[GH-ISSUE #5006] git: ssh push fails when using a yubikey #2852

Open
opened 2026-05-05 09:30:21 -06:00 by gitea-mirror · 5 comments

Originally created by @WhyNotHugo on GitHub (Mar 4, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5006

Description

When using a yubikey-backed ssh key (e.g.: sk-ssh-ed25519@openssh.com), any git operation (git pull, git push) fails.

Removing /usr/local/bin/ssh makes it work again.

Steps to Reproduce

git push

Expected behavior

Should prompt to tap the yubikey and work.

Actual behavior

Confirm user presence for key ED25519-SK SHA256:ueyQm+GEaoaDoJFepjK0mxhz3MQcwU/dPsR27q7RjKA
sign_and_send_pubkey: signing failed for ED25519-SK "/home/hugo/.ssh/id_gitlab": device not found
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

This is the same message that's displayed when the yubikey is unplugged.

Behavior without a profile

firejail --noprofile /usr/bin/git pull works fine.

Additional context

Only applicable when using a hardware-backed ssh key. I think git's sandbox is too strict for this.

Environment

➜ uname -sro
Linux 5.16.11-arch1-1 GNU/Linux
➜ firejail --version
firejail version 0.9.68rc2

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

➜ LC_ALL=C firejail /usr/bin/git pull
Confirm user presence for key ED25519-SK SHA256:ueyQm+GEaoaDoJFepjK0mxhz3MQcwU/dPsR27q7RjKA
sign_and_send_pubkey: signing failed for ED25519-SK "/home/hugo/.ssh/id_gitlab": device not found
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Output of LC_ALL=C firejail --debug /path/to/program

There was an error creating your Issue: body is too long (maximum is 65536 characters).

gitea-mirror added the needinfo label 2026-05-05 09:30:21 -06:00

@ghost commented on GitHub (Mar 4, 2022):

Probably caused by the nou2f in the git profile. Try adding ignore nou2f in a git.local (either per-user in ~/.config/firejail or system-wide in /etc/firejail).


@WhyNotHugo commented on GitHub (Mar 4, 2022):

That didn't work:

$ git pull
Confirm user presence for key ED25519-SK SHA256:wTjW+5ifDmZ74rjo1kW44Nw/qE2Lea4aGtgqQ9qgwc8
sign_and_send_pubkey: signing failed for ED25519-SK "/home/hugo/.ssh/id_sourcehut": device not found
git@git.sr.ht: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

$ cat /etc/firejail/git.local
ignore nou2f

Oddly, removing sudo rm /usr/local/bin/ssh also serves as a workaround.


@WhyNotHugo commented on GitHub (Mar 4, 2022):

Oh, there's no file in /usr/local/bin/git, even after running firecfg.


@ghost commented on GitHub (Mar 4, 2022):

> Oddly, removing sudo rm /usr/local/bin/ssh also serves as a workaround.

> Oh, there's no file in /usr/local/bin/git, even after running firecfg.

You can see the list of applications that are 'automatically' firejailed through firecfg in /etc/firejail/firecfg.config. And as you noticed, git isn't in there, ssh is. That means you will have to create a symlink in /usr/local/bin for git if you want it sandboxed.

By removing /usr/local/bin/ssh you've disabled Firejail from running SSH in a sandbox. Although it makes things work, it's not really a workaround, or at least not a very secure one. If you have some time and feel up to it, I'd suggest (re-)enabling git + ssh firejails, try the git.local again and report back. It might need additional options added or removed, but we can help with that. BTW, Arch Linux repo package (https://archlinux.org/packages/community/x86_64/firejail/) of firejail is up to 0.9.68-1, make sure you're fully updated.


@kmk3 commented on GitHub (Mar 4, 2022):

@WhyNotHugo commented on Mar 4:

> Description
>
> When using a yubikey-backed ssh key (e.g.: sk-ssh-ed25519@openssh.com), any
> git operation (git pull, git push) fails.
>
> Removing /usr/local/bin/ssh makes it work again.

Does it work with ignore private-dev on ssh.local?

If so, the cause is likely the same as:

  • #4928

In which case maybe we could add a comment about it to ssh.profile.
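As an added example (not code from this thread or from the firejail project), the following shell script mirrors the two checks the comments above walk through: whether a program is actually run under firejail because firecfg symlinked it in /usr/local/bin, and whether a profile directive such as nou2f or private-dev is still in effect after an `ignore` line in the program's .local. Everything is looked up under $FJ_ROOT so it runs against a constructed directory tree instead of the real system; the sample profile contents, the /home/user location and the helper names are invented for the demo. The directive check is a plain text match and assumes the .local is included before the directive, as the shipped profiles do with `include name.local`.

```shell
#!/bin/sh
# Added example, not code from the firejail project: inspect how a firecfg
# symlink, a profile directive and an "ignore" line in a .local file combine
# for one program.  All lookups happen under $FJ_ROOT so the checks can run
# against a constructed directory tree; the profile contents written by
# fj_make_sample_tree are constructed for the example, not copied from the
# real git/ssh profiles.

# Is program $1 run through firejail because firecfg symlinked it?
# Prints "sandboxed" or "not-sandboxed".
fj_symlink_status() {
    link="$FJ_ROOT/usr/local/bin/$1"
    target=""
    if [ -L "$link" ]; then
        target=$(readlink "$link")
    fi
    case "$target" in
        */firejail|firejail) echo sandboxed ;;
        *) echo not-sandboxed ;;
    esac
}

# Does directive $2 (e.g. nou2f, private-dev) apply to program $1?
# The profile is $1.profile under /etc/firejail; an "ignore $2" line in the
# system-wide or per-user $1.local turns it off.  Prints "absent" (not in
# the profile), "ignored" (in the profile but overridden) or "active".
fj_directive_status() {
    prog=$1
    directive=$2
    etc="$FJ_ROOT/etc/firejail"
    user_cfg="$FJ_ROOT/home/user/.config/firejail"   # constructed home dir
    if ! grep -qxF -e "$directive" "$etc/$prog.profile" 2>/dev/null; then
        echo absent
        return 0
    fi
    for f in "$etc/$prog.local" "$user_cfg/$prog.local"; do
        if [ -f "$f" ] && grep -qxF -e "ignore $directive" "$f"; then
            echo ignored
            return 0
        fi
    done
    echo active
}

# Build a constructed tree mirroring the situation in the thread: ssh is
# symlinked by firecfg, git is not; git.local ignores nou2f; ssh has no
# .local at all.  Prints the root directory.
fj_make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/etc/firejail"
    ln -s /usr/bin/firejail "$root/usr/local/bin/ssh"
    printf 'include git.local\nnou2f\nprivate-dev\n' > "$root/etc/firejail/git.profile"
    printf 'ignore nou2f\n' > "$root/etc/firejail/git.local"
    printf 'include ssh.local\nnou2f\nprivate-dev\n' > "$root/etc/firejail/ssh.profile"
    echo "$root"
}

# One-line summary per program, e.g. "git: not-sandboxed nou2f=ignored private-dev=active".
fj_report() {
    printf '%s: %s nou2f=%s private-dev=%s\n' "$1" \
        "$(fj_symlink_status "$1")" \
        "$(fj_directive_status "$1" nou2f)" \
        "$(fj_directive_status "$1" private-dev)"
}

# Demo run against the constructed tree.
FJ_ROOT=$(fj_make_sample_tree)
fj_report git
fj_report ssh
rm -rf "$FJ_ROOT"
```

Against the constructed tree the report shows git with nou2f ignored but private-dev still active, and ssh with both active; set FJ_ROOT to an empty string to run the same two helpers against the real /usr/local/bin and /etc/firejail.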

Reference: github-starred/firejail#2852