Cannot use ssh keys to push to github #620

Closed
Iolaum opened this issue Nov 7, 2020 · 9 comments
Labels
1. Bug Something isn't working

Comments

@Iolaum

Iolaum commented Nov 7, 2020

Describe the bug
In order to bypass #608 I create a user session after entering the container. However, that session cannot push to GitHub properly using SSH keys. If I exit that session I can then push, but I'll have to re-enter it again to work on the code-base that requires the ability to change group ownership.

Steps how to reproduce the behaviour

# Enter container
$ toolbox enter dev
# Create new user session because of https://github.com/containers/toolbox/issues/608
$ sudo su $USER
$ git push
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$ exit
$ git push
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 405 bytes | 405.00 KiB/s, done.
Total 4 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
To github.com:Iolaum/fcust.git
   3f5407c..7ead100  main -> main

Expected behaviour
Git push would succeed within a user session inside the container, just like it succeeds on initial session.

Actual behaviour
Git push fails due to access errors within the user session.

Screenshots
If applicable, add screenshots to help explain your problem.

Output of toolbox --version (v0.0.90+)

$ toolbox --version
toolbox version 0.0.96

Toolbox package info (rpm -q toolbox)

$ rpm -q toolbox
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
toolbox-0.0.96-1.fc33.x86_64

Output of podman version

$ podman version
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Wed Oct  7 19:21:20 2020
OS/Arch:      linux/amd64

Podman package info (rpm -q podman)

$ rpm -q podman
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.

Info about your OS

$ cat /etc/os-release 
NAME=Fedora
VERSION="33.20201107.0 (Silverblue)"
...
@Iolaum Iolaum added the 1. Bug Something isn't working label Nov 7, 2020
@HarryMichal
Member

Hi @Iolaum! I just tried to reproduce this and I kinda did but I'll need to double check with what you're getting. In my toolboxes when I type sudo su $USER I log into the root user because $USER is blank and then git push naturally fails because I try to push as a different user. And when I explicitly write my user's name, then I can access my ssh keys without any problem.

@Iolaum
Author

Iolaum commented Nov 7, 2020

Hello @HarryMichal
Thanks for looking into this.

In my case I am the admin user of my installation. So typing sudo su admin_user doesn't change the user that tries to perform the action. I am surprised that $USER is blank for you, it is not for me. $USER evaluates to the actual user that called the toolbox enter dev command.

In my case assume the following:

# We are already in the toolbox container
$ echo $USER
admin_user

When I use toolbox I don't actually type $USER but admin_user. So what I actually type is

$ sudo su admin_user
$ git push
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists

I also tested and I get the same result when I type sudo su $USER.

Hope that helps.

@debarshiray
Member

This is strange.

It seems to me that you are trying to push to GitHub by authenticating with your public SSH key and for some reason it's refusing to let you in. What happens if you do:

$ ssh -v git@github.com

GitHub doesn't offer shell access, so it would eventually error out anyway, but it should still say that you successfully authenticated.

If I sudo su $USER inside a Toolbox container, I can still SSH into other servers using my public SSH keys. The SSH agent doesn't work, so it asks me again for my SSH passphrase but that's fixed by setting the SSH_AUTH_SOCK environment variable.

[ I think the USER environment variable is missing for @HarryMichal because of fish. I am not sure if USER is specified in POSIX or is a Bashism. POSIX does mention it in passing, and the old POSIX shell implementation of Toolbox used it a lot without any complaints from ShellCheck. ]

@Iolaum
Copy link
Author

Iolaum commented Nov 17, 2020

I tried the ssh -v git@github.com command twice, first after entering the toolbox container and then after doing sudo su $USER. The first worked as intended, and I got asked for the key passphrase. The second failed. I am adding the logs below:

$ toolbox enter dev
⬢[user1@toolbox ~]$ ssh -v git@github.com
OpenSSH_8.4p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file /var/home/user1/.ssh/id_rsa type -1
debug1: identity file /var/home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_dsa type -1
debug1: identity file /var/home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519 type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_xmss type -1
debug1: identity file /var/home/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version babeld-8cd15329
debug1: no match: babeld-8cd15329
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /var/home/user1/.ssh/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: olduser@localhostname RSA SHA256:LAQMSp8OQ/exmph7Y3pqeuzdZXGgr7NkpiUiGUv2/tE agent
debug1: Will attempt key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Will attempt key: /var/home/user1/.ssh/id_rsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_dsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: olduser@localhostname RSA SHA256:LAQMSp8OQ/exmph7Y3pqeuzdZXGgr7NkpiUiGUv2/tE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Server accepts key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([140.82.121.4]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi Iolaum! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Connection to github.com closed.
Transferred: sent 4196, received 2812 bytes, in 0.3 seconds
Bytes per second: sent 15530.1, received 10407.7
debug1: Exit status 1
⬢[user1@toolbox ~]$ sudo su $USER
⬢[user1@toolbox ~]$ ssh -v git@github.com
OpenSSH_8.4p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file /var/home/user1/.ssh/id_rsa type -1
debug1: identity file /var/home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_dsa type -1
debug1: identity file /var/home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519 type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_xmss type -1
debug1: identity file /var/home/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version babeld-8cd15329
debug1: no match: babeld-8cd15329
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /var/home/user1/.ssh/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /var/home/user1/.ssh/id_rsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_dsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /var/home/user1/.ssh/id_rsa
debug1: Trying private key: /var/home/user1/.ssh/id_dsa
debug1: Trying private key: /var/home/user1/.ssh/id_ecdsa
debug1: Trying private key: /var/home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /var/home/user1/.ssh/id_ed25519
debug1: Trying private key: /var/home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /var/home/user1/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

P.S. In the logs have substituted

From watching the logs I see that in the first attempt it finds the two ssh keys I have in my ~/.ssh folder and attempts to connect with them. In the second it doesn't try to use them, even though ls -la ~/.ssh/ does show the keys in question.

@debarshiray
Member

Thanks for the logs!

I see that the entries with myemail@provider.com (and olduser@localhostname) are missing from the non-working case, but the logs still mention /var/home/user1/.ssh/id_*. I am trying to figure out why's that.

In the meantime, does setting SSH_AUTH_SOCK solve your problem?

@Iolaum
Author

Iolaum commented Nov 19, 2020

I tested SSH_AUTH_SOCK and it fixed the issue!

$ SSH_AUTH_SOCK=/run/user/1000/keyring/ssh; export SSH_AUTH_SOCK
$ ssh -v git@github.com
OpenSSH_8.4p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file /var/home/user1/.ssh/id_rsa type -1
debug1: identity file /var/home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_dsa type -1
debug1: identity file /var/home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519 type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /var/home/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/home/user1/.ssh/id_xmss type -1
debug1: identity file /var/home/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version babeld-c863b32e
debug1: no match: babeld-c863b32e
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /var/home/user1/.ssh/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: olduser@localhostname RSA SHA256:LAQMSp8OQ/exmph7Y3pqeuzdZXGgr7NkpiUiGUv2/tE agent
debug1: Will attempt key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Will attempt key: /var/home/user1/.ssh/id_rsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_dsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /var/home/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519 
debug1: Will attempt key: /var/home/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /var/home/user1/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: olduser@localhostname RSA SHA256:LAQMSp8OQ/exmph7Y3pqeuzdZXGgr7NkpiUiGUv2/tE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Server accepts key: myemail@provider.com RSA SHA256:Hqho9GvXO4h2gEwLHf6MBjBkvHkrHPTT/ljDaZQfZFw agent
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([140.82.121.4]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi Iolaum! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Connection to github.com closed.
Transferred: sent 4196, received 2812 bytes, in 0.3 seconds
Bytes per second: sent 15028.0, received 10071.2
debug1: Exit status 1

Some additional information.

My ssh folder does contain any of the default key names. There are two keys there with non standard names.
I am guessing that the code tries to find them from some hardcoded entries even though they are not there.

Moreover, since setting SSH_AUTH_SOCK fixed the issue, I noticed that the first toolbox session has a lot more environment variables compared to the second. Adding them here in case they help for debugging:

$ toolbox enter dev
$ env | wc -l
38
⬢[user1@toolbox ~]$ env
SHELL=/bin/bash
COLORTERM=truecolor
HISTCONTROL=ignoredups
XDG_MENU_PREFIX=gnome-
HISTSIZE=1000
HOSTNAME=
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
DISTTAG=f33container
DESKTOP_SESSION=gnome
GPG_TTY=/dev/pts/1
NAME=Fedora
PWD=/var/home/user1
LOGNAME=user1
XDG_SESSION_DESKTOP=gnome
XDG_SESSION_TYPE=wayland
TOOLBOX_PATH=/usr/bin/toolbox
XAUTHORITY=/run/user/1000/.mutter-Xwaylandauth.QNBLU0
container=oci
HOME=/var/home/user1
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
XDG_CURRENT_DESKTOP=GNOME
FGC=f33
VTE_VERSION=6201
WAYLAND_DISPLAY=wayland-0
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=user1
containers=podman
DISPLAY=:0
SHLVL=1
XDG_RUNTIME_DIR=/run/user/1000
XDG_DATA_DIRS=/var/home/user1/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share
PATH=/var/home/user1/.local/bin:/var/home/user1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
VERSION=33 (Container Image)
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
MAIL=/var/spool/mail/user1
_=/usr/bin/env
⬢[user1@toolbox ~]$ sudo su user1
⬢[user1@toolbox ~]$ env | wc -l
21
⬢[user1@toolbox ~]$ env
SHELL=/bin/bash
COLORTERM=truecolor
SUDO_GID=1000
HOSTNAME=
HISTSIZE=1000
SUDO_COMMAND=/usr/bin/su user1
SUDO_USER=user1
PWD=/var/home/user1
LOGNAME=user1
HOME=/var/home/user1
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=user1
DISPLAY=:0
SHLVL=1
PATH=/var/home/user1/.local/bin:/var/home/user1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
SUDO_UID=1000
MAIL=/var/spool/mail/user1
_=/usr/bin/env

I'm not sure if this is intended, however the lack of SSH_AUTH_SOCK in the second session looks to be the cause of this issue.

P.S. Also note that this difference may be why sudo su $USER works as workaround for #608

@debarshiray
Member

Yes, I think the SSH_AUTH_SOCK environment variable explains this particular problem. The ssh client seems to be looking at the SSH agent for the private keys, and not having the path to the agent's socket is blocking it from doing so. I am not exactly sure why it's doing this, but a brief reading of the ssh source code agrees with the overall assessment.
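The triage carried out by hand in this thread, as an added example that is not part of the original comments or of Toolbox: it classifies an `ssh -v` transcript by whether any agent-held keys were listed, and names the variables one `env` dump lost relative to another. The function names and the abbreviated sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "Permission denied (publickey)" after `sudo su`.
# All sample data below is constructed and abbreviated; fingerprints are placeholders.

# Count keys that `ssh -v` reports as held by the agent.
# Agent keys are listed as "Will attempt key: <comment> <type> <fingerprint> agent".
agent_key_count() {
    printf '%s\n' "$1" |
        awk '/^debug1: Will attempt key: .* agent[ \t]*$/ { n++ } END { print n + 0 }'
}

# Classify a transcript: ok | no-agent-keys | keys-rejected | unknown
classify_ssh_log() {
    if printf '%s\n' "$1" | grep -q 'Authentication succeeded (publickey)'; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'Permission denied (publickey)'; then
        if [ "$(agent_key_count "$1")" -eq 0 ]; then
            echo no-agent-keys      # the agent was never consulted
        else
            echo keys-rejected      # keys were offered but the server refused them
        fi
    else
        echo unknown
    fi
}

# Print variable names present in env dump $1 but absent from env dump $2.
# Assumes one NAME=value pair per line (no multi-line values).
dropped_vars() {
    after_names=$(printf '%s\n' "$2" | cut -d= -f1)
    printf '%s\n' "$1" | cut -d= -f1 | while IFS= read -r name; do
        printf '%s\n' "$after_names" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Report whether an SSH_AUTH_SOCK value points at a live socket path.
agent_socket_status() {
    if [ -z "$1" ]; then echo unset
    elif [ -S "$1" ]; then echo present
    else echo missing
    fi
}

# Constructed sample: first session, agent reachable.
LOG_FIRST_SESSION='debug1: Will attempt key: user@example RSA SHA256:PLACEHOLDER agent
debug1: Will attempt key: /var/home/user1/.ssh/id_rsa
debug1: Offering public key: user@example RSA SHA256:PLACEHOLDER agent
debug1: Authentication succeeded (publickey).'

# Constructed sample: after `sudo su`, only default identity paths are tried.
LOG_AFTER_SU='debug1: Will attempt key: /var/home/user1/.ssh/id_rsa
debug1: Trying private key: /var/home/user1/.ssh/id_rsa
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).'

# Constructed, shortened env dumps for the two sessions.
ENV_FIRST='SHELL=/bin/bash
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
XDG_RUNTIME_DIR=/run/user/1000
USER=user1'
ENV_AFTER_SU='SHELL=/bin/bash
SUDO_USER=user1
USER=user1'

echo "first session : $(classify_ssh_log "$LOG_FIRST_SESSION")"
echo "after sudo su : $(classify_ssh_log "$LOG_AFTER_SU")"
echo "dropped vars  : $(dropped_vars "$ENV_FIRST" "$ENV_AFTER_SU" | tr '\n' ' ')"
echo "agent socket  : $(agent_socket_status "${SSH_AUTH_SOCK:-}")"
```

A `no-agent-keys` result together with `SSH_AUTH_SOCK` in the dropped list matches the cause identified in this thread.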

@debarshiray
Member

Closing.

Thanks for stopping by, and helping debug this. Much appreciated.

@Iolaum
Author

Iolaum commented Nov 19, 2020

You're welcome.

Btw, I am not sure I understand. Will there be a PR to change the current behavior? I.e., will there be changes to ensure that SSH_AUTH_SOCK is also created in a new user session inside a toolbox container? Or is that not in scope? Or will such a PR be tracked elsewhere?
