[SOLVED] "Passwordless" ssh key authentication attempt requests password on 2 of 3 recently-configured machines: why?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
"Passwordless" ssh key authentication attempt requests password on 2 of 3 recently-configured machines: why?
I recently, after accidentally overwriting the private key on one of the 3 computers on my LAN, decided to reimplement passwordless, key-pair authentication on these systems. The idea is that each of the three should be able to log in to any of the other two without using username/password credentials, but rather using key pairs. I got it successfully set up and working on one of them (machine1 in the examples below, which runs OpenSSL 1.1.0f, btw). Then I repeated, with appropriate modifications, the set-up process on the other two machines (which, incidentally, run LibreSSL 2.5.5).
Everything works as expected when I ssh from machine1 to either machine2 or machine3: no sort of password prompt. But when I try to ssh from either machine2 or machine3--either into machine1 or into each other--I get a password prompt like the following:
Code:
Enter passphrase for key '/home/user/.ssh/machine2.rsa'
This happens whether I rely on configuration data contained in ~/.ssh/config, or whether I issue a command like
Code:
ssh -i ~/.ssh/machine2.rsa user@machine3
In other words, it looks like the problem machines will not complete the negotiation unless I enter the passwords I set up for their private keys. Same happens from machine3 when trying to ssh into either machine1 or machine2.
I'm trying to figure out what could be going on here. I've checked permissions and have tried re-entering public keys into the relevant authorized_keys files, but without success so far (still get password prompt). I've looked at sshd configuration options and all seems to be fine there. /etc/ssh/ssh_config on all machines looks to be identical (just looking over them by eye--did not run diff on them). Anyone have suggestions on what could be going on here or things I might try, in order to get passwordless negotiation operative? Perhaps I'm bumping into some incompatibilities between LibreSSL and OpenSSL here? I'll post some relevant data excerpts below.
Permissions on relevant files (not identical but very close and all within accepted parameters, as I understand them):
Quote:
user@machine2:~/.ssh$ ls -lh
total 28K
-rw-r--r-- 1 user user 394 Aug 30 13:59 machine1.rsa.pub
-rw------- 1 user user 1.6K Aug 30 17:08 authorized_keys
-rw-r--r-- 1 user user 266 Aug 31 10:02 config
-rw-r--r-- 1 user user 878 Aug 31 10:29 known_hosts
-rw------- 1 user user 1.8K Aug 28 17:16 machine2.rsa
-rw-r--r-- 1 user user 397 Aug 28 17:16 machine2.rsa.pub
-rw-r--r-- 1 user user 394 Mar 6 18:12 machine3.rsa.pub
[user@machine3 .ssh]$ ls -lh
total 28K
-rw-r--r-- 1 user user 394 Aug 30 13:59 machine1.rsa.pub
-rw------- 1 user user 1.2K Aug 31 11:14 authorized_keys
-rw-r--r-- 1 user user 292 Aug 30 17:33 config
-rw-r--r-- 1 user user 689 Jan 26 2017 known_hosts
-rw------- 1 user user 397 Aug 28 17:16 machine2.rsa.pub
-rw------- 1 user user 1.8K Mar 6 18:12 machine3.rsa
-rw-r--r-- 1 user user 394 Mar 6 18:12 machine3.rsa.pub
[user@machine1 .ssh]$ ls -lh
total 28K
-rw------- 1 user users 1.7K Aug 30 13:59 machine1.rsa
-rw-r--r-- 1 user users 394 Aug 30 13:59 machine1.rsa.pub
-rw-r--r-- 1 user users 791 Aug 30 16:39 authorized_keys
-rw-r--r-- 1 user users 303 Aug 30 17:28 config
-rw-r--r-- 1 user users 16K Aug 30 01:18 known_hosts
-rw-r--r-- 1 user users 394 Mar 6 18:12 machine3.rsa.pub
-rw-r--r-- 1 user users 397 Aug 28 17:16 machine2.rsa.pub
Sample session initiated from one of the two problem machines, where password is asked:
Quote:
user@machine2:~/.ssh$ ssh -v machine3
OpenSSH_7.5p1, LibreSSL 2.5.5
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 10: Applying options for machine3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to machine3 [1.2.3.4] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/machine2.rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/machine2.rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to machine3:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:2n45Achi+4nRAN4+3rhKR2Bwo3R5Xv4ynUZQp7JS3KI
debug1: Host 'machine3' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:4
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/machine2.rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
Enter passphrase for key '/home/user/.ssh/machine2.rsa':
Content of ~/.ssh/config from one of the machines that's not working as needed (~/.ssh/config necessary owing to the fact that I have not used the default naming scheme for private keys):
When you created the keys you entered a passphrase which is a password that locks your private key. In a nutshell if someone gains physical access it will prevent them from accessing remote systems.
You can change the passphrase using the command
ssh-keygen -p
In other words, it looks like the problem machines will not complete the negotiation unless I enter the passwords I set up for their private keys.
Yes, that's how it should work. Perhaps on machine1 you have ssh-agent setup so that you only need to enter the password once per session (or you have an empty passphrase on machine1's private key)? What does running
Thanks for your input, ntubski and michaelk. Running that command on the machine where I can log in without being challenged for a password (the one that runs openssh) I get:
Quote:
Could not open a connection to your authentication agent.
Does that tell us anything? I don't think I set up an empty passphrase on machine1, but that's something I'll have to double-check.
Ok, you've put me onto the right path for identifying the user error here, ntubski and michaelk. This is a matter of user error/faulty memory, since ssh-keygen -yf machine1.rsa simply cat's the key's contents to stdout. To me that means that, contrary to my recollections about creating this key some years ago, I did, in fact, leave the passphrase empty. This has also helped me comprehend something important about the workings of key-negotiated ssh: namely, that it does not, without addition of other aids such as ssh-agent, allow one to forego entering passwords (if they've encrypted their private key with a passphrase). Since I have just now created the keys for machine2 and machine3, I do definitely remember setting passphrases for those. So, unmysterious mystery solved here. Thanks.
You may want to install the keychain package on each machine and create a .keychain directories in each home directory.
Quote:
Keychain is a manager for OpenSSH, ssh.com, Sun SSH and GnuPG agents.
It acts as a front-end to the agents, allowing you to easily have one long-running agent process per system, rather than per login session.
This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted.
You may want to install the keychain package on each machine and create a .keychain directories in each home directory.
Thanks for the great suggestion, KenJackson. I'm currently testing it and it looks like this utility could serve my needs really well. Heck, I might even add a passphrase to the key I only recently realized had not been set up with one, if this utility continues to perform as well as it has been so far!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.