Question posted in 
I copied identities id_rsa from an old computer to a new one, both running the same version of Debian. When I do ssh-add I get:
Could not add identity xxx: agent refused operation
Why?
I copied identities id_rsa from an old computer to a new one, both running the same version of Debian. When I do ssh-add I get:
Could not add identity xxx: agent refused operation
Why?
3
Answers
Your
ssh-agentis not running orssh-addcan not connect to it viaSSH_AUTH_SOCK.To get ssh-agent running:
In my case the
SSH_AUTH_SOCKsocket was not pointing to the correct ssh-agent instance. So what I did was tossh-agent -dso that it printed its socket,SSH_AUTH_SOCKto that value and runssh-add <key file>, which workedOriginally
SSH_AUTH_SOCKwas/private/tmp/com.apple.launchd.3sfgCOEaij/Listeners(I am on Mac) while when I start ssh-agent, it creates/var/folders/07/46ycckp94db7k29k012nxjp00000gn/T//ssh-bWhNQhrLKeVJ/agent.35804, i.e. a completely different path. I have no idea where the original one came from. (It is also possible that the GPG Suite and itsgpg-agentare somehow messing things up.)Update
I think I know what the problem was. The original SSH_AUTH_SOCK (…apple…/Listeners) is likely set by Apple’s ssh-agent, while I have been starting an openssh agent installed via brew (
where ssh-agent->/usr/local/bin/ssh-agentwhich is symlink to/usr/local/Cellar/openssh/9.1p1/bin/ssh-agent). That is also why I had to ssh-agent instances – the first was the OS-started apple one, the second was the openssh one I started in the terminal.And my
ssh-addwas failing b/c apple ssh-agent is old and does not support *-sk keys (sk = security key, with support for FIDO/U2F Support, see https://www.openssh.com/txt/release-8.2).Attempted permanent fix
I have changed the ssh-agent started by OSX to be the brew-installed one – in
/System/Library/LaunchAgents/com.openssh.ssh-agent.plistI changed the path (the first of ProgramArguments) from ~/usr/bin/ssh-agent~ to