LinuxQuestions.org


amandaventura 05-24-2019 01:02 PM

RSA key copy is not working
 
Hi everyone,
I must access a remote host (on port 2022) without password requirement. So I ran 'ssh-keygen' on my personal computer and copied the id_rsa.pub to the authorized_keys inside the ~/.ssh folder of the remote host. I also ran 'ssh-copy-id -i remote-host', but I could not log in without a password. How can I solve it?


The login with '-v' argument prints:

.
.
....some bla bla bla here...
.
debug1: Host '[myhost]:2022' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/medea/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

Turbocapitalist 05-24-2019 01:22 PM

Something about the public key or how it is stored on the remote host is off.

Check the permissions on the remote host for your home directory, your .ssh directory, and the authorized_keys file. No other accounts should be able to write to any of them. Also, the public key should be in the authorized_keys file there whole and unbroken on a single line.

If that does not work, then try again from the beginning:

Code:

ssh-keygen -f ~/.ssh/remote-host-rsa -t rsa -b 3072
ssh-copy-id -i ~/.ssh/remote-host-rsa remotehost.example.com

ssh-add ~/.ssh/remote-host-rsa
ssh -i ~/.ssh/remote-host-rsa amandaventura@remotehost.example.com

See "man ssh-keygen" and scroll down to the options you have used, such as -f, -t, and -b.

RSA is kind of on the way out though. So if you do not need RSA specifically, say for hardware token compatibility, then you should be using a more advanced algorithm like Ed25519:

Code:

# do once for setup
ssh-keygen -f ~/.ssh/remote-host-ed25519 -t ed25519
ssh-copy-id -i ~/.ssh/remote-host-ed25519 remotehost.example.com

# do once per desktop session
ssh-add ~/.ssh/remote-host-ed25519

# log in this way
ssh -i ~/.ssh/remote-host-ed25519 amandaventura@remotehost.example.com

When you have things the way you like it, you can add some of those options into the client configuration file as a shortcut. See "man ssh_config" about that.
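
The permission check described in this post (no other account may write to the home directory, the .ssh directory, or the authorized_keys file), as an added shell example that is not part of the original thread. It assumes sshd is running with its default StrictModes behaviour; the function name check_ssh_perms is hypothetical.

```shell
#!/bin/sh
# Added example: audit the paths sshd inspects before it will trust
# authorized_keys (assumes StrictModes is left at its default, "yes").
# Usage: check_ssh_perms HOME_DIR [USERNAME]
# Prints one line per problem; returns 0 if clean, 1 otherwise.

# Octal permission bits and numeric owner (GNU stat first, BSD stat fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
uid_of()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

check_ssh_perms() {
    home=$1
    uid=$(id -u ${2:+"$2"})      # uid of USERNAME, or of the caller
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=1; continue
        fi
        m=$(mode_of "$p")
        o=$(uid_of "$p")
        # The owner must be the account itself or root.
        if [ "$o" -ne "$uid" ] && [ "$o" -ne 0 ]; then
            echo "OWNER    $p is owned by uid $o, expected $uid or 0"; bad=1
        fi
        # 022 = group-write | other-write; either bit makes the path unsafe.
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WRITABLE $p has mode $m (group or other can write)"; bad=1
        fi
    done
    return $bad
}

# Run as a script: sh check.sh /home/users/amandaventura amandaventura
if [ "$#" -gt 0 ]; then check_ssh_perms "$@"; fi
```

Run it on the remote host against the account's home directory; any WRITABLE or OWNER line names the path to fix.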

camorri 05-24-2019 01:30 PM

Some things to check. The permissions on the .ssh directory and the authorized keys file are critical. They will not work if incorrect. They should be set to 700 for the .ssh directory and 600 for the authorized keys file.

Your post seems to be saying you copied the generated RSA key twice. Could you clarify?

The ssh-copy-id script is used to copy the client key to the remote server, and add it to the authorized keys file. It is normal to get a prompt for a password when you copy a key to a remote ssh server.

Another thing to look at: is the authorized keys file in your remote /home/yourname/.ssh, or is this file someplace else on the remote server?

amandaventura 05-28-2019 08:52 AM

I already verified the permissions and on the remote host, they are 700 for the .ssh folder and 600 for authorized_keys. And .ssh is inside the computer in /home/users/amandaventura(my user)/.ssh. I also tried to generate an ed key and log in as Turbocapitalist suggested but it still requests my password every time. Camorri, I generated the key once and it was added twice in the authorized_keys file, but now I tried to generate the keys from another computer following Turbocapitalist's method, and it still does not work...

scasey 05-28-2019 09:10 AM

Quote:

Originally Posted by amandaventura (Post 5999737)
I already verified the permissions and in the remote-host, they are 700 for .ssh folder and 600 for authorized_keys. And .ssh is inside the computer in /home/users/amandaventura(my user)/.ssh.

Hmm. Your OP said
Code:

debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519

...but you're saying here that you checked for the key in /home/users/amandaventura/.ssh
Is that an oops in obfuscation here, or are you not using the same user to login that you did to generate and copy?

amandaventura 05-28-2019 09:14 AM

/home/medea/.ssh is in my personal computer and home/users/amandaventura(is my user)/.ssh is the location in remote-host

camorri 05-28-2019 09:20 AM

I'm going to suggest you start sshd on the server in debug mode. See the man page for information. You have to stop it, assuming it is running normally. Start it with the -d option. Messages are dumped to standard out.

Then try to connect. Have a look through the output, usually the console on the server. You should get a clue as to why it's failing.

scasey 05-28-2019 09:23 AM

Quote:

Originally Posted by amandaventura (Post 5999743)
/home/medea/.ssh is in my personal computer and home/users/amandaventura(is my user)/.ssh is the location in remote-host

Ah. Did you specify the amandaventura@remotehost when you attempted to ssh to it?
I'm guessing not, since it's looking for your local username on the remote server.

Please post the exact ssh command that's failing. You can/should obfuscate the server name.

amandaventura 05-28-2019 09:41 AM

Scasey, I used
Quote:

ssh-copy-id -i ~/.ssh/remote-host-rsa -p 2022 amandaventura@myhost.com
and the authorized_keys was updated with my key, so I think the command is correct. I usually log in as
Quote:

ssh -p 2022 amandaventura@myhost.com
Camorri, can I start the debug process without admin rights?

amandaventura 05-28-2019 09:45 AM

There is another thing that I just remembered. This usual process used to work BEFORE transferring some files using rsync instead of ssh. After the upload of files, I could not log in anymore without a password and I am trying to fix it. Maybe there is a correlation... it is not obvious to me...

Here is the ssh_config file

# $OpenBSD: ssh_config,v 2.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# SGI
StrictHostKeyChecking no
UsePrivilegedPort no
#ForwardX11 no

scasey 05-28-2019 11:02 AM

Quote:

Originally Posted by amandaventura (Post 5999753)
Scasey, I used and the authorized_keys was updated with my key, so I think the command is correct. I usually log in as

The authorized_keys in /home/amandaventura/.ssh, right?
Then I wonder why, in your OP, it's looking for the key in /home/medea/.ssh ??

rsync can use ssh for file transfer... which "some files" were transferred?

Note that ssh_config is for the client, not the server. Is that ssh_config on the server? It wouldn't be used here.
What's in sshd_config on the server?

michaelk 05-28-2019 01:46 PM

Quote:

debug1: Offering RSA public key: /home/medea/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519
Which means an id_rsa key exists and was sent to the server but was not accepted. Since the key was not accepted, the ssh client will automatically check to see if any of the other default key files exist and if so will try them. If your private key file is not a default file name as below, you need to specify it on the command line or in your ~/.ssh/config file.

Although you did indicate you were using id_rsa/id_rsa.pub in your first post, you also posted a similar command below, which means that the public key in the server's authorized key file might be messed up. It might be worth deleting it and starting over.

Quote:

ssh-copy-id -i ~/.ssh/remote-host-rsa -p 2022 amandaventura@myhost.com
ssh-copy-id defaults to id_rsa.pub unless you specify another key via -i. Make sure you specify the public and not the private key; it isn't obvious from your post that you are specifying the public key.

Nevermind...

amandaventura 05-28-2019 01:54 PM

Thank you all, I found the answer! Somehow using RSYNC for transfer changed the permission of my_user folder in remote-host!
So I used in the remote host:
Quote:

chmod -R 775 amandaventura
And it worked! My permission on .ssh and authorized_keys on the remote host were right, as well as id_rsa.pub and .ssh in the local computer but the folder amandaventura in the remote computer was the answer!
If I use RSYNC again, I should remember this.

