I copied identities id_rsa from an old computer to a new one, both running the same version of Debian. When I do ssh-add I get:
Could not add identity xxx: agent refused operation
Why?
3 Answers
Your ssh-agent is not running or ssh-add can not connect to it via SSH_AUTH_SOCK.
To get ssh-agent running:
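A way to tell which of the two cases named in the answer above applies, added here as an example and not part of the original answer. The function name `agent_state` and its state labels are made up for illustration; the exit-status mapping follows ssh-add(1).

```shell
#!/bin/sh
# Added diagnostic example (not from the original answers).
# Classifies the agent that a given SSH_AUTH_SOCK value points at.
# ssh-add -l exit status per ssh-add(1):
#   0 = identities listed, 1 = command failed (agent reachable, no identities),
#   2 = unable to contact the authentication agent.

agent_state() {   # hypothetical helper name
    sock=$1
    if [ -z "$sock" ]; then
        echo "unset"            # no agent socket configured in this shell
        return 0
    fi
    if [ ! -S "$sock" ]; then
        echo "not-a-socket"     # path is missing or is not a Unix socket
        return 0
    fi
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "reachable-with-keys" ;;
        1) echo "reachable-no-keys" ;;
        2) echo "unreachable" ;;    # stale socket: nothing is listening on it
        *) echo "error-$rc" ;;      # e.g. 127 when ssh-add is not installed
    esac
}

# Report for the current shell, plus which binaries PATH resolves to.
echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}"
echo "state: $(agent_state "${SSH_AUTH_SOCK:-}")"
echo "ssh-agent on PATH: $(command -v ssh-agent || echo none)"
echo "ssh-add on PATH:   $(command -v ssh-add || echo none)"
```

If the state is "reachable-no-keys" or "reachable-with-keys" and ssh-add still reports "agent refused operation", the agent is running and reachable, so the cause lies elsewhere.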
In my case the SSH_AUTH_SOCK socket was not pointing to the correct ssh-agent instance. So what I did was to ssh-agent -d so that it printed its socket, set SSH_AUTH_SOCK to that value and run ssh-add <key file>, which worked.
Originally SSH_AUTH_SOCK was /private/tmp/com.apple.launchd.3sfgCOEaij/Listeners (I am on Mac) while when I start ssh-agent, it creates /var/folders/07/46ycckp94db7k29k012nxjp00000gn/T//ssh-bWhNQhrLKeVJ/agent.35804, i.e. a completely different path. I have no idea where the original one came from. (It is also possible that the GPG Suite and its gpg-agent are somehow messing things up.)
Update
I think I know what the problem was. The original SSH_AUTH_SOCK (…apple…/Listeners) is likely set by Apple’s ssh-agent, while I have been starting an openssh agent installed via brew (where ssh-agent -> /usr/local/bin/ssh-agent which is symlink to /usr/local/Cellar/openssh/9.1p1/bin/ssh-agent). That is also why I had two ssh-agent instances – the first was the OS-started apple one, the second was the openssh one I started in the terminal.
And my ssh-add was failing b/c apple ssh-agent is old and does not support *-sk keys (sk = security key, with support for FIDO/U2F Support, see https://www.openssh.com/txt/release-8.2).
Attempted permanent fix
I have changed the ssh-agent started by OSX to be the brew-installed one – in /System/Library/LaunchAgents/com.openssh.ssh-agent.plist I changed the path (the first of ProgramArguments) from /usr/bin/ssh-agent to