Tags: git, nix, nixpkgs

Permission denied (publickey) when using Nix's Git


I installed Git via Nix (on Arch Linux).

[gorre@uplink ~]$ uname -a
Linux uplink 4.16.9-1-ARCH #1 SMP PREEMPT Thu May 17 02:10:09 UTC 2018 x86_64 GNU/Linux
[gorre@uplink ~]$ nix-env -q
erlang-20.3.2
git-2.16.3
go-1.10.1
google-drive-ocamlfuse-0.6.25
nix-2.0.2

I have the SSH config file saved in ~/.ssh/config:

[gorre@uplink ~]$ cat ~/.ssh/config 
# Bitbucket.org
Host bitbucket.org
#RSAAuthentication yes
IdentityFile ~/.ssh/bitbucket_id_rsa
IdentitiesOnly yes

I'm 100% sure the private/public key set is correct. I use it all the time in SmartGit, but when I try to use Git via the command-line, I'm getting this error:

[gorre@uplink erlang]$ git pull --rebase
sign_and_send_pubkey: signing failed: agent refused operation
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Is there any way to tell Git (installed via Nix) to refer to my ~/.ssh/config file?


As proof, this is what happens when I "instruct" the ssh-agent to temporarily use my public key (so you can be certain that I have the correct rights):

[gorre@uplink erlang]$ ssh-agent sh -c 'ssh-add ~/.ssh/bitbucket_id_rsa; git pull --rebase'
Enter passphrase for /home/gorre/.ssh/bitbucket_id_rsa: 
Identity added: /home/gorre/.ssh/bitbucket_id_rsa (/home/gorre/.ssh/bitbucket_id_rsa)
Already up to date.
Current branch master is up to date.

...after that, I'm free to fly for a while:

[gorre@uplink erlang_simple_cache]$ git pull --rebase
Already up to date.
Current branch master is up to date.

Solution

  • It's generally better to debug these as ssh failures rather than git failures. Diagnose them with ssh -v -v git@bitbucket.org. You should get the same error, and more diagnostics to work with. But we already have the clue we need, sign_and_send_pubkey: signing failed: agent refused operation. Googling this, we find it means the ssh-agent could not access that key.

    IdentityFile only says which key to try, rather than trying all of them. That key still has to be made available. This is why it works after you ssh-add: that makes the key available to your ssh agent. Adding the key via ssh-add is the correct thing to do.

    If it's annoying that you have to remember to add your key every time you log in, then you can use a keychain to securely store your ssh key passphrases. Then the next time you log in, your keychain will run ssh-add for you using your cached keychain. Keychains are different on every OS. Here are instructions for that on ArchLinux.
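The answer's point, that IdentityFile only chooses which keys ssh offers and that IdentitiesOnly then stops ssh from trying anything the agent happens to hold, is easiest to see by computing the options ssh will actually apply to a host. The script below is an added example, not code from the question or the answer. It parses a client config with OpenSSH's own rules (the first value obtained for an option wins, Host patterns use `*` and `?` and may be negated with `!`, IdentityFile accumulates every value), reports the identities that will be offered to a host, and classifies each key file's permissions the way ssh does before using it. SAMPLE_CONFIG is the config from the question plus a constructed trailing `Host *` block; the function names are this example's own. For a real check the equivalent commands are `ssh -G bitbucket.org`, which prints the effective options, and `ssh-add -l`, which lists what the agent holds.

```python
"""Effective ssh_config options for a host, plus private-key permission checks.
Added example for this thread (not code from the question or the answer);
`ssh -G <host>` is the real tool that prints the effective options."""
import os
import re

# Constructed sample: the ~/.ssh/config from the question, plus a trailing
# "Host *" block (not in the question) to show how IdentityFile accumulates.
SAMPLE_CONFIG = """\
# Bitbucket.org
Host bitbucket.org
#RSAAuthentication yes
IdentityFile ~/.ssh/bitbucket_id_rsa
IdentitiesOnly yes

Host *
IdentityFile ~/.ssh/id_rsa
"""

# Options that collect every value instead of keeping only the first one.
MULTI_VALUED = {"identityfile", "certificatefile"}


def parse_ssh_config(text):
    """Split a config into (host_patterns, [(key, value), ...]) blocks in file
    order. Options before the first Host line apply to every host."""
    blocks, patterns, opts = [], ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), []
        else:
            opts.append((key, value))
    blocks.append((patterns, opts))
    return blocks


def _glob_to_regex(pattern):
    # OpenSSH host patterns use only '*' and '?'; hostnames match case-insensitively.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern.lower())


def host_matches(patterns, host):
    """A negated pattern ("!foo") that matches vetoes the whole block;
    otherwise any positive pattern that matches selects it."""
    selected = False
    for pat in patterns:
        negate = pat.startswith("!")
        if re.fullmatch(_glob_to_regex(pat.lstrip("!")), host.lower()):
            if negate:
                return False
            selected = True
    return selected


def effective_options(blocks, host):
    """OpenSSH rule: the first value obtained for an option wins, except for
    multi-valued options, which keep every value in file order."""
    eff = {}
    for patterns, opts in blocks:
        if not host_matches(patterns, host):
            continue
        for key, value in opts:
            if key in MULTI_VALUED:
                eff.setdefault(key, []).append(value)
            else:
                eff.setdefault(key, value)
    return eff


def identities_offered(config_text, host):
    """Return (identity_files, identities_only) for host, with ~ expanded.
    With IdentitiesOnly yes, ssh offers only these files (signing via the
    agent when it holds them); any other key in the agent is never tried."""
    eff = effective_options(parse_ssh_config(config_text), host)
    files = [os.path.expanduser(p) for p in eff.get("identityfile", [])]
    only = eff.get("identitiesonly", "no").lower() == "yes"
    return files, only


def check_private_key(path):
    """Classify a private-key file as ssh does before loading it: a key that is
    group- or world-accessible is reported as 'too open' and ignored by ssh."""
    try:
        mode = os.stat(path).st_mode & 0o777
    except FileNotFoundError:
        return "missing"
    if mode & 0o077:
        return "too open (%04o)" % mode
    return "ok"


if __name__ == "__main__":
    files, only = identities_offered(SAMPLE_CONFIG, "bitbucket.org")
    print("IdentitiesOnly:", only)
    for f in files:
        print(f, "->", check_private_key(f))
```

Run it against your own file with `identities_offered(open(os.path.expanduser("~/.ssh/config")).read(), "bitbucket.org")`; the paths it returns should be exactly the ones that `ssh -vv git@bitbucket.org` reports in its "Offering public key" lines. If the configured key comes back "too open" or "missing", fix that before looking at the agent at all; if it is "ok" and the agent still refuses to sign, `ssh-add -l` tells you whether the agent holds that key.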