LinuxQuestions.org - passphrase authentication fails using rsa with OpenSSH 5.1p1 (Slackware 12.2)

- Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)

- - passphrase authentication fails using rsa with OpenSSH 5.1p1 (Slackware 12.2) (https://www.linuxquestions.org/questions/linux-newbie-8/passphrase-authentication-fails-using-rsa-with-openssh-5-1p1-slackware-12-2-a-765893/)

passphrase authentication fails using rsa with OpenSSH 5.1p1 (Slackware 12.2)

While attempting a rsa key based login, ssh prompts for the passphrase three times and then defaults to password login (at which point I can log in normally).

Using -vvv on the ssh commandline gives "debug2: bad passphrase given, try again..." after each passphrase attempt.

Both server and client are using slackware 12.2.

Here is the client ssh_config:
Port 22
Protocol 2
#RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
HostbasedAuthentication no
#EnableSSHKeysign yes
StrictHostKeyChecking ask
IdentityFile ~/.ssh/id_rsa

And the server sshd_config:
Port 22
Protocol 2
PasswordAuthentication yes
LogLevel VERBOSE
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers sysfce2
StrictModes yes
MaxAuthTries 6
MaxSessions 4
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
ChallengeResponseAuthentication yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 600
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid

I am using "ssh-keygen -t rsa -b 2048 -f id_rsa" to generate the keys and then copying id_rsa.pub to ~/.ssh/authorized_keys (although I have tried dsa and other variations).

What else can I try?

When you ran ssh-keygen, it would have asked you to enter a passphrase.

This is what is failing.
When SSH attempts to use your keyfile ... it needs the passphrase.

If you have forgotten your passphrase you will need to generate a new key.

Check file and directory permissions maybe - ~/.ssh should be 700, private key files and authorized_keys[2] should be 600, both server and client side. And look for clues in the server side logs (/var/log/messages? /var/log/auth? /var/log/sshd?)

I have been changing the permissions to 700/600 on both sides, but I tried again with no success.
One thing that I tried new was to name a copy id_rsa.pub authorized_keys on the client side, but I didn't think that was really necessary. It didn't help either.

Here's what I get in /var/log/messages

Nov 2 01:33:05 utils sshd[7312]: Connection from 192.168.0.101 port 54350
Nov 2 01:33:05 utils sshd[7312]: Failed none for sysfce2 from 192.168.0.101 port 54350 ssh2
Nov 2 01:33:29 utils sshd[7312]: Accepted password for sysfce2 from 192.168.0.101 port 54350 ssh2
Nov 2 01:33:29 utils sshd[7312]: User child is on pid 7315
Nov 2 01:40:39 utils sshd[7315]: Connection closed by 192.168.0.101
Nov 2 01:40:39 utils sshd[7315]: Transferred: sent 134600, received 17136 bytes
Nov 2 01:40:39 utils sshd[7315]: Closing connection to 192.168.0.101 port 54350

There doesn't appear to be any of those other options in /var/log and the only other text file that is being logged is secure (and all it shows is the su commands).

I have tried quite a number of passphrases, even some really complicated ones just to ensure there wasn't a minimum security level set.
I tried even setting the passphrase to none as a test, but the login attempts are rejected.

I guess the upside is I'm getting really familiar with ssh and scp! ;-)

Ok. Lets start from the beginning ...

You used ssh-keygen to create an RSA private and public key (with or without a passphrase).
You copied the public key to the remote host ... into your .ssh directory
Then you tried to connect.
Publickey authentication fails.

Is that correct ?

Here's the output from ssh -vvv 192.168.0.100 if it helps.

OpenSSH_5.1p1, OpenSSL 0.9.8i 15 Sep 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/sysfce2/.ssh/id_rsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 125/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/sysfce2/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.100' is known and matches the RSA host key.
debug1: Found key in /home/sysfce2/.ssh/known_hosts:1
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/sysfce2/.ssh/id_rsa ((nil))
debug3: input_userauth_banner
*Message Here*
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sysfce2/.ssh/id_rsa
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sysfce2@192.168.0.100's password:
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Mon Nov 2 01:40:48 2009 from main.localdomain
Linux 2.6.27.7-smp.

My mother wants grandchildren, so I said, "Mom, go for it!"
-- Sue Murphy

sysfce2@Utils:~$ exitdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close

logout
Closing SSH Session...debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e 6 c -1
Connection to 192.168.0.100 closed.
Transferred: sent 1888, received 3144 bytes, in 5.0 seconds
Bytes per second: sent 374.1, received 623.0
debug1: Exit status 0

Quote:

Originally Posted by dxqcanada (Post 3740610)

Yes, that is correct. EDIT: (into /home/sysfce2/.ssh/)

Your debug output:

debug1: Trying private key: /home/sysfce2/.ssh/id_rsa
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method

This tells me that you are typing in the wrong Passphrase that is set on your /home/sysfce2/.ssh/id_rsa file.

I would suggest ... on your local machine: delete your id_rsa and id_rsa.pub that you have anywhere
Run "rsa-keygen" without any parameters.
Hit enter when passphrase is requested.
Copy your id_rsa.pub to the remote host.

Ok, now I'm getting no passphrase prompt. Here's the debug output:

OpenSSH_5.1p1, OpenSSL 0.9.8i 15 Sep 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/sysfce2/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/sysfce2/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 495/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/sysfce2/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.100' is known and matches the RSA host key.
debug1: Found key in /home/sysfce2/.ssh/known_hosts:1
debug2: bits set: 489/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/sysfce2/.ssh/id_rsa (0x80a1918)
debug3: input_userauth_banner
*Message Here*
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/sysfce2/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

And the messages log:

Nov 2 02:35:33 utils sshd[7655]: Connection from 192.168.0.101 port 53174
Nov 2 02:35:33 utils sshd[7655]: Failed none for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:33 utils sshd[7655]: Failed publickey for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:37 utils sshd[7655]: Failed password for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:39 utils sshd[7655]: Accepted password for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:39 utils sshd[7655]: User child is on pid 7657

Check your /etc/ssh/ssh_config file

I haven't changed it from the first post.
I have not done anything with the ssh_config on the server side though - is it required?

Opps, forgot about that ... got ahead of myself.

I added in the rest of the debug info from ssh above - looks it didn't like that new rsa key file - I'll try one with a passphrase.

EDIT: Nope, same thing. I guess it must be the parameters to ssh-keygen.

Hmm, did you add your new public key to the remote system's authorized_keys file (and delete the old entry) ?

No, I just overwrote the whole file.