Adding the same key multiple times gives an error
AndreasLoow opened this issue · comments
It seems that there's a problem with adding the same key multiple times. ssh-pageant doesn't work in the same way as the standard ssh-agent in this respect. Is this the expected behavior? Wouldn't it be better to replicate the standard ssh-agent's behavior here?
For example, starting with a Pageant instance without any keys:
```
> eval $(ssh-agent)
Agent pid 1200
> ssh-add
Enter passphrase for /home/andreas/.ssh/id_rsa:
Identity added: /home/andreas/.ssh/id_rsa (/home/andreas/.ssh/id_rsa)
> ssh-add
Enter passphrase for /home/andreas/.ssh/id_rsa:
Identity added: /home/andreas/.ssh/id_rsa (/home/andreas/.ssh/id_rsa)
> eval $(ssh-agent -k)
Agent pid 988 killed
> eval $(ssh-pageant)
ssh-pageant pid 7756
> ssh-add
Enter passphrase for /home/andreas/.ssh/id_rsa:
Identity added: /home/andreas/.ssh/id_rsa (/home/andreas/.ssh/id_rsa)
> ssh-add
Enter passphrase for /home/andreas/.ssh/id_rsa:
Could not add identity "/home/andreas/.ssh/id_rsa": agent refused operation
```
The error is not from `ssh-pageant`, which has no idea what keys are stored. It's only a middle-man, and it doesn't look at the messages at all except the length, to see how many bytes to transfer.

Pageant does this at the end of processing `SSH2_AGENTC_ADD_IDENTITY` in `pageant.c`:
```c
if (add234(ssh2keys, key) == key) {
    keylist_update();
    PUT_32BIT(ret, 1);
    ret[4] = SSH_AGENT_SUCCESS;
    plog(logctx, logfn, "reply: SSH_AGENT_SUCCESS");
} else {
    key->alg->freekey(key->data);
    sfree(key->comment);
    sfree(key);
    fail_reason = "key already present";
    goto failure;
}
```
You should be able to see that `fail_reason` printed in Pageant's log. The message passed back through `ssh-pageant` is just `SSH_AGENT_FAILURE`, so we have no idea what the problem was.

You'll get the same error if you use PuTTY with agent forwarding, then try to add an existing key with `ssh-add` on the remote side. So if you want this to behave more like `ssh-agent`, you should advocate the change in Pageant itself.