~$ ssh-add -D
All identities removed.
user@local:~$ ssh-add ~/.ssh/key-rsa.priv
Enter passphrase for /home/user/.ssh/key-rsa.priv: 
Identity added: /home/user/.ssh/key-rsa.priv (/home/user/.ssh/key-rsa.priv)
user@local:~$ ssh server-key 
Enter passphrase for key '/home/user/.ssh/key-rsa.priv': 
✘  user@local:~$

Question

What should I do so the ssh-agent do not ask the passphrase?
Any idea why does these not work?

My issue is similar to this question though I read the answer and the solution did not work for me.

Please also post the appropriate Host section of your ~/.ssh/config, sanitized if you wish. — user4556274, Aug 13 '16 at 14:04
Hmm, stupid question: Does it work without IdentitiesOnly? Also, is the name on your ssh command line (server-key) different from the name in the config (root.w.com) on purpose? — ilkkachu, Aug 21 '16 at 18:02
Sorry for the server-key and root.w.com confusion. It actually the same server and user, the only diff is the algorithm used to generate the keys. Also: I confirm that without the IdentitiesOnly it works ! Just put your comment into an answer, and I'll validate it. Add an explanation and I'll +1 it !! — Auzias, Aug 23 '16 at 17:08
@Auzias, IdentitiesOnly should instruct the client to only use those keys given in IdentityFile commands, but not others the agent may have. Here, though it seems that you are setting the relevant key with IdentityFile, and if that is the case, I don't know why it doesn't work as it should. It's as if the key loaded to the agent was different from the one listed in the config file. And referencing the same key with a different filename isn't enough, the actual key needs to be different for IdentitiesOnly to skip it. — ilkkachu, Aug 24 '16 at 14:44
I see, would you like to post it as an answer so my question can be tagged as answered? — Auzias, Aug 25 '16 at 07:29

score 7 · Answer 1 · answered May 12 '19 at 17:46

7

I just discovered that IdentitiesOnly seems to need the public key on the local machine to works properly.

Without the public key on the local machine, I was always prompted for the passphrase even if the private key was in the agent and of course the public key on the remote machine.

The public key path is the same as the private key path with .pub append.

answered May 12 '19 at 17:46

mperrin

170

I run into exactly this behaviour. Thx for your answer. Both will solve this issue:
1. Add public key files to ~/.ssh or
2. remove/uncomment IdentitiesOnly in ~/.ssh/config
– jokumer Jan 07 '22 at 23:02

score 2 · Accepted Answer · edited Aug 28 '16 at 18:36

2

As @ilkkachu said, the issue is IdentitiesOnly.

In you Host section, just add

IdentitiesOnly no

edited Aug 28 '16 at 18:36

ilkkachu

138,973

answered Aug 28 '16 at 17:33

Wayne Walker

1,043

What if I do no want my ssh client try every single key for each host? – Auzias Aug 29 '16 at 08:09
@Auzias, if you put the above in the root.w.com section of your config, then only root.w.com will use all possible Identities, the rest will still follow your original "IndentitiesOnly yes" directive. – Wayne Walker Aug 30 '16 at 04:24
Can someone explain why ? That drives me nut. it works for me everywhere except on a specific linux server. Why a key added to ssh-agent is not used by the system if IdentitiesOnly is set to yes ??? – mperrin Jun 07 '18 at 15:36