# ssh-agent: Permission denied [SOLVED]

## certocivitas

I am following the Gentoo Linux Keychain Guide but ran into a problem with ssh-agent. I have set up all my computers with pub/priv key encryption as per the guide, but when I run ssh-agent I get this output with no request for a passphrase:

 *Quote:*   

>  # ssh-agent
> 
> SSH_AUTH_SOCK=/tmp/ssh-GKurjM9013/agent.9013; export SSH_AUTH_SOCK;
> 
> SSH_AGENT_PID=9014; export SSH_AGENT_PID;
> ...

 

When I try to force ssh-agent to use my key this is all I get:

 *Quote:*   

>  # ssh-agent ~/.ssh/id_dsa
> 
> /root/.ssh/id_dsa: Permission denied

 

Any idea what I've done wrong?

Last edited by certocivitas on Sun Jul 24, 2005 5:38 pm; edited 1 time in total

----------

## robdd

Can you ssh in to your server using ssh on the command line, and do you get asked for the passphrase then? (Sorry if this is a dumb question, but you don't say in your post)

----------

## certocivitas

Ya, sorry for not saying. I can use ssh with the passphrase. I checked all my users' keys and they work. This is what root's .ssh dir looks like:

 *Quote:*   

>  # ls -la ~/.ssh
> 
> total 24
> 
> drwx------   2 root root 4096 Jul 22 22:08 .
> ...

 

So all groups -should- have access to the public key.

----------

## robdd

Hi there again. Forgive me if I'm asking more dumb questions, and also I haven't used ssh-agent at all, but..

The way I would normally expect ssh to be used is that each user has their own different private key (otherwise they would be able to log in to each other's accounts, read mail, etc). So my ssh server is configured with this line in the sshd_config file:

#AuthorizedKeysFile     .ssh/authorized_keys

Yeah, yeah it's commented out :), but that's because it's the default, which is to go to the user's home directory, and check out the public key that's in there. So if fred tries to ssh in the ssh server goes to /home/fred/.ssh and uses the contents of authorized_keys there to generate the encrypted challenge thingummy-dod-dad... Now if george logs in the ssh server looks in /home/george/.ssh instead. So if you want separate private keys and user privacy you need to generate private/public keys for each user, and stick them in the individual home directories.

From your initial post I see that you're getting a permission denied from root, so I'm confused as to what you're trying to do here. If you're trying to log in via ssh-agent as fred or george, and you've pointed the ssh server at root's .ssh directory then I'm not surprised that you're denied access - you damn well should be denied! If your aim is to allow individual users to use ssh-agent to access your server then my own feeling is that you should set up the individual private/public keys, and use the default method of looking up authorized_keys.

If you are somehow trying to ssh in as root, or give root privileges to everyone logging in then I think that's generally accepted to be a BAD IDEA.

All of this may have completely missed the point of what you're trying to do, but I hope it's a little helpful.

----------

## certocivitas

I appreciate the interest but I figured it out myself. All the accounts on my computers have their own keys and, as demonstrated by "-rw------- 1 root root 736 Jul 22 22:01 id_dsa", the private keys are not readable by anyone but the owner.

The point of ssh-agent is that you only need to enter pass phrases once as long as it's running. Then when you ssh into any machines that use the keys stored by the agent, login is automatic. The problem I was having was getting the ssh-agent started. I was using the Gentoo Keychain Howto, which skipped over ssh-agent startup because it expects users to use the keychain for that. To start up the ssh-agent manually I had to do this:

 *Quote:*   

> eval `ssh-agent -s`

 

As intended, it asks for the passphrase for the key in ~/.ssh, and when I try to connect to accounts on boxes that use that key, the connection is automatic.

----------
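
The startup sequence from this thread as an added example (not code posted by anyone in the thread): it imports the agent's variables with `eval`, checks that the private key has the owner-only mode shown above for id_dsa, and then hands the key to `ssh-add`, the step that prompts for the passphrase. The function names are hypothetical, and it assumes OpenSSH's `ssh-agent` and `ssh-add` are on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Define these in the interactive shell (or source the file) so that the
# SSH_AUTH_SOCK / SSH_AGENT_PID exports land in that shell, which is what
# running plain "ssh-agent" without eval fails to do.

# True only if the key file exists and grants nothing to group or others,
# i.e. the "-rw-------" mode shown for id_dsa in the thread.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Reuse a reachable agent; otherwise start one and import its variables.
# ssh-add -l exits with status 2 when it cannot contact an agent.
ensure_agent() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null || return 1
    fi
}

# Load one private key into the agent; ssh-add prompts for its passphrase.
load_key() {
    key=$1
    if ! key_is_private "$key"; then
        echo "refusing $key: missing or accessible to group/others" >&2
        return 1
    fi
    ensure_agent || return 1
    ssh-add "$key"
}

# Usage: load_key "$HOME/.ssh/id_dsa"
```

Passing a private key path as an argument to `ssh-agent` itself makes the agent try to execute that file as a command, which is where the "Permission denied" in the first post comes from.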

