passphrase authentication fails using rsa with OpenSSH 5.1p1 (Slackware 12.2)
While attempting an RSA key based login, ssh prompts for the passphrase three times and then defaults to password login (at which point I can log in normally).
Using -vvv on the ssh command line gives "debug2: bad passphrase given, try again..." after each passphrase attempt. Both server and client are using Slackware 12.2.

Here is the client ssh_config:

Port 22
Protocol 2
#RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
HostbasedAuthentication no
#EnableSSHKeysign yes
StrictHostKeyChecking ask
IdentityFile ~/.ssh/id_rsa

And the server sshd_config:

Port 22
Protocol 2
PasswordAuthentication yes
LogLevel VERBOSE
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers sysfce2
StrictModes yes
MaxAuthTries 6
MaxSessions 4
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
ChallengeResponseAuthentication yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 600
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid

I am using "ssh-keygen -t rsa -b 2048 -f id_rsa" to generate the keys and then copying id_rsa.pub to ~/.ssh/authorized_keys (although I have tried dsa and other variations). What else can I try? |
When you ran ssh-keygen, it would have asked you to enter a passphrase.
This is what is failing. When SSH attempts to use your keyfile ... it needs the passphrase. If you have forgotten your passphrase you will need to generate a new key. |
Check file and directory permissions maybe - ~/.ssh should be 700, private key files and authorized_keys[2] should be 600, both server and client side. And look for clues in the server side logs (/var/log/messages? /var/log/auth? /var/log/sshd?)
|
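The permission rules the post above refers to are the ones sshd enforces with StrictModes yes on the server (home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable) and the one the ssh client enforces on a private key (no group/other bits at all, otherwise the key is skipped). The following is an added example, not code from the thread: it reproduces both checks with os.stat and runs them against a throwaway home directory that it builds and deliberately misconfigures. The function names, the temporary directory layout and the placeholder file contents are all this example's own.

```python
"""Added example: the file-permission checks sshd (StrictModes) and ssh apply
to public key authentication, run against a constructed temporary home."""
import os
import stat
import tempfile


def check_strict_modes(home, user_uid, authorized_keys=".ssh/authorized_keys"):
    """Walk home -> ~/.ssh -> authorized_keys the way sshd's StrictModes does.

    Each path must exist, be owned by the user (or root), and must not be
    group- or world-writable. Returns a list of (path, problem); an empty
    list means sshd would accept the authorized_keys file."""
    findings = []
    chain = (home, os.path.join(home, ".ssh"), os.path.join(home, authorized_keys))
    for path in chain:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (user_uid, 0):
            findings.append((path, "owned by uid %d, expected %d or 0" % (st.st_uid, user_uid)))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group/world writable (mode %04o)" % mode))
    return findings


def check_private_key(path):
    """Client-side rule: a private key with any group/other bits set is ignored by ssh."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [(path, "accessible by others (mode %04o); ssh will not use it" % mode)]
    return []


def demo():
    """Build a temporary home with two classic mistakes, then apply 700/600.

    Returns the findings before and after the fix, with paths relative to home."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        ak = os.path.join(ssh_dir, "authorized_keys")
        key = os.path.join(ssh_dir, "id_rsa")
        for p in (ak, key):
            with open(p, "w") as fh:
                fh.write("# constructed placeholder, not a real key\n")
        # Mistakes: ~/.ssh left group-writable, private key world-readable.
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o775)
        os.chmod(ak, 0o600)
        os.chmod(key, 0o644)
        before = check_strict_modes(home, os.getuid()) + check_private_key(key)
        # The fix suggested in the thread: 700 on ~/.ssh, 600 on the private key.
        os.chmod(ssh_dir, 0o700)
        os.chmod(key, 0o600)
        after = check_strict_modes(home, os.getuid()) + check_private_key(key)
        rel = lambda p: os.path.relpath(p, home)
        return {"before": [rel(p) + ": " + why for p, why in before],
                "after": [rel(p) + ": " + why for p, why in after]}


if __name__ == "__main__":
    for stage, items in demo().items():
        print(stage, items or "clean")
```

To run the same checks on a real account, call check_strict_modes with the user's home directory and uid on the server, and check_private_key on the client's key file; on the server, a StrictModes rejection is also logged by sshd at the "Authentication refused: bad ownership or modes" level, which is worth grepping for in /var/log/messages before touching anything else.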
I have been changing the permissions to 700/600 on both sides, but I tried again with no success.
One thing that I tried new was to name a copy of id_rsa.pub authorized_keys on the client side, but I didn't think that was really necessary. It didn't help either. Here's what I get in /var/log/messages:

Nov 2 01:33:05 utils sshd[7312]: Connection from 192.168.0.101 port 54350
Nov 2 01:33:05 utils sshd[7312]: Failed none for sysfce2 from 192.168.0.101 port 54350 ssh2
Nov 2 01:33:29 utils sshd[7312]: Accepted password for sysfce2 from 192.168.0.101 port 54350 ssh2
Nov 2 01:33:29 utils sshd[7312]: User child is on pid 7315
Nov 2 01:40:39 utils sshd[7315]: Connection closed by 192.168.0.101
Nov 2 01:40:39 utils sshd[7315]: Transferred: sent 134600, received 17136 bytes
Nov 2 01:40:39 utils sshd[7315]: Closing connection to 192.168.0.101 port 54350

There doesn't appear to be any of those other options in /var/log and the only other text file that is being logged is secure (and all it shows is the su commands). I have tried quite a number of passphrases, even some really complicated ones just to ensure there wasn't a minimum security level set. I tried even setting the passphrase to none as a test, but the login attempts are rejected. I guess the upside is I'm getting really familiar with ssh and scp! ;-) |
Ok. Lets start from the beginning ...
You used ssh-keygen to create an RSA private and public key (with or without a passphrase). You copied the public key to the remote host ... into your .ssh directory. Then you tried to connect. Publickey authentication fails. Is that correct? |
Here's the output from ssh -vvv 192.168.0.100 if it helps.
OpenSSH_5.1p1, OpenSSL 0.9.8i 15 Sep 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/sysfce2/.ssh/id_rsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 125/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/sysfce2/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.100' is known and matches the RSA host key.
debug1: Found key in /home/sysfce2/.ssh/known_hosts:1
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/sysfce2/.ssh/id_rsa ((nil))
debug3: input_userauth_banner
*Message Here*
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sysfce2/.ssh/id_rsa
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sysfce2@192.168.0.100's password:
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Mon Nov 2 01:40:48 2009 from main.localdomain
Linux 2.6.27.7-smp.
My mother wants grandchildren, so I said, "Mom, go for it!"
-- Sue Murphy
sysfce2@Utils:~$ exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
logout
Closing SSH Session...
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e 6 c -1
Connection to 192.168.0.100 closed.
Transferred: sent 1888, received 3144 bytes, in 5.0 seconds
Bytes per second: sent 374.1, received 623.0
debug1: Exit status 0 |
Your debug output:
debug1: Trying private key: /home/sysfce2/.ssh/id_rsa
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/sysfce2/.ssh/id_rsa':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method

This tells me that you are typing in the wrong passphrase that is set on your /home/sysfce2/.ssh/id_rsa file. I would suggest ... on your local machine:

delete your id_rsa and id_rsa.pub that you have anywhere
Run "rsa-keygen" without any parameters.
Hit enter when passphrase is requested.
Copy your id_rsa.pub to the remote host. |
Ok, now I'm getting no passphrase prompt. Here's the debug output:
OpenSSH_5.1p1, OpenSSL 0.9.8i 15 Sep 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/sysfce2/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/sysfce2/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 495/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/sysfce2/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.100' is known and matches the RSA host key.
debug1: Found key in /home/sysfce2/.ssh/known_hosts:1
debug2: bits set: 489/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/sysfce2/.ssh/id_rsa (0x80a1918)
debug3: input_userauth_banner
*Message Here*
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/sysfce2/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

And the messages log:

Nov 2 02:35:33 utils sshd[7655]: Connection from 192.168.0.101 port 53174
Nov 2 02:35:33 utils sshd[7655]: Failed none for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:33 utils sshd[7655]: Failed publickey for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:37 utils sshd[7655]: Failed password for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:39 utils sshd[7655]: Accepted password for sysfce2 from 192.168.0.101 port 53174 ssh2
Nov 2 02:35:39 utils sshd[7655]: User child is on pid 7657 |
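Reading the output in that post: the "Not a RSA1 key file" and "unknown key type '-----BEGIN'" lines are just the client trying the other on-disk key formats before settling on "identity file ... type 1" and are not an error. The telling part is "Offering public key" followed by sshd repeating the method list and logging "Failed publickey", which is what happens when no line of the server's authorized_keys decodes to the same key blob the client offered (or when StrictModes rejected the file). The usual reasons are a public key line that was wrapped or truncated while being pasted, DOS line endings, or a stale entry from an earlier key. The following is an added example, not code from the thread or from OpenSSH: it parses authorized_keys the way the file format works (optional options, key type, base64 blob, comment), decodes each blob strictly, and reports whether the client key is present byte for byte. All key material in it is constructed test data (a well-formed ssh-rsa blob around a meaningless modulus), and the function names are this example's own.

```python
"""Added example: is the client's public key really in the server's authorized_keys?
All keys below are constructed test data, not real key material."""
import base64
import binascii
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """SSH wire string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """SSH mpint for a non-negative integer (leading zero byte if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _walk_strings(blob):
    """Split a key blob into its SSH strings; None if a length runs past the end."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            return None
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_key_line(line):
    """Return (options, keytype, base64, comment), or None if this is not a key line.

    Options such as from="..." or command="..." come before the key type and may
    contain quoted spaces, so the key type token is located first."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def decode_blob(keytype, b64):
    """Strict base64 decode plus a structural check. Returns (blob, problems)."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return None, ["base64 decode failed: %s" % exc]
    fields = _walk_strings(blob)
    if not fields:
        return blob, ["blob is truncated or malformed"]
    embedded = fields[0].decode("ascii", "replace")
    if embedded != keytype:
        return blob, ["declared type %r but blob says %r" % (keytype, embedded)]
    return blob, []


def fingerprints(blob):
    """MD5 colon form (what ssh-keygen -l printed in OpenSSH 5.x) and the SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ("MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha)


def find_key(pubkey_line, authorized_keys_text):
    """Find the first authorized_keys line whose decoded blob equals the client key's.

    Comparing decoded bytes means a different comment or added options still
    match, while a wrapped, truncated or re-encoded line does not."""
    parsed = parse_key_line(pubkey_line)
    if parsed is None:
        raise ValueError("client public key line is not parseable")
    _, want_type, want_b64, _ = parsed
    want_blob, probs = decode_blob(want_type, want_b64)
    if probs:
        raise ValueError("client public key is invalid: " + "; ".join(probs))
    report = {"match_line": None, "problems": [], "fingerprints": fingerprints(want_blob)}
    for lineno, line in enumerate(authorized_keys_text.split("\n"), 1):
        if "\r" in line:
            report["problems"].append((lineno, "carriage return (DOS line ending?)"))
            line = line.replace("\r", "")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_key_line(line)
        if rec is None:
            report["problems"].append((lineno, "not a key line (wrapped continuation?)"))
            continue
        blob, probs = decode_blob(rec[1], rec[2])
        report["problems"].extend((lineno, p) for p in probs)
        if blob == want_blob and report["match_line"] is None:
            report["match_line"] = lineno
    return report


# Constructed sample data: a well-formed ssh-rsa blob around a tiny fake modulus.
_FAKE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(int("c0ffee" * 10, 16))
_FAKE_B64 = base64.b64encode(_FAKE_BLOB).decode()
CLIENT_PUB = "ssh-rsa %s sysfce2@main" % _FAKE_B64
GOOD_AUTHORIZED_KEYS = "# constructed sample\n" + CLIENT_PUB + "\n"
# The same key after a terminal paste wrapped the line in two.
WRAPPED_AUTHORIZED_KEYS = "ssh-rsa %s\n%s sysfce2@main\n" % (_FAKE_B64[:40], _FAKE_B64[40:])
CRLF_AUTHORIZED_KEYS = CLIENT_PUB + "\r\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD_AUTHORIZED_KEYS), ("wrapped", WRAPPED_AUTHORIZED_KEYS),
                       ("crlf", CRLF_AUTHORIZED_KEYS)):
        print(name, find_key(CLIENT_PUB, text))
```

For a real key, feed find_key the line printed by "ssh-keygen -y -f ~/.ssh/id_rsa" on the client rather than a copy of id_rsa.pub: -y re-derives the public key from the private one (prompting for the passphrase, so it also settles offline whether the passphrase is right) and therefore guarantees the line being looked for belongs to the key ssh is actually offering. "ssh-keygen -l -f" on both files prints the MD5 fingerprint in this OpenSSH version and should give the same value as the report's fingerprints entry.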
Check your /etc/ssh/ssh_config file
|
I haven't changed it from the first post.
I have not done anything with the ssh_config on the server side though - is it required? |
Oops, forgot about that ... got ahead of myself.
|
I added in the rest of the debug info from ssh above - looks like it didn't like that new rsa key file - I'll try one with a passphrase.
EDIT: Nope, same thing. I guess it must be the parameters to ssh-keygen. |
Hmm, did you add your new public key to the remote system's authorized_keys file (and delete the old entry)?
|
No, I just overwrote the whole file.
|