From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Arun Isaac Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 15 Apr 2022 11:10:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 54950@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.165002098131975 (code B ref -1); Fri, 15 Apr 2022 11:10:01 +0000 Received: (at submit) by debbugs.gnu.org; 15 Apr 2022 11:09:41 +0000 Received: from localhost ([127.0.0.1]:58208 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nfJpc-0008Jf-Sz for submit@debbugs.gnu.org; Fri, 15 Apr 2022 07:09:41 -0400 Received: from lists.gnu.org ([209.51.188.17]:37664) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nfJpb-0008JZ-9b for submit@debbugs.gnu.org; Fri, 15 Apr 2022 07:09:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:50968) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nfJpb-00051S-5b for bug-guix@gnu.org; Fri, 15 Apr 2022 07:09:39 -0400 Received: from mugam.systemreboot.net ([139.59.75.54]:45478) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nfJpY-0001zj-Ab for bug-guix@gnu.org; Fri, 15 Apr 2022 07:09:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Dd2XR/alE2LlWeEq88TslB/FroM57H1b5W/5Kr2FhhI=; b=dbVo4DBbto5kauEWMQ9ecd5aBg 8pSlMcur7J/EEX7bMGFm/6q4vCfyo+kfp3DTUPeA80ahgM3Ex+7LRPYoBXA6DAS7KuSv7QPI6hBed +shfmrqmpwahtAIm8lAiwO4Rltiaoqx4YYgHKTD5OJN7EDfr85aUwHwY1lt8+ouNiJxWFGuc4XgTv mNpeBQK6v8cjAZtGcPXZ70OtqItaSWG1BhZ69SpPFoIrSSwikO+NpVcrf/cUvXdZUAFZV0DloBvSr TTN/7oxSDcFK1dyrqeGQ54EDWEE+tnGNOT8cKh5SMv3YldSzE3w9W7jdF8phoi/h6H9zD7nKvS05r ut4xUS5g==; Received: from [192.168.2.1] (port=6274 helo=steel) by systemreboot.net with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1nfJpQ-000JXa-1K for bug-guix@gnu.org; Fri, 15 Apr 2022 16:39:28 +0530 From: Arun Isaac Date: Fri, 15 Apr 2022 16:39:25 +0530 Message-ID: <87pmli1u3e.fsf@systemreboot.net> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=139.59.75.54; envelope-from=arunisaac@systemreboot.net; helo=mugam.systemreboot.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) I have an SSH key encrypted with a passphrase. When I try connecting to a remote guix daemon with that encrypted SSH key, it fails with the following error message. --8<---------------cut here---------------start------------->8--- $ GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello guix build: error: SSH authentication failed for 'foo': Access denied for 'publickey'. Authentication that can continue: publickey --8<---------------cut here---------------end--------------->8--- I expected some kind of prompt asking me for the passphrase, but did not get any. The same command works if I set up ssh-agent and add the relevant key to it. From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 08 Jun 2022 20:31:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Arun Isaac Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.165472023919599 (code B ref 54950); Wed, 08 Jun 2022 20:31:02 +0000 Received: (at 54950) by debbugs.gnu.org; 8 Jun 2022 20:30:39 +0000 Received: from localhost ([127.0.0.1]:44347 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nz2K7-00055o-3V for submit@debbugs.gnu.org; Wed, 08 Jun 2022 16:30:39 -0400 Received: from mail-qt1-f173.google.com ([209.85.160.173]:36625) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nz2K5-0004yN-DK for 54950@debbugs.gnu.org; Wed, 08 Jun 2022 16:30:37 -0400 Received: by mail-qt1-f173.google.com with SMTP id x18so12905299qtj.3 for <54950@debbugs.gnu.org>; Wed, 08 Jun 2022 13:30:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=wCw4TjSj+aUw9XVfaUXb+CuNvFZ1Jf6T7hpiJCh4rF8=; b=bCwXNwLXmh8oJXecjnq6WvDW2ySspITDEgs9xzHRigHGVrEDQ3V7a1aTeYvXcWVSgm YPX9rqEyLQRRG3tN01wSF/0LoYAuh60at2OfMJBLUoCoXn3pHGLsocSYfwQbLFvpq8ia XpvZqGxYzn30yv45clxPua/fB1RuHCcKizAlpXzkxX+G8lYim2eRQtfD+olv7+AacdwB UmmlMQ+ZsWYeVHLOMWxDpQTFf6RC5GoJoi6G/oz1gzxxBBmdWtBDvmt2tDBXQMJXwlZU 5TU0g73arDdRDk99c5i4mFTmFa8U62E96IJ3tVQ5wNKDt/sR4MhtPH5NHzGuHBB47Rfg G12g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=wCw4TjSj+aUw9XVfaUXb+CuNvFZ1Jf6T7hpiJCh4rF8=; b=3bHq021S1l2IoEkTQN0o1gSwMLNDzN7teTy8qbJJzhbdFXT/2utD29BVM01smXkXlz F9MdCJQEA15QNv2mXuw1JcdkI2TFBdZrlCUU/1YcVGCS7NHtiTwmgPYJqtFbHjochl4i 9EVoxo3ZYlBnY/qxCrayYb18RcQWevKGwyFWN+szskfVxYQE6O8zVVKAjcmobk47Fc62 2CxWRk8tHxeBPzVPVgPup6MukJ49/6s6J4iVgWm77DAJwd8VN4M/mvX4q3qot/QLqjOc JjD9AaWPFDKl6boHLWXQkM8o7KCUVXD+1HheWUFsVqTz50h1poRMiEielJcm2bzFm2qi hzuQ== X-Gm-Message-State: AOAM5312DrRRs9FpsVbF0OQaxs+BdCd8VNCo5io1QYxrOObSkzK8FAWM IvWFI+QJ233xy9tTJq95lEjHGxHMn5I2RQ== X-Google-Smtp-Source: ABdhPJxpAFCZb+4BV4uh6ZxhOSGaTJYWgT3dHWYzfSE3I4OFvq24CBx84xznRWLD8XkP2g98+iW9aQ== X-Received: by 2002:a05:622a:1443:b0:304:c333:df46 with SMTP id v3-20020a05622a144300b00304c333df46mr28703632qtx.566.1654720230363; Wed, 08 Jun 2022 13:30:30 -0700 (PDT) Received: from hurd (dsl-151-172.b2b2c.ca. [66.158.151.172]) by smtp.gmail.com with ESMTPSA id q22-20020ac87356000000b00304dd83a9b1sm12086478qtp.82.2022.06.08.13.30.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 Jun 2022 13:30:29 -0700 (PDT) From: Maxim Cournoyer References: <87pmli1u3e.fsf@systemreboot.net> Date: Wed, 08 Jun 2022 16:30:28 -0400 In-Reply-To: <87pmli1u3e.fsf@systemreboot.net> (Arun Isaac's message of "Fri, 15 Apr 2022 16:39:25 +0530") Message-ID: <87a6amkie3.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi, Arun Isaac writes: > I have an SSH key encrypted with a passphrase. When I try connecting to > a remote guix daemon with that encrypted SSH key, it fails with the > following error message. > > $ GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello > guix build: error: SSH authentication failed for 'foo': Access > denied for 'publickey'. Authentication that can continue: publickey > > I expected some kind of prompt asking me for the passphrase, but did not > get any. The same command works if I set up ssh-agent and add the > relevant key to it. I suspect this is due to changes in OpenSSH *client* that now refuse older RSA keys for security reasons. Could you retry with the following option: 'StrictHostKeyChecking no' applied to the host in your ~/.ssh/config? If that's indeed the problem, you'll want to upgrade your key to something more modern like ed25519. I hope that helps, Maxim From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Arun Isaac Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 15 Jun 2022 06:31:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Maxim Cournoyer Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.16552746451137 (code B ref 54950); Wed, 15 Jun 2022 06:31:02 +0000 Received: (at 54950) by debbugs.gnu.org; 15 Jun 2022 06:30:45 +0000 Received: from localhost ([127.0.0.1]:36275 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1MY8-0000IG-Lc for submit@debbugs.gnu.org; Wed, 15 Jun 2022 02:30:44 -0400 Received: from mugam.systemreboot.net ([139.59.75.54]:46416) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1MY5-0000I5-6i for 54950@debbugs.gnu.org; Wed, 15 Jun 2022 02:30:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=P+b39sJQrsIuKAmTAoZSoipQkOpx1otXrL4396d7xSc=; b=biUsUpGyK4Sde5zRNbONerqHzs 9t45354s9K6p4ajbW4ntLh5arqQUuDVfR73QkzAjUykVqYRoimMjZMUqgWHGxlDxPnhqW0SfkG9vY GN5CP8/jm1WNmd4gB+ZNJqWy9a3tLkm8xbTZX42wOBi6478DXMHDyNH01YYoLv40wTnwv288qqILg n0VbpyBjOTETpkS373ng4QORfs7TYDyCHmu68a4tcxeppN7GDJt8zIVy/OuAmFIjH0zqwtLfWrdVP 03RA2ZS9Ij0T1962A55bkChQ8GiHl5swEm/M0x/LoYgADcFpMBOP5PibtGrLD6IYew8qrtTc45nPc uikv/6+w==; Received: from [192.168.2.1] (port=4692 helo=steel) by systemreboot.net with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1o1MY0-000BeN-U3; Wed, 15 Jun 2022 12:00:37 +0530 From: Arun Isaac In-Reply-To: <87a6amkie3.fsf@gmail.com> References: <87pmli1u3e.fsf@systemreboot.net> <87a6amkie3.fsf@gmail.com> Date: Wed, 15 Jun 2022 12:00:36 +0530 Message-ID: <87sfo630c3.fsf@systemreboot.net> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Maxim, > I suspect this is due to changes in OpenSSH *client* that now refuse > older RSA keys for security reasons. This doesn't seem to be. Here's why: I have another machine that I ssh to using an unencrypted RSA key. I am able to connect to the Guix daemon on that machine without any trouble. What's more, the machine with an encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA key. > Could you retry with the following option: 'StrictHostKeyChecking no' > applied to the host in your ~/.ssh/config? Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted key still works, and the encrypted doesn't. Cheers! Arun From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 15 Jun 2022 15:47:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Arun Isaac Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.165530801513214 (code B ref 54950); Wed, 15 Jun 2022 15:47:02 +0000 Received: (at 54950) by debbugs.gnu.org; 15 Jun 2022 15:46:55 +0000 Received: from localhost ([127.0.0.1]:39608 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1VEM-0003R3-Sx for submit@debbugs.gnu.org; Wed, 15 Jun 2022 11:46:55 -0400 Received: from mail-qk1-f181.google.com ([209.85.222.181]:43798) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1VEI-0003Qo-9b for 54950@debbugs.gnu.org; Wed, 15 Jun 2022 11:46:53 -0400 Received: by mail-qk1-f181.google.com with SMTP id p63so9001725qkd.10 for <54950@debbugs.gnu.org>; Wed, 15 Jun 2022 08:46:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=q72UUgNIDAWLw+IIetjfhAWpKddjbkqj+T3o9USl4zs=; b=eQP2jzNGEOUncHDemzjpXvST0xdeGk1+y3hhTfQsvhN3NBdYl8jS/s1VtMkfogw2Hq 5xF9pte7cg25E7OQJKJYgyXFSCehqq1v7DJ97uNwffikSb8Hl25/oWTcbi42tFZQCtgy DEfUzIgQjrBeF66n28McjdVTjEaSVY61P83VTv2Df+U8aaSgBnFvwZBOFpt3Sw+K7ycZ OdnadjkfGhhBxUxycNGZLA9iqJm9Sh/IbUiz4nUmHuylgbF0szpqy8OJ3W7SAOmQAZNv +unSt9nqCWv4aO+bI9enMOwhUHev6hO1Sho9Eyzv37ciXucVRx3/IgEkSFOydDCiMx8S kbNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=q72UUgNIDAWLw+IIetjfhAWpKddjbkqj+T3o9USl4zs=; b=0WlUnOuacy7FX2Lg1kSFZCjFAphOZ1OrwOY+s5c2h1r82898jf1bcXo497YJ2sADg1 9V1EtWa0t/qe7lheeUpg1xW82MZ6s+LI0jEt6JGoVIX1p8YqSJKrr6Bh7eIy4Lf53AIK OlUb2lCGoWM0q1/d34CsGE7OZHrTqtMwb29OWQaFIVh/AD53LYPMBX7vbilmUfd9tEqX e90uHquQB6XA6x3I6W1nSuM98OQjgKY+tDKC0rIjwHnbNiQXruPuSLtMMEwhWQmTITFW OoHaA5npYevD0sVJlh+AeBqTrzEX2VXuXEeh1qp0HfXGNlurb09s5f/xXc1QLIGuTf1C gMTg== X-Gm-Message-State: AJIora/7HLb6FLFnKBqXMX5B+rwKrhoyf2XZp5Y2CvRbKUMuZH4LzF7n beZLG4yoKlPei82jhfzsaU7WnIhtU6RcDQ== X-Google-Smtp-Source: AGRyM1vbPujWN+gtSVLgQgUtySY9ZrVQHGSLo6Ba7/OcKFaDAUnq9i4IWKZejmKo72QPF0UYm6Z5kQ== X-Received: by 2002:a05:620a:25c7:b0:699:be71:59ee with SMTP id y7-20020a05620a25c700b00699be7159eemr258844qko.222.1655308004150; Wed, 15 Jun 2022 08:46:44 -0700 (PDT) Received: from hurd (dsl-10-149-53.b2b2c.ca. [72.10.149.53]) by smtp.gmail.com with ESMTPSA id bi3-20020a05620a318300b006a700aad48bsm11801246qkb.91.2022.06.15.08.46.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jun 2022 08:46:43 -0700 (PDT) From: Maxim Cournoyer References: <87pmli1u3e.fsf@systemreboot.net> <87a6amkie3.fsf@gmail.com> <87sfo630c3.fsf@systemreboot.net> Date: Wed, 15 Jun 2022 11:46:42 -0400 In-Reply-To: <87sfo630c3.fsf@systemreboot.net> (Arun Isaac's message of "Wed, 15 Jun 2022 12:00:36 +0530") Message-ID: <8735g6dj4t.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Arun, Arun Isaac writes: > Hi Maxim, > >> I suspect this is due to changes in OpenSSH *client* that now refuse >> older RSA keys for security reasons. > > This doesn't seem to be. Here's why: I have another machine that I ssh > to using an unencrypted RSA key. I am able to connect to the Guix daemon > on that machine without any trouble. What's more, the machine with an > encrypted key, whose Guix daemon I'm unable to connect to, uses an ECDSA > key. > >> Could you retry with the following option: 'StrictHostKeyChecking no' >> applied to the host in your ~/.ssh/config? > > Adding 'StrictHostKeyChecking no' makes no difference. The unencrypted > key still works, and the encrypted doesn't. Thanks for checking. Other things to try: Kill pinentry, which is potentially waiting for the passphrase on the wrong X11 display or tty, for example if you accessed the machine via SSH: killall pinentry I don't know which ssh agent you use; I use the 'gpg-agent' provided by GnuPG. info '(gnupg) Common Problems' has this: * SSH hangs while a popping up pinentry was expected SSH has no way to tell the gpg-agent what terminal or X display it is running on. So when remotely logging into a box where a gpg-agent with SSH support is running, the pinentry will get popped up on whatever display the gpg-agent has been started. To solve this problem you may issue the command echo UPDATESTARTUPTTY | gpg-connect-agent and the next pinentry will pop up on your display or screen. However, you need to kill the running pinentry first because only one pinentry may be running at once. If you plan to use ssh on a new display you should issue the above command before invoking ssh or any other service making use of ssh. It seems this gotcha would also apply to other SSH agents. I've had this problem in the past, when SSH'in to a remote machine that had a graphical session running, and killing the running pinentry and issuing the above 'echo UPDATESTARTUPTTY | gpg-connect-agent' command did the trick. Let me know if this helps. Maxim From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Arun Isaac Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 16 Jun 2022 06:35:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Maxim Cournoyer Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.165536127823383 (code B ref 54950); Thu, 16 Jun 2022 06:35:03 +0000 Received: (at 54950) by debbugs.gnu.org; 16 Jun 2022 06:34:38 +0000 Received: from localhost ([127.0.0.1]:40507 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1j5S-000655-55 for submit@debbugs.gnu.org; Thu, 16 Jun 2022 02:34:38 -0400 Received: from mugam.systemreboot.net ([139.59.75.54]:46418) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1j5P-00064t-1B for 54950@debbugs.gnu.org; Thu, 16 Jun 2022 02:34:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=qmCJ9xfk31uLLXYq5Basof3K1tbjIOC8vOlwGnpotqQ=; b=fcNbBXlzC9lGgQQFbj+qmBc3K1 3wAexca9nz9z1ZRDmYvZFk9cEIz18vcBwRSdlYJhw8dGS85HE05Xs71qzjaufvazuW5ewHaK08Hz1 tDocb4xAiDsrj1+6lOyeUPza1LqNbzWxPD7kg03Ddnc5Cy5DPQX5HBUtk6tl95yhC36vmkmCrSVTV xjgb15J4AVUXMiJ7+G0QkrFl/GLqrY2nT7QwgiqlidQLalY309KuVsNMhZcCI6fmxczLooTIxk4bN KZNuwzTCGOLbDonxqQBnTTP1UanTmxeErV1PRIit6RbsimyN/ut5AAthSVoeblm4mfhmNy/5kz+me va1C6lag==; Received: from [192.168.2.1] (port=4786 helo=steel) by systemreboot.net with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1o1j5L-000EUa-A4; Thu, 16 Jun 2022 12:04:31 +0530 From: Arun Isaac In-Reply-To: <8735g6dj4t.fsf@gmail.com> References: <87pmli1u3e.fsf@systemreboot.net> <87a6amkie3.fsf@gmail.com> <87sfo630c3.fsf@systemreboot.net> <8735g6dj4t.fsf@gmail.com> Date: Thu, 16 Jun 2022 12:04:30 +0530 Message-ID: <87ilp12k21.fsf@systemreboot.net> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Maxim, I normally use neither OpenSSH's ssh-agent nor gpg-agent's ssh-agent feature. But, when I do, it works. I didn't run into any pinentry issues like you described. But, that's only because a passphrase entry is not required at the time of `guix build'. Passphrase entry is required only at the time of `ssh-add' when I am adding the key to the ssh-agent. Just to be clear, here are the exact steps I used to set up gpg-agent. Enable gpg's ssh-agent feature $ echo use-agent >> ~/.gnupg/gpg.conf $ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf pkill and restart gpg-agent (command not shown). Then, add the key to gpg's ssh-agent. A passphrase is prompted at this point. $ ssh-add ~/.ssh/id_ecdsa guix build with remote daemon. A passphrase is not prompted at this point because it was already added into the ssh-agent in the last step. $ SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh GUIX_DAEMON_SOCKET=ssh://foo guix build -v3 hello So, with an ssh-agent, guix build on a remote daemon works. But, I'd like it to work without an ssh-agent. Is that possible? Regards, Arun From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 16 Jun 2022 14:02:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Arun Isaac Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.16553881187081 (code B ref 54950); Thu, 16 Jun 2022 14:02:02 +0000 Received: (at 54950) by debbugs.gnu.org; 16 Jun 2022 14:01:58 +0000 Received: from localhost ([127.0.0.1]:42716 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1q4D-0001q0-IL for submit@debbugs.gnu.org; Thu, 16 Jun 2022 10:01:58 -0400 Received: from mail-qv1-f52.google.com ([209.85.219.52]:35406) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1q49-0001pk-6W for 54950@debbugs.gnu.org; Thu, 16 Jun 2022 10:01:48 -0400 Received: by mail-qv1-f52.google.com with SMTP id u8so2204830qvj.2 for <54950@debbugs.gnu.org>; Thu, 16 Jun 2022 07:01:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=6f5zvqeAdJd3b6RyVrwyx8CFtNHR0Xlm7z+1t+trwPk=; b=V5OF/je0Z5fCLIwgkUaKtsGnFnze7vwGVf9RsEh4Wn++GflRqsgaIpmgRoVQotShqx 1tAIudpSHN7KjGJ7cfMFCHvkiYRHKxt8P29QKwQ6X8pEJLAp9wWmD9zaefGZANOGrngn 3i7Arw79k/UaX3jVo08asrwVtaGvo6F66qAdzdmuxQyNlLTqMPO2yKiTU8XMjfoPviU3 U2YahhQT4gnzr48QfWfssl6QWB4ScWVPmBGtffZfR9MURPX3S6Ma6W/cqTdOIZDHS7B/ 3JYfeEbJJ8yr1Zy/TPqoMEJr/qFuc/42mgVBpW+ryi4c/XIXOOy8P2/WehqL90VwlKJg DJcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=6f5zvqeAdJd3b6RyVrwyx8CFtNHR0Xlm7z+1t+trwPk=; b=0idetxIHrOw+aFCnNPd/lkTHHfBBT8IaebboquXiwPrIN4wg5/TsSi2tqvYvVrAzUy 2/Mq/9aTuTkdZDxne8bF6/bOqfWO1rlTAaqaBwgDONAdf7Ltc9ke22MhRH+s6UzSfAkC Qcd6hLLHzTjzNiY6+xXptpovJ8k/bubUbPIjUqFsSeEGxtwdv6DTxAa4fjlJk0SWR5LT xPu5CQyEwb7XpfO7x8vB1k4fKhjyMf0f1cWj2b+qUAV7nI+3W5tj5YNIgjqOHx/JsNH2 z7h1XpNoc0HfcpcTIXPGmadlbUxuYskakufcrxz4G971awNTNFdOmqZjcg4EqK0//NPx 350g== X-Gm-Message-State: AJIora/kSpby1lIxToBOdcWHWS6eLB42F2kdBCnpeGdG0q5VYFpcHdYY vIl4OwU26GQoOeliCqG7cXKI6hXP6I4gVg== X-Google-Smtp-Source: AGRyM1vvOIYXQ+nKeYSyiVA+18Vm56cC1ISsWdDFocJofp4ctXGwazonHOJeh9SD08H9gb7NcF/3dQ== X-Received: by 2002:a05:622a:8b:b0:305:29cd:4ff3 with SMTP id o11-20020a05622a008b00b0030529cd4ff3mr4156975qtw.32.1655388098891; Thu, 16 Jun 2022 07:01:38 -0700 (PDT) Received: from hurd (dsl-10-149-53.b2b2c.ca. [72.10.149.53]) by smtp.gmail.com with ESMTPSA id x23-20020ae9e917000000b0069fc13ce1f2sm1807865qkf.35.2022.06.16.07.01.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Jun 2022 07:01:38 -0700 (PDT) From: Maxim Cournoyer References: <87pmli1u3e.fsf@systemreboot.net> <87a6amkie3.fsf@gmail.com> <87sfo630c3.fsf@systemreboot.net> <8735g6dj4t.fsf@gmail.com> <87ilp12k21.fsf@systemreboot.net> Date: Thu, 16 Jun 2022 10:01:37 -0400 In-Reply-To: <87ilp12k21.fsf@systemreboot.net> (Arun Isaac's message of "Thu, 16 Jun 2022 12:04:30 +0530") Message-ID: <87a6acd7we.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hello Arun, Arun Isaac writes: > So, with an ssh-agent, guix build on a remote daemon works. But, I'd > like it to work without an ssh-agent. Is that possible? I've re-read the original issue and now I have a better understanding of it; the manual mentions GUIX_DAEMON_SOCKET is handled via the Guile-SSH library. I'm curious as to how SSH clients typically trigger 'pinentry' to prompt; perhaps Guile-SSH is lacking some feature here. I hope someone in the know can tip in! In the meantime, you've already found a workaround (the use of an SSH agent). Thanks, Maxim From unknown Tue Jun 17 01:38:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#54950: Connecting to remote guix daemon with encrypted SSH key fails Resent-From: Arun Isaac Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 17 Jun 2022 06:53:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54950 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Maxim Cournoyer Cc: 54950@debbugs.gnu.org Received: via spool by 54950-submit@debbugs.gnu.org id=B54950.165544878015872 (code B ref 54950); Fri, 17 Jun 2022 06:53:01 +0000 Received: (at 54950) by debbugs.gnu.org; 17 Jun 2022 06:53:00 +0000 Received: from localhost ([127.0.0.1]:43598 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o25ql-00047w-PO for submit@debbugs.gnu.org; Fri, 17 Jun 2022 02:52:59 -0400 Received: from mugam.systemreboot.net ([139.59.75.54]:46420) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o25qj-00047l-9D for 54950@debbugs.gnu.org; Fri, 17 Jun 2022 02:52:59 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=systemreboot.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=TfRzuhgjtNA949fYGo833aYOWN9XIXlqKEqRrCDOhRc=; b=eaFJOWg2La+xUD68O9DLQ8Jq9f 3IOy5gsCXoEGdT5cNa5r+Bfw0MY6IpFZzpuO1tjE10lB3YORkIVDoTjsMNnu0nNJFSIeITRVg6lQ3 sCduoYLXCTZ3uzMCn/WnHZqn65po+p4GxxSG01oyyj6MA4TBwaFvMipVTTjHSkrO6lo0PLbPZsmF6 Mf6Na/YzJiEFeO+Uq+/GkgcpiLWNcGMruP5mwj336G4gX+rpltQ8qv8IZ7XqclFogX2PdWUzbIVDO Ybiw78noG2fx4HFlhs5kYTeJio90rpbaoxoD7MBVA9F8n/NK9eEncaAq5hQ8UWZxhFZmTfI2GGooU 9y25pN6A==; Received: from [192.168.2.1] (port=4942 helo=steel) by systemreboot.net with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1o25qf-000Hq2-0x; Fri, 17 Jun 2022 12:22:53 +0530 From: Arun Isaac In-Reply-To: <87a6acd7we.fsf@gmail.com> References: <87pmli1u3e.fsf@systemreboot.net> <87a6amkie3.fsf@gmail.com> <87sfo630c3.fsf@systemreboot.net> <8735g6dj4t.fsf@gmail.com> <87ilp12k21.fsf@systemreboot.net> <87a6acd7we.fsf@gmail.com> Date: Fri, 17 Jun 2022 12:22:52 +0530 Message-ID: <87fsk33hob.fsf@systemreboot.net> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Maxim, > I'm curious as to how SSH clients typically trigger 'pinentry' to > prompt; perhaps Guile-SSH is lacking some feature here. Exactly my point! :-) > I hope someone in the know can tip in! In the meantime, you've already > found a workaround (the use of an SSH agent). Yup. Thanks, Arun