Sunday 30 April 2023

Yubikey ssh on Ubuntu 22.04

Today I did full fresh installation of Ubuntu 22.04 to migrate to new 2T NVME disk from Samsung as I had disk space issues with my old 500G drive. 

After installation I noticed that I cannot use my Yubikey for ssh auth as documented here

I tried to add Yubikey as auth source and it failed with pretty weird error:

ssh-add -s /usr/lib/x86_64-linux-gnu/

Enter passphrase for PKCS#11: 

Could not add card "/usr/lib/x86_64-linux-gnu/": agent refused operation

 This error can mean literally anything.

I've tried running ssh agent manually in foreground mode:

ssh-agent -d

And after that I saw error which sounds like "no available slots".

So I back to guide as I suspected that my Yubikey died and I've sued following command:

sudo ykman list --serials

WARNING: PC/SC not available. Smart card (CCID) protocols will not function.

ERROR: Unable to list devices for connection


That's interesting and this error lead me to this bug and I got fix:

 sudo systemctl start pcscd

After that it worked just fine.

As long term fix you need to enable automatic start on machine boot: 

sudo systemctl enable pcscd

Sadly it's known Ubuntu bug

Thursday 13 April 2023

Yubikey ssh and signing failed for RSA "PIV AUTH pubkey" from agent: agent refused operation

You may face this issue if you use ssh and Yubikey like covered in this guide

Previously I had to reboot machine to address this issue but I found nice trick to get it work.

Originally error looks like:
ssh server
sign_and_send_pubkey: signing failed for RSA "PIV AUTH pubkey" from agent: agent refused operation
root@xxx: Permission denied (publickey).

It may happen when you forgot to tap confirmation on Yubikey and it was just slow.

First attempt to fix it was to kill all ssh agent processes which may be run on system:

ps aux|grep ssh

odintsov   16493  0.0  0.0   7972  5820 ?        S    12:36   0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

odintsov   16494  0.0  0.0 164340 11584 ?        SLl  12:36   0:00 /usr/lib/openssh/ssh-pkcs11-helper

odintsov   27798  0.0  0.0   7972  3848 ?        Ss   13:20   0:00 ssh-agent -s

odintsov   27801  0.0  0.0 164340 11572 ?        SLl  13:20   0:00 /usr/lib/openssh/ssh-pkcs11-helper

The best way to kill them is:

pkill ssh

After that we need to start ssh agent again:

eval `ssh-agent -s`

After that load Yubikey key to agent:

ssh-add -s /usr/lib/x86_64-linux-gnu/

For last command I use fancy alias in ~/.bashrc:

alias ssh_add='ssh-add -s /usr/lib/x86_64-linux-gnu/'

It's not clear why Yubikey fails that way. I think it has something to do with ssh-pkcs11-helper being stuck in operation to Yubikey hardware. 


Saturday 8 April 2023

How to enable IPv6 on Google Cloud?

Google Cloud has native support for IPv6 but you need to create special VPC network to use IPv6.

As first step open VPC configuration:

Then create new VPC network and fill all fields as on my screenshot. 

Then configure subnet settings. The most important step to specify dual stack. 

Then you need to create default firewall rules to allow ICMPv6. You may notice that we use number 58 instead of ICMPv6 due to following issue:

Then enable ssh:

After these steps you can create new Compute instances in this region. Then you need to open advanced settings and select our new IPv6 enabled network in list:

And finally select dual stack:

The fun thing that you actually can disable IPv4 completely or you can allocate dedicated IPv6 address for machine. 

Pricing for IPv6 addresses even static ones is mostly free:

Sunday 2 April 2023

Building log4cpp 1.1.4rc3 on msys2 environment on Windows Server 2022

 I got following error during my attempts to build lo4cpp in msys2 environment:

"../include/log4cpp/config-MinGW32.h:27:17: error: 'long long long' is too long for GCC"

It can be easily fixed by commenting following code in file include/log4cpp/config-MinGW32.h

// #define int64_t __int64 

I'll try to report this issue to upstream to have it fixed.  

Got this hint from this blog.

Enabling SSH server on Windows 2022 Datacenter edition

After friend's advice I realised that modern Windows versions have bundled SSH server and that's a best way to work with remote Windows platforms as RDP is not as cool as old good console.

First of all we need to install OpenSSH server component, you can do it this way:

  • Start
  • Settings
  • Apps
  • Apps and Features
  • Optional Features
  • Add Feature
  • OpenSSH Server
Then we need to start it. Search for "Services" in search panel and then open it. Looks for OpenSSH SSH server and then click right mouse button and Start it. 

Then open properties and switch startup type from "manual" to "automatic". We need it to launch it automatically on boot.

After that you can connect to this server via normal SSH client from Linux:
Based on this guide.