Why does ssh-agent need root access?


I've just installed Archbang, and am trying to clone a Git project of mine, which necessitates SSH keys.

I've followed the GitHub guide to success in the past, on Ubuntu and RedHat boxes, but for some reason it's not working out for me on my new Arch install.

I've successfully generated my SSH public/private key pairs with this command:

ssh-keygen -t rsa -b 4096 -C "email@address"

But when I move on to starting up the SSH agent and adding my public key, I run into issues.

[user@arch ~]$ eval "$(ssh-agent -s)"
bind: Permission denied
unix_listener: cannot bind to path: /tmp/ssh-ZqYqSabxjZeA/agent.9328

This is successful, however, if I run it as root:

[user@arch ~]$ eval "$(sudo ssh-agent -s)"
[sudo] password for user: 
Agent pid 9146

But I'm pretty sure I don't want to be doing SSH things as root.

Continuing forward, when I then try to use ssh-add, I get permission errors as well, but this time as both the standard user and root:

[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.
[user@arch ~]$ sudo ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.

So now I'm really confused.

I've tried opening up a bash process as root to do this stuff, but 1) I don't like that idea and 2) it still doesn't work, but this time for a different reason:

[user@arch ~]$ sudo ssh-agent -s
[root@arch ~]# ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

For some reason, doing this in a root shell causes my SSH key passphrase to be rejected; I've tried this multiple times, with the simplest of passphrases, so I'm positive I've given it the correct passphrase.

I'm at a loss. I really don't like all this sudo stuff, and I don't know why it seems to be necessary; I've checked the permissions on the .ssh directory and its files, even going as far as deleting the whole directory and regenerating the keys to be sure they aren't being generated with the wrong permissions.

Can someone please help me out here? What am I doing wrong?

EDIT: In response to suggested answers, I have tried this again using a socket location inside my home directory. These are the results:

[user@arch ~]$ mkdir -m 700 ~/.ssh
[user@arch ~]$ ssh-keygen -t rsa -b 4096 -C "email@address"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
...
[user@arch ~]$ chmod 644 .ssh/id_rsa.pub && chmod 600 .ssh/id_rsa
[user@arch ~]$ eval "$(ssh-agent -sa .ssh-agent.$$)"
Agent pid 1881
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '.ssh/id_rsa.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

At this point, I'm confused as to why those permissions are not acceptable, and as to why it thinks my public key is a private key. But I humor it, changing the permissions to 600 and trying to add it again.

[user@arch ~]$ chmod 600 .ssh/id_rsa.pub
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

And now I've gotten to a similar spot as I was before: it does not like the passphrase I've created for my SSH key. What's going on?! This is truly perplexing.

2

There are 2 answers

2
Daniel Brady On

After many hours of struggling with this, I finally tracked down the source(s) of my problems.

  1. My umask was set completely incorrectly: when I was setting up my environment after the install, I accidentally put umask 755 in my .bashrc; what I intended was for my file permissions to be 755, in which case the umask should have been set to 022 or 002 (I went with the latter). This incorrect umask turned out to be the root (hehe) of all my permission errors: files and directories being generated by all the different SSH commands were being created with incorrect permissions.
  2. I was attempting to ssh-add my public key, instead of my private key; I couldn't figure out why it kept saying my passphrase was wrong, despite me being 100% sure it was correct. The reason was that the password was for the private key; the public key was not password protected, and so attempting to ssh-add it and enter a password for it resulted in all those "Bad passphrase" errors.

Thank you all for your help! You set me down the path to finding the solution that worked for me. After correcting these mistakes, I was successfully able to both start up ssh-agent without root access and add my private SSH key.
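An added example, not code from either answer or from OpenSSH, that reproduces the two causes above in a scratch directory: what a umask of 755 does to newly created files and directories compared with 022, a check that mirrors the "too open" private-key test behind the UNPROTECTED PRIVATE KEY warning, and mapping a .pub path to the private key that ssh-add actually wants. Function names are my own and nothing touches ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post or OpenSSH). Reproduces the two
# mistakes in the accepted answer: a umask of 755 instead of 022/002, and
# handing ssh-add the .pub file. Works only in a throwaway mktemp directory.

# Symbolic mode of a path, e.g. -rw-r--r-- (POSIX ls; no GNU stat needed).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create one file and one directory under the given umask and print their
# modes as "FILEMODE DIRMODE". The umask is changed in a subshell only, so
# the caller's environment is untouched.
modes_under_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/key" && mkdir "$d/dir" ) || return 1
    printf '%s %s\n' "$(mode_of "$d/key")" "$(mode_of "$d/dir")"
    # Restore owner access before cleanup; umask 755 leaves us locked out.
    chmod u+rwx "$d/dir" && rm -rf "$d"
}

# Mirror the check behind "WARNING: UNPROTECTED PRIVATE KEY FILE!":
# a private key must grant no group or other permission bits at all.
key_perm_ok() {
    case "$(mode_of "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# ssh-add wants the private key; map id_rsa.pub -> id_rsa so the
# passphrase prompt applies to a file that actually has one.
private_key_for() {
    case $1 in
        *.pub) printf '%s\n' "${1%.pub}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Stand-alone demonstration of the three helpers.
echo "umask 755 -> $(modes_under_umask 755)"   # owner cannot even read
echo "umask 022 -> $(modes_under_umask 022)"   # the usual 644 / 755
echo "ssh-add target for .ssh/id_rsa.pub: $(private_key_for .ssh/id_rsa.pub)"
```

With umask 755 the owner ends up with no permission bits on files it just created, which is why every SSH command in the question tripped over permissions until the umask was corrected.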

0
pgl On

It seems the user you're running as doesn't have permission to write to the default ssh-agent socket location.

This should fix your problem:

ssh-agent -a ~/.ssh-agent.$$

This specifies the socket location with the -a option, as ~/.ssh-agent.$$, i.e., inside your home directory.

The permissions issue could be caused by something like simple UNIX permissions (i.e., /tmp not writable by that user), or SELinux, or something else.