Bug 435985

Summary: VNC via SSH tunnel always asks for password even though public key authentication is set-up
Product: [Applications] krdc Reporter: Jan Keith Darunday <jkcdarunday>
Component: VNCAssignee: Urs Wolfer <uwolfer>
Status: RESOLVED NOT A BUG    
Severity: normal CC: aacid, ctrlaltca, cure1245, jose, mail
Priority: NOR    
Version First Reported In: 22.04.0   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Video showing that I can SSH using public key but krdc won't

Description Jan Keith Darunday 2021-04-21 03:21:18 UTC 
SUMMARY
When connecting to a VNC server via SSH tunnel, KRDC always asks for password authentication (PW auth is already discouraged and disabled by default in most distros) even though I'm using public key authentication.

STEPS TO REPRODUCE
1. Create connection to an SSH server that has a running VNC server by enabling SSH tunneling
2. Connect

OBSERVED RESULT
* A password popup appears
* Pressing okay with any password throws: "Error authenticating with password: Access denied for 'password'. Authentication that can continue: publickey"
* Pressing cancel cancels the connection


EXPECTED RESULT
It should not ask for a password and continue if my publickey is authorized to connect.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux
KDE Plasma Version: 5.21.4
KDE Frameworks Version: 5.81.0
Qt Version: 5.15.2
Kernel Version: 5.11.15-zen1-2-zen
OS Type: 64-bit
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-8565U CPU @ 1.80GHz
Memory: 15.4 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics 620

ADDITIONAL INFORMATION
Same result even if I check/uncheck options like "Don't copy passwords from supported password managers" and "Remember password (KWallet)"
Comment 1 Albert Astals Cid 2021-04-21 21:31:36 UTC 
Could you describe your setup a bit better?

I just tried this and it works just fine.

My setup:
 * rdc host has .ssh/authorized_keys with my public key on it
 * krdc from guest connects, no password asked
Comment 2 Jan Keith Darunday 2021-04-22 17:36:47 UTC 
Created attachment 137801 [details]
Video showing that I can SSH using public key but krdc won't

Hi,

I have the same setup. My local ~/.ssh/id_rsa.pub is in the authorized_keys of the remote server so I'm currently able to do passwordless SSH.

I've attached a video showing that I can do passwordless SSH using the SSH command while KRDC still asks for a password when connecting to the same server.

Note that I added vpnserver.test.com in my /etc/hosts so that I don't have to disclose the server IP but connecting via IP and the correct hostname shows the same error.

I'm also able to do local tunneling via ssh -R 5901:127.0.0.1:5901 and successfully connect to localhost:5901 using KRDC so I can confirm that there isn't an issue with the tunneling.
Comment 3 Christopher Ure 2022-05-19 15:45:09 UTC 
Can verify that this issue also occurs on the latest Manjaro package with version 22.04.0.
Comment 4 mail 2022-09-12 10:34:07 UTC 
I can also confirm this bug.

Is there maybe something we miss that makes KRDC not use the user's ssh key (located in .ssh/id_rsa.pub)?
Comment 5 jose 2025-02-10 20:39:59 UTC 
This still seems to be an issue on Arch with version 24.12.2, I am unable to connect to VNC via a public key alone.
Comment 6 Fabio 2025-02-11 13:31:55 UTC 
This seems to affect Arch And Manjaro users.
Do you have ssh-agent running and configured?
Comment 7 jose 2025-02-11 16:34:18 UTC 
(In reply to Fabio from comment #6)
> This seems to affect Arch And Manjaro users.
> Do you have ssh-agent running and configured?

I did not have ssh-agent running. I ran it and added my key to the cache with ssh-add (as described https://wiki.archlinux.org/title/SSH_keys#SSH_agents). Now it's asking for the ssh password (where there isn't one for that key) with the following error:
'''
Error authenticating with password: Access denied for 'password'. Authentication that can continue: publickey
'''
Comment 8 jose 2025-02-11 16:36:58 UTC 
If I run krdc from the terminal I see this error:

KRDC: "Error authenticating with password: Access denied for 'password'. Authentication that can continue: publickey"
Comment 9 Fabio 2025-02-11 17:18:21 UTC 
If you see the "Error authenticating with password: Access denied for 'password'." error it means that pubkey authentication failed or was not attempted at all.
ssh-agent should run from xprofile, profile.d or similar to set the necessary env variables. You can check if they are set correctly, eg. like this:
---
# env | grep SSH
SSH_AGENT_PID=3125
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXhHgNxc/agent.3124
---
If they are missing, it won't work unless you run krdc "inside" ssh-agent: "ssh-agent krdc"
Comment 10 jose 2025-02-11 18:13:27 UTC 
(In reply to Fabio from comment #9)
> If you see the "Error authenticating with password: Access denied for
> 'password'." error it means that pubkey authentication failed or was not
> attempted at all.
> ssh-agent should run from xprofile, profile.d or similar to set the
> necessary env variables. You can check if they are set correctly, eg. like
> this:
> ---
> # env | grep SSH
> SSH_AGENT_PID=3125
> SSH_AUTH_SOCK=/tmp/ssh-XXXXXXhHgNxc/agent.3124
> ---
> If they are missing, it won't work unless you run krdc "inside" ssh-agent:
> "ssh-agent krdc"

checking the env the variables are not set, as expected since I need to set it up properly, which will try next.  However when I try ssh-agent krdc I still get the same error.  At this point I will assume I still dont have it set up correct and will try that route first.
Comment 11 jose 2025-02-11 18:54:23 UTC 
ok so the issue is that I was not running ssh-agent correctly, once I set it up correctly krdc works as expected! Thank you
Comment 12 Fabio 2025-02-12 06:41:11 UTC 
Thanks for letting us know it's working now.