Fixing “Agent admitted failure to sign using the key” Error in SSH Key-Based Authentication on Ubuntu


2 views

When configuring SSH key-based authentication on Ubuntu systems, many developers encounter the frustrating "Agent admitted failure to sign using the key" error. This typically occurs after a system reboot or when switching between different Linux environments.

First, verify your SSH agent status:

eval "$(ssh-agent -s)"
ssh-add -l

If you see "The agent has no identities," this confirms the agent isn't properly loading your keys.

  • Key permissions too open (should be 600 for private key)
  • SSH agent not running or not properly initialized
  • GNOME Keyring interference (common on Ubuntu desktop)
  • Missing SSH_AUTH_SOCK environment variable

Create or modify your ~/.bashrc or ~/.zshrc file:

if [ -z "$SSH_AUTH_SOCK" ]; then
   # Start ssh-agent if not running
   eval "$(ssh-agent -s)" > /dev/null
   # Add default key
   ssh-add ~/.ssh/id_rsa 2>/dev/null
fi

For modern Ubuntu versions using systemd:

systemctl --user enable ssh-agent
systemctl --user start ssh-agent

Ensure proper permissions for your SSH directory and keys:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

If you're using GNOME desktop environment, prevent keyring from managing SSH keys:

sudo -H gnome-keyring-daemon --replace

For a more permanent solution, consider adding this to your shell configuration:

SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    echo "Initializing new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    ssh-add "$HOME/.ssh/id_rsa"
}

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

When setting up password-less SSH login on Ubuntu Server, many developers encounter this cryptic error:

Agent admitted failure to sign using the key
Permission denied (publickey).

The error typically occurs when:

  • SSH agent isn't running or isn't properly configured
  • Key permissions are too open (should be 600 for private key)
  • GNOME Keyring is interfering with SSH agent
  • The SSH_AUTH_SOCK environment variable isn't set correctly

Try these solutions in order:

1. Restart SSH Agent Properly

eval ssh-agent -s
ssh-add ~/.ssh/id_rsa

2. Verify Key Permissions

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

3. Disable GNOME Keyring Interference

Edit ~/.bashrc or ~/.zshrc:

if [ -f "/usr/bin/gnome-keyring-daemon" ]; then
  eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
  export SSH_AUTH_SOCK
fi

4. Alternative SSH Agent Configuration

Create ~/.ssh/config with:

Host *
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa

Use verbose mode to pinpoint the exact failure:

ssh -vvv user@server.example.com

Look for these key messages in output:

debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:...
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:...

Try these nuclear options:

# Completely reset SSH agent
killall ssh-agent
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa

# Or generate brand new keys
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"