LinuxQuestions.org
Old 05-24-2019, 02:02 PM   #1
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Rep: Reputation: Disabled
RSA key copy is not working


Hi everyone,
I must access a remote host (on port 2022) without a password requirement. So I ran 'ssh-keygen' on my personal computer and copied the id_rsa.pub to the authorized_keys inside the ~/.ssh folder of the remote host. I also ran 'ssh-copy-id -i remote-host', but I could not log in without a password. How can I solve it?


The login with '-v' argument prints:

.
.
....some bla bla bla here...
.
debug1: Host '[myhost]:2022' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/medea/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
 
Old 05-24-2019, 02:22 PM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,469
Blog Entries: 3

Rep: Reputation: 2230
Something about the public key or how it is stored on the remote host is off.

Check the permissions on the remote host for your home directory, your .ssh directory, and the authorized_keys file. No other accounts should be able to write to any of them. Also, the public key should be in the authorized_keys file there whole and unbroken on a single line.

If that does not work, then try again from the beginning:

Code:
ssh-keygen -f ~/.ssh/remote-host-rsa -t rsa -b 3072
ssh-copy-id -i ~/.ssh/remote-host-rsa remotehost.example.com

ssh-add ~/.ssh/remote-host-rsa
ssh -i ~/.ssh/remote-host-rsa amandaventura@remotehost.example.com
See "man ssh-keygen" and scroll down to the options you have used, such as -f, -t, and -b.

RSA is kind of on the way out though. So if you do not need RSA specifically, say for hardware token compatibility, then you should be using a more advanced algorithm like Ed25519:

Code:
# do once for setup
ssh-keygen -f ~/.ssh/remote-host-ed25519 -t ed25519
ssh-copy-id -i ~/.ssh/remote-host-ed25519 remotehost.example.com

# do once per desktop session
ssh-add ~/.ssh/remote-host-ed25519

# log in this way
ssh -i ~/.ssh/remote-host-ed25519 amandaventura@remotehost.example.com
When you have things the way you like it, you can add some of those options into the client configuration file as a shortcut. See "man ssh_config" about that.
 
Old 05-24-2019, 02:30 PM   #3
camorri
LQ Veteran
 
Registered: Nov 2002
Location: Somewhere inside 9.9 million sq. km. Canada
Distribution: Slackware 14.1, 14.2, current, slackware-arm-currnet
Posts: 5,458

Rep: Reputation: 628
Some things to check. The permissions on the .ssh directory and the authorized keys file are critical. They will not work if incorrect. They should be set to 700 for the .ssh directory and 600 for the authorized keys file.

Your post seems to be saying you copied the generated RSA key twice. Could you clarify?

The ssh-copy-id script is used to copy the client key to the remote server, and add it to the authorized keys file. It is normal to get a prompt for a password when you copy a key to a remote ssh server.

Another thing to look at: is the authorized keys file in your remote /home/yourname/.ssh, or is this file someplace else on the remote server?
 
Old 05-28-2019, 09:52 AM   #4
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Original Poster
Rep: Reputation: Disabled
I already verified the permissions on the remote host; they are 700 for the .ssh folder and 600 for authorized_keys. And .ssh is inside the computer in /home/users/amandaventura(my user)/.ssh. I also tried to generate an ed key and log in as Turbocapitalist suggested, but it still requests my password every time. Camorri, I generated the key once and it was added twice in the authorized_keys file, but now I tried to generate the keys from another computer following Turbocapitalist's method, and it still does not work...
 
Old 05-28-2019, 10:10 AM   #5
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,384

Rep: Reputation: 1553
Quote:
Originally Posted by amandaventura View Post
I already verified the permissions and in the remote-host, they are 700 for .ssh folder and 600 for authorized_keys. And .ssh is inside the computer in /home/users/amandaventura(my user)/.ssh.
Hmm. Your OP said
Code:
debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519
...but you're saying here that you checked for the key in /home/users/amandaventura/.ssh
Is that an oops in obfuscation here, or are you not using the same user to log in that you did to generate and copy?
 
Old 05-28-2019, 10:14 AM   #6
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Original Poster
Rep: Reputation: Disabled
/home/medea/.ssh is in my personal computer and home/users/amandaventura(is my user)/.ssh is the location in remote-host
 
Old 05-28-2019, 10:20 AM   #7
camorri
LQ Veteran
 
Registered: Nov 2002
Location: Somewhere inside 9.9 million sq. km. Canada
Distribution: Slackware 14.1, 14.2, current, slackware-arm-currnet
Posts: 5,458

Rep: Reputation: 628
I'm going to suggest you start sshd on the server in debug mode. See the man page for information. You have to stop it, assuming it is running normally. Start it with the -d option. Messages are dumped to standard out.

Then try to connect. Have a look through the output, usually the console on the server. You should get a clue to why it's failing.
 
Old 05-28-2019, 10:23 AM   #8
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,384

Rep: Reputation: 1553
Quote:
Originally Posted by amandaventura View Post
/home/medea/.ssh is in my personal computer and home/users/amandaventura(is my user)/.ssh is the location in remote-host
Ah. Did you specify the amandaventura@remotehost when you attempted to ssh to it?
I'm guessing not, since it's looking for your local username on the remote server.

Please post the exact ssh command that's failing. You can/should obfuscate the server name.

Last edited by scasey; 05-28-2019 at 10:26 AM.
 
Old 05-28-2019, 10:41 AM   #9
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Original Poster
Rep: Reputation: Disabled
Scasey, I used
Quote:
ssh-copy-id -i ~/.ssh/remote-host-rsa -p 2022 amandaventura@myhost.com
and the authorized_keys was updated with my key, so I think the command is correct. I usually log in as
Quote:
ssh -p 2022 amandaventura@myhost.com
Camorri, can I start the debug process without admin rights?
 
Old 05-28-2019, 10:45 AM   #10
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Original Poster
Rep: Reputation: Disabled
There is another thing that I just remembered. This usual process used to work BEFORE I transferred some files using rsync instead of ssh. After the upload of files, I could not log in anymore without a password and I am trying to fix it. Maybe there is a correlation... it is not obvious to me...

Here is the ssh_config file

# $OpenBSD: ssh_config,v 2.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# SGI
StrictHostKeyChecking no
UsePrivilegedPort no
#ForwardX11 no

Last edited by amandaventura; 05-28-2019 at 10:51 AM.
 
Old 05-28-2019, 12:02 PM   #11
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,384

Rep: Reputation: 1553
Quote:
Originally Posted by amandaventura View Post
Scasey, I used and the authorized_keys was updated with my key, so I think the command is correct. I usually log in as
The authorized_keys in /home/amandaventura/.ssh, right?
Then I wonder why, in your OP, it's looking for the key in /home/medea/.ssh ??

rsync can use ssh for file transfer...which "some files" were transferred?

Note that ssh_config is for the client, not the server. Is that ssh_config on the server? It wouldn't be used here.
What's in sshd_config on the server?
 
Old 05-28-2019, 02:46 PM   #12
michaelk
Moderator
 
Registered: Aug 2002
Posts: 19,551

Rep: Reputation: 3144
Quote:
debug1: Offering RSA public key: /home/medea/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/medea/.ssh/id_dsa
debug1: Trying private key: /home/medea/.ssh/id_ecdsa
debug1: Trying private key: /home/medea/.ssh/id_ed25519
Which means an id_rsa key exists and was sent to the server but was not accepted. Since the key was not accepted, the ssh client will automatically check to see if any of the other default key files exist and, if so, will try them. If your private key file is not a default file name as below, you need to specify it on the command line or in your ~/.ssh/config file.

Although you did indicate you were using id_rsa/id_rsa.pub in your first post, you also posted a similar command below, which means that the public key in the server's authorized key file might be messed up. It might be worth deleting it and starting over.

Quote:
ssh-copy-id -i ~/.ssh/remote-host-rsa -p 2022 amandaventura@myhost.com
ssh-copy-id defaults to id_rsa.pub unless you specify another key via -i. Make sure you specify the public and not the private key; it isn't obvious from your post that you are specifying the public key.

Nevermind...

Last edited by michaelk; 05-28-2019 at 02:56 PM.
 
Old 05-28-2019, 02:54 PM   #13
amandaventura
LQ Newbie
 
Registered: May 2019
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thank you all, I found the answer! Somehow using RSYNC for transfer changed the permission of my_user folder in remote-host!
So I used in the remote host:
Quote:
chmod -R 775 amandaventura
And it worked! My permission on .ssh and authorized_keys on the remote host were right, as well as id_rsa.pub and .ssh in the local computer but the folder amandaventura in the remote computer was the answer!
If I use RSYNC again, I should remember this.
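
The checks the replies above describe (home directory, .ssh and authorized_keys not writable by other accounts, each public key whole on a single line) can be run in one pass on the remote host. This is an added example, not code from any post in the thread; it assumes GNU stat, applies the same owner and write-bit test that sshd's StrictModes option applies, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as found on Linux.
# Mirrors what sshd's StrictModes inspects: the home directory, ~/.ssh and
# authorized_keys must be owned by the user (or root) and must not be
# writable by group or other.

# check_mode PATH UID: report one path; return 1 when it would be rejected
check_mode() {
    st=$(stat -c '%a %u' -- "$1" 2>/dev/null) || { echo "MISSING  $1"; return 1; }
    mode=${st% *}; owner=${st#* }
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $1 belongs to uid $owner, expected $2 or root"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then      # 022 = group-write | other-write
        echo "WRITABLE $1 has mode $mode (group or other can write)"; return 1
    fi
    echo "ok       $1 ($mode)"
}

# check_keys FILE: every entry must be a key type plus its base64 blob on ONE line
check_keys() {
    bad=0; n=0
    re='(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[^ ]+) AAAA[A-Za-z0-9+/]+=*( |$)'
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq "$re"; then
            echo "BROKEN   $1 line $n is not a complete key entry"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# audit_ssh_path HOME_DIR [UID]: return 0 only when every check passes
audit_ssh_path() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_mode "$p" "$uid" || rc=1
    done
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_keys "$home/.ssh/authorized_keys" || rc=1
    fi
    return "$rc"
}

# Run as: sh audit.sh "$HOME"   (on the remote host, as the account's owner)
if [ "$#" -gt 0 ]; then audit_ssh_path "$@"; fi
```

A key that was pasted with a line break in the middle shows up as a BROKEN continuation line, because the second half has no key type in front of it.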
 
  


All times are GMT -5.