Ubuntu-budgie 18.04 agent refused operation when trying to ssh with public key

Question

When I try to ssh using rsa key pair, I get the following error:

debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:2zjgjRVRDdbdfmjqip0o7M5vGXRmdH1vIvT88rrF3yE /home/home/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:2zjgjRVRDdbdfmjqip0o7M5vGXRmdH1vIvT88rrF3yE
debug3: sign_and_send_pubkey: RSA SHA256:2zjgjRVRDdbdfmjqip0o7M5vGXRmdH1vIvT88rrF3yE
sign_and_send_pubkey: signing failed: agent refused operation

This does not happen if I try to login from the server machine to itself. It happens if I use other machines. I'm running Ubuntu Budgie on both server and client machines. The permissions for home and .ssh folder are set to 700 and for authorized_keys set to 600.
Here is a copy of my ssh server configuration (sshd_config):

#   $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp
# This is the sshd server system-wide configuration file.  See
sshd_config(5) for more information.
This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
The strategy used for options in the default sshd_config shipped with
OpenSSH is to specify options with their default value where
possible, but leave them commented.  Uncommented options override the
default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers and keying
#RekeyLimit default none
Logging
#SyslogFacility AUTH
#LogLevel INFO
Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile  .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
Change to yes if you don't trust ~/.ssh/known_hosts for
HostbasedAuthentication
#IgnoreUserKnownHosts no
Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
Change to yes to enable challenge-response passwords (beware issues with
some PAM modules and threads)
ChallengeResponseAuthentication no
Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication.  Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
no default banner path
#Banner none
Allow client to pass locale environment variables
AcceptEnv LANG LC_*
override default of no subsystems
Subsystem   sftp    /usr/lib/openssh/sftp-server
Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server

Possibly related? Ubuntu 16.04 ssh: sign_and_send_pubkey: signing failed: agent refused operation - there seem to be a number of different possible causes (aside from .ssh permissions, which you already checked) — steeldriver, Jan 06 '19 at 19:22

score 6 · Answer 1 · answered Jan 07 '19 at 09:16

6

It might caused by the permissions of the ssh key being too open. The following command might fix the problem

chmod 600 .ssh/id_rsa

If not try with command

ssh-add

answered Jan 07 '19 at 09:16

Bhakti Bhoj

71
2

Ubuntu-budgie 18.04 agent refused operation when trying to ssh with public key

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

Ciphers and keying

Logging

Authentication:

Expect .ssh/authorized_keys2 to be disregarded by default in future.

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

Change to yes if you don't trust ~/.ssh/known_hosts for

HostbasedAuthentication

Don't read the user's ~/.rhosts and ~/.shosts files

To disable tunneled clear text passwords, change to no here!

Change to yes to enable challenge-response passwords (beware issues with

some PAM modules and threads)

Kerberos options

GSSAPI options

Set this to 'yes' to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of "PermitRootLogin without-password".

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to 'no'.

no default banner path

Allow client to pass locale environment variables

override default of no subsystems

Example of overriding settings on a per-user basis

X11Forwarding no

AllowTcpForwarding no

PermitTTY no

ForceCommand cvs server

1 Answers1