Post History

Q&A SSH key added to agent, but keeps asking for password

posted 1y ago by matthewsnyder‭

Answer
#1: Initial revision by matthewsnyder · 2023-08-15T03:28:03Z (over 1 year ago)
After some digging, I was able to figure out the problem. I actually have multiple keys. In Kwallet, I noticed that one of them has the wrong passphrase. So it looks like I put the passphrase of Key X for both keys X and Y, and now Y is failing (because that's the wrong passphrase). It looks like Kwallet decided to remember this and never ask me, while ssh-agent kept silently failing to unlock and never telling me. Re-adding the key with the correct passphrase didn't help because it kept getting the wrong passphrase from Kwallet.

To help future readers, I would recommend troubleshooting like so:

1. Check how many SSH agents are running: `pgrep ssh`
  * If any are running, it's better to kill them all with `pkill ssh` so you can start fresh
  * You can do it with `env | rg ssh`
2. Check that the environment variables are set. When you run `ssh-agent`, it will print some commands that are meant to be sourced by a shell. These set the envars `SSH_AGENT_PID` and `SSH_AUTH_SOCK`. Of course their values will change at every run of `ssh-agent`, so it is better to do `ssh-agent > ~/.ssh/ssh-agent.env` and then source the .env file, so that you can also inspect it later.
  * `SSH_AGENT_PID` must match the actual PID from `pgrep ssh`
  * The file in `SSH_AUTH_SOCK` must exist
3. Check that keys are added. `ssh-add -l` will show currently cached keys. `ssh-add /path/to/key` will add a key.
  * The key you want must be present.
4. Check the cached passphrase. When adding keys, the agent should ask you for a passphrase in a manner determined by the envars `SSH_ASKPASS` and `SSH_ASKPASS_REQUIRE`. These are sometimes set to various password managers. For example, `SSH_ASKPASS=$(which ksshaskpass)` with kwallet installed allows you to check "remember password" when entering your passphrase. If a credential store is configured with these envars, open that store and see if you can find anything about the keys. It is sometimes useful to delete the saved SSH key passphrases from this store, so that it forces you to enter it again next time you do `ssh-add`. This will eliminate the possibility of an incorrect passphrase like I describe in the beginning of my post.
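
Steps 1 to 3 of the checklist above as one script, added here as an example and not part of the original answer. It also compares the fingerprint of every public key in `~/.ssh` against `ssh-add -l`, which exposes a key that silently failed to load. The function names, the `~/.ssh/*.pub` layout and the use of `pgrep -x ssh-agent` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original answer.

# pid_matches PIDS: is $SSH_AGENT_PID one of the running agent PIDs (one per line)?
pid_matches() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 1
    printf '%s\n' "$1" | grep -qx -- "$SSH_AGENT_PID"
}

# sock_ok: does $SSH_AUTH_SOCK point at an existing socket?
sock_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# key_loaded LISTING FINGERPRINT: is the fingerprint present in `ssh-add -l` output?
# Listing lines look like: "256 SHA256:<hash> comment (ED25519)".
key_loaded() {
    printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

diagnose() {
    pids=$(pgrep -x ssh-agent)
    echo "agents running: $(printf '%s\n' "$pids" | grep -c .)"
    pid_matches "$pids" || echo "FAIL: SSH_AGENT_PID='${SSH_AGENT_PID:-}' matches no running agent"
    sock_ok || echo "FAIL: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' is not a socket"
    listing=$(ssh-add -l 2>/dev/null); rc=$?
    # ssh-add exits with 2 when it cannot contact the agent at all.
    [ "$rc" -eq 2 ] && { echo "FAIL: cannot contact the agent"; return 2; }
    for pub in "$HOME"/.ssh/*.pub; do
        [ -f "$pub" ] || continue
        fp=$(ssh-keygen -lf "$pub" | awk '{ print $2 }')
        if key_loaded "$listing" "$fp"; then
            echo "ok:   $pub is loaded"
        else
            echo "FAIL: $pub is not in the agent; re-run ssh-add and check the stored passphrase (step 4)"
        fi
    done
}

# Run the live checks only when asked: sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then diagnose; fi
```

A key reported as not loaded right after an `ssh-add` that asked for nothing points at step 4: the askpass helper supplied a stored passphrase.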