Wednesday, May 1, 2024
Wed, August 31, 2022, 1:15:46

I'm setting up a new Ubuntu system (12.04.2 LTS) for Rails development and wanted to use an encrypted SSH private key as per this article. I can set up a standard ssh keypair using the instructions on GitHub and everything works fine, but when I follow the instructions in the first article I can no longer use ssh to log in. Instead, I get the error "Agent admitted failure to sign using the key." I've found a bug (can't post link b/c of low reputation, #328127) that might be related; I'm not being asked for my private key passphrase so the fact that I've modified the private key after creation could be the issue. Attempting to add the new key manually using ssh-add only results in the error being returned twice. I'm not sure how to set $SSH_AUTH_SOCK to zero, otherwise I would try that as well. Any help would be greatly appreciated, thanks!



 Answers

Unsetting SSH_AUTH_SOCK is a workaround, but doing so disables ssh-agent, which some people might still want to use.



It seems that ssh-agent can't sign anything with the private key because it doesn't properly decrypt it when automatically adding this key to the keyring.



If one generates the standard id_rsa identity file in ~/.ssh, or stores a private key along with its public key in ~/.ssh, ssh-agent automatically adds this to its keyring. But when doing so, it doesn't prompt for a passphrase; it doesn't ever decrypt the key.



The solution is to add the key manually. Remove all pkcs#8 encrypted keys from the ssh-agent using ssh-add -D and move private+public key files out of ~/.ssh. Reboot or run ssh-agent -k, then move back your pkcs#8 encrypted PRIVATE key to ~/.ssh. Using ssh-add, one is prompted for the decryption passphrase. ssh-agent can now access the unencrypted private key, and therefore sign stuff with it.



(via Damon Dransfeld)


Thursday, September 1, 2022
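A way to check which key files are in the PKCS#8 encrypted format before re-adding them by hand, as the answer above describes. This is an added example, not part of the original answer; the function names key_format and readd_key are hypothetical, and it covers only clearing and re-adding within the running agent, not moving the files or restarting the agent.

```shell
#!/bin/sh
# Added example: classify a private key file by its PEM header, then
# re-add a PKCS#8 encrypted key explicitly so ssh-add prompts for the
# passphrase. key_format and readd_key are hypothetical names.

# Print the container format of the private key file given as $1.
key_format() {
    # Strip a trailing CR so keys saved with DOS line endings still match.
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-plain" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo "openssh" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM flags encryption in a header on the second line.
            if sed -n 2p "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "legacy-encrypted"
            else
                echo "legacy-plain"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Clear the agent and add one PKCS#8 encrypted key by hand.
readd_key() {
    key=$1
    fmt=$(key_format "$key")
    if [ "$fmt" != "pkcs8-encrypted" ]; then
        echo "$key is $fmt, not a PKCS#8 encrypted key; nothing to do" >&2
        return 1
    fi
    ssh-add -D        # drop every identity the agent currently holds
    ssh-add "$key"    # prompts for the decryption passphrase
    ssh-add -l        # list fingerprints to confirm the key was loaded
}

# Run against a key only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    readd_key "$1"
fi
```

Invoke the script with the path to the private key as its only argument; with no argument it only defines the functions.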