I have had a working split-ssh configuration for a long time. Recently, after upgrading to 4.3 with a clean install and reapplying the SshAgent policy in dom0,
I try this in the previously working appvm:
$ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "/home/user/.ssh/id_ed25519_github" from agent: agent refused operation
git@ssh.github.com: Permission denied (publickey).
In the meantime, my dom0 python popup appears and gets confirmation in the same way it did in 4.2. However, I see these lines in my ssh backend:
qrexec-client-vm[940]: Unknown hint "sender-pid", ignoring
qrexec-client-vm[940]: Message sent to server
qrexec-client-vm[940]: 16 bytes read!
ssh-askpass[1607]: cannot open display:
However, I can list ssh keys from the app vm (ssh client vm) and on the ssh backend vm correctly by using ssh-add -L.
This was due to the fact that the ssh-agent.service has SSH_ASKPASS_REQUIRE=force in its environment.
I have created an override for that, and ssh-askpass no longer appears in the log, but the split-ssh issue still persists.
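The override mentioned in the post, as an added example (not the poster's own files): a systemd user drop-in for the vault VM that stops ssh-agent from launching ssh-askpass on a VM with no display. It assumes, as the post states, that ssh-agent runs as the user unit ssh-agent.service; the post also notes that this alone did not clear the "agent refused operation" error, so treat it as removing the askpass noise, not as the full fix.

```shell
#!/bin/sh
# Added example (not from the forum post): write a systemd user drop-in that
# stops ssh-agent from forcing an askpass prompt in a display-less vault VM.
# Assumption: ssh-agent runs as the user unit "ssh-agent.service", as the post says.

# write_override DIR : create DIR/ssh-agent.service.d/10-no-askpass.conf and print its path
write_override() {
    dir="$1/ssh-agent.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-no-askpass.conf" <<'EOF'
[Service]
# "never" tells ssh-agent not to launch ssh-askpass at all (OpenSSH 8.4+);
# the confirmation step still happens through the qrexec policy prompt in dom0.
Environment=SSH_ASKPASS_REQUIRE=never
EOF
    printf '%s\n' "$dir/10-no-askpass.conf"
}

# effective_askpass_require DIR : report the value the drop-ins set for
# SSH_ASKPASS_REQUIRE (the last drop-in in sort order wins, as in systemd)
effective_askpass_require() {
    cat "$1"/ssh-agent.service.d/*.conf 2>/dev/null \
        | sed -n 's/^Environment=SSH_ASKPASS_REQUIRE=//p' | tail -n 1
}

# Real use (typed in the vault VM), then reload and restart the unit:
#   write_override "$HOME/.config/systemd/user"
#   systemctl --user daemon-reload && systemctl --user restart ssh-agent.service
#   systemctl --user show ssh-agent.service -p Environment
```

The verification command at the end lets you confirm that the running unit actually picked up the new environment; if the old `force` value is still listed, a second drop-in with a later sort name is overriding this one.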
Could you share how exactly you went about doing this? I’ve tried to do this as mentioned here but I haven’t been able to figure out what was meant by “using a non-gui ssh agent in the ssh backend (vault) vm instead”.
Hi @leni1, there was a short time frame in which this worked on some RC version of 4.3. However, later on it stopped working for some reason unknown to me, and therefore I have switched to using KeePassXC on my vault machine.
That worked and I did not go back. The part of the guide on KeePassXC is here:
This offers a good experience as well. You just need to unlock KeePassXC upon boot.
The original idea was to disable the attempt to run the gui pinentry component IIRC. But it stopped working during the lifetime of the RCs.