
I observe some weird behaviour with regard to use of forwarded keys.

I access my router (OpenWRT 22.03) over SSH enabling key forwarding:

ssh -A root@192.168.xx.yy -p 2222

The socket for agent connection is successfully created and has proper rights:

root@gw-bsb:~/.ssh# env | grep SSH
SSH_AUTH_SOCK=/tmp/dropbear-19ec2148/auth-cea63dfa-6
SSH_TTY=/dev/pts/0

root@gw-bsb:~# ls -l /tmp/dropbear-19ec2148/auth-cea63dfa-6
srwxr-xr-x 1 root root 0 Jan 8 00:55 /tmp/dropbear-19ec2148/auth-cea63dfa-6

Keys are also visible to the ssh client:

root@gw-bsb:~/.ssh# ssh-add -v -l
1024 SHA256:xx yy (RSA)
256 SHA256:zz yy (ED25519)
2048 SHA256:xxx iii (RSA)

However, the client is not able to use the keys in real ssh connections:

$ ssh -v git@github.com
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_fetch_identitylist: agent refused operation

OpenWRT uses a dropbear implementation of the ssh client:

root@gw-bsb:~/.ssh# dropbear -V
Dropbear v2022.82

Older versions of OpenWRT didn't have problems with the key forwarding.

How can I fix this?

1 Answer


The problem was the mixed implementation of the ssh client/server. OpenWRT used dropbear to serve incoming sshd connections, but the OpenSSH ssh client was used to establish further connections from the session. Due to some incompatibility, the ssh-agent was able to list keys, but the ssh client could not do it.

The fix was to remove the OpenSSH ssh client, which reverted the shell to using the dropbear implementation of the ssh client.

Before the fix:

root@gw:~# ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1q  5 Jul 2022

So, it is not a dropbear client.

Both client ssh packages installed:

root@gw:~# opkg list-installed | grep drop
dropbear - 2022.82-2
root@gw:~# opkg list-installed | grep ssh
openssh-client - 8.9p1-1
openssh-client-utils - 8.9p1-1
openssh-keygen - 8.9p1-1
openssh-sftp-server - 8.9p1-1

After removing the openssh-client package:

root@gw:~/router-script# ssh -V
Dropbear v2022.82

And yes, it worked!

root@gw:~# ssh git@github.com
Hi 0anton! You've successfully authenticated, but GitHub does not provide shell access.

Thanks to Matt, author of the great Dropbear ssh package, who helped me to find the solution quickly.

https://github.com/mkj/dropbear/issues/213
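
A quick check for the combination described in this answer, as an added example that is not part of the original post or of Dropbear/OpenWRT: it compares which server created the forwarded-agent socket with which client `ssh` resolves to. The function names are hypothetical, and the socket path patterns are assumptions (the Dropbear one is taken from the paths shown in the question, the OpenSSH one is sshd's usual `/tmp/ssh-*/agent.<pid>` layout).

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Classify a version banner such as the output of `ssh -V 2>&1`.
classify_banner() {
    case "$1" in
        Dropbear*) echo dropbear ;;
        OpenSSH*)  echo openssh ;;
        *)         echo unknown ;;
    esac
}

# Classify the server side from the SSH_AUTH_SOCK path (patterns are assumptions).
classify_sock() {
    case "$1" in
        "")                     echo none ;;
        /tmp/dropbear-*/auth-*) echo dropbear ;;
        /tmp/ssh-*/agent.*)     echo openssh ;;
        *)                      echo unknown ;;
    esac
}

# $1 = value of SSH_AUTH_SOCK, $2 = client banner.
# Returns 0 = same implementation, 1 = mixed, 2 = no agent socket, 3 = cannot tell.
check_agent_mix() {
    sock=$(classify_sock "$1")
    client=$(classify_banner "$2")
    if [ "$sock" = none ]; then
        echo "no-agent: SSH_AUTH_SOCK is empty (was the session opened with ssh -A?)"
        return 2
    fi
    if [ "$sock" = unknown ] || [ "$client" = unknown ]; then
        echo "unknown: socket=$sock client=$client"
        return 3
    fi
    if [ "$sock" != "$client" ]; then
        echo "mismatch: agent socket from $sock server, ssh client is $client"
        return 1
    fi
    echo "ok: agent socket and ssh client are both $sock"
    return 0
}

# Demo on the values shown on this page (before and after removing openssh-client).
S=/tmp/dropbear-19ec2148/auth-cea63dfa-6
check_agent_mix "$S" "OpenSSH_8.9p1, OpenSSL 1.1.1q  5 Jul 2022" || true
check_agent_mix "$S" "Dropbear v2022.82" || true
```

On the router itself, call it as `check_agent_mix "$SSH_AUTH_SOCK" "$(ssh -V 2>&1)"`.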