A few days ago, I set up a new computer with a fresh Manjaro installation. I then tried to use this computer to access the remote shell of a server, but I couldn’t.
When I turned on the debug flag -v, the error showed up:
sign_and_send_pubkey: signing failed for ED25519-SK "/home/sumar/.ssh/id_personal_sk.pub" from agent: agent refused operation
sumar@100.101.58.11: Permission denied (publickey).
The private key works on my laptop, so I’m not sure why it doesn’t work on this computer. It’s weird. Okay, the error is about the ssh agent, so let’s check the loaded keys. Listing the keys added to the agent shows the correct key:
$ ssh-add -l
256 SHA256:AVQCx8YQ8iFDbPBBV3H946tEdMS9YhRriCQT002qRwQ Sumarsono (Personal) (ED25519)
Then I checked the log from ssh-agent.service:
$ systemctl status --user ssh-agent.service
ssh-agent.service - OpenSSH key agent
Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-03-06 18:21:43 WIB; 27min ago
Mar 06 18:44:33 L490 ssh-agent[929]: reap_helper: helper exited with non-zero exit status
Mar 06 18:44:33 L490 ssh-agent[929]: process_sign_request2: sshkey_sign: unexpected internal error
Mar 06 18:47:23 L490 ssh-agent[929]: ssh_msg_recv: read header: Connection reset by peer
Mar 06 18:47:23 L490 ssh-agent[929]: client_converse: receive: unexpected internal error
Mar 06 18:47:23 L490 ssh-agent[929]: reap_helper: helper exited with non-zero exit status
Mar 06 18:47:23 L490 ssh-agent[929]: process_sign_request2: sshkey_sign: unexpected internal error
Mar 06 18:48:52 L490 ssh-agent[929]: ssh_msg_recv: read header: Connection reset by peer
Mar 06 18:48:52 L490 ssh-agent[929]: client_converse: receive: unexpected internal error
Mar 06 18:48:52 L490 ssh-agent[929]: reap_helper: helper exited with non-zero exit status
Mar 06 18:48:52 L490 ssh-agent[929]: process_sign_request2: sshkey_sign: unexpected internal error
What internal error? No clue, no useful information. I tried searching the internet, but I couldn’t find a solution.
After taking a break, something came to my mind. My SSH key is bound to a YubiKey, so maybe the SSH agent cannot communicate with it.
It turns out that I needed to install the extra/libfido2 package and configure ssh-agent to use ksshaskpass so that it could prompt the user to touch the YubiKey.
Here is my modification to ssh-agent.service. I added Environment=SSH_ASKPASS=/usr/bin/ksshaskpass:
# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" to be set in environment
[Unit]
ConditionEnvironment=!SSH_AGENT_PID
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
Environment=SSH_ASKPASS=/usr/bin/ksshaskpass
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a ${SSH_AUTH_SOCK}
SuccessExitStatus=2
Type=simple
[Install]
WantedBy=default.target
After installing libfido2 and restarting the service, I was able to SSH into my server without any issues. I just wish the debug log and the service log were more explicit so I could have debugged the issue more easily.
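The triage done by hand above, as an added example that is not part of the original post: a shell script that reads saved `ssh -v` output, the ssh-agent journal and the agent's unit file, and reports the two causes found here. The function names and file arguments are assumptions; the log lines in `demo` are copied from the post, and the unit fragment without SSH_ASKPASS is constructed.

```shell
#!/bin/sh
# Added example: triage for "agent refused operation" on FIDO2-backed (-SK) SSH keys.
# All function names and the three-file interface are assumptions of this sketch.

# Succeeds if the `ssh -v` output in $1 shows the agent refusing to sign with an -SK key.
sk_sign_refused() {
    grep -Eq 'signing failed for [A-Z0-9]+-SK .* from agent: agent refused operation' "$1"
}

# Succeeds if the ssh-agent journal in $1 shows its signing helper exiting with an error.
helper_failed() {
    grep -q 'reap_helper: helper exited with non-zero exit status' "$1"
}

# Prints the SSH_ASKPASS value set in unit file $1, or nothing if it is not set.
# Only the plain one-assignment-per-line form (as used in the post) is recognised.
unit_askpass() {
    sed -n 's/^Environment=SSH_ASKPASS=//p' "$1" | tail -n 1
}

# diagnose SSH_LOG AGENT_JOURNAL UNIT_FILE: prints one finding per line.
diagnose() {
    sk_sign_refused "$1" || { echo "no -SK signing failure found"; return 0; }
    echo "agent refused to sign with a hardware-backed (-SK) key"
    helper_failed "$2" && echo "agent signing helper exited: check that libfido2 is installed"
    [ -n "$(unit_askpass "$3")" ] || echo "unit sets no SSH_ASKPASS: agent cannot show the touch prompt"
    return 0
}

# Runs diagnose on the post's log lines plus a constructed unit without SSH_ASKPASS.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'sign_and_send_pubkey: signing failed for ED25519-SK "/home/sumar/.ssh/id_personal_sk.pub" from agent: agent refused operation' > "$d/ssh.log"
    printf '%s\n' 'Mar 06 18:44:33 L490 ssh-agent[929]: reap_helper: helper exited with non-zero exit status' > "$d/agent.log"
    printf '%s\n' '[Service]' 'Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket' > "$d/unit"
    diagnose "$d/ssh.log" "$d/agent.log" "$d/unit"
    rm -rf "$d"
}
```

To use it on a real machine, save `ssh -v` stderr and `journalctl --user -u ssh-agent.service` output to files and pass them to `diagnose` together with the unit file path.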