SSH keeps requesting my password if I use a keyfile other than default

6

2

I have a keyfile named KEY, which has KEY and KEY.pub. I upload the pub to authorized_keys, and add the private with

ssh-add /home/user/.ssh/KEY

But when I try to connect with ssh user@host.com, it keeps asking me for the password.

If I generate a key with ssh-keygen and leave the default key name, uploading the pub and loading the private, it does not request a password.

What could the problem be?

Gabriel A. Zorrilla

Posted 2010-09-12T19:27:39.027

Reputation: 3 245

Answers

8

With ssh -vvv user@host.com you can get the debug output and it will probably tell you that it can't authenticate with ~/.ssh/id_rsa (ssh's default key file). The answer is to tell ssh which key to use:

ssh -i /home/user/.ssh/KEY user@host.com

You can also add your per-host keyfile to your .ssh/config, then you'll just have to type ssh host.com and user/key are selected automatically.

Example entry for .ssh/config (For more information see man ssh_config):

Host mysshserver ssh.host.com
    HostName ssh.host.com
    User myusername
    IdentityFile ~/.ssh/mykeyfile


Explanation of keyfiles from man ssh:

 -i identity_file
             Selects a file from which the identity (private key) for RSA or
             DSA authentication is read.  The default is ~/.ssh/identity for
             protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro‐
             tocol version 2.  Identity files may also be specified on a per-
             host basis in the configuration file.  It is possible to have
             multiple -i options (and multiple identities specified in config‐
             uration files).

user16115

Posted 2010-09-12T19:27:39.027

Reputation:

I'm getting a bad configuration option when adding the ssh -i line:

/home/gabriel/.ssh/config: line 2: Bad configuration option: ssh – Gabriel A. Zorrilla – 2010-09-12T20:48:49.157

@Gabriel: "ssh -i /home/user/.ssh/KEY user@host.com" works only from the commandline. The configfile option is different and I've updated my answer with an example entry for the .ssh/config file. – None – 2010-09-12T21:01:54.810

1

To set up your key files correctly (How-To here), note the following:

In case your host .ssh directory and files don't have the right permissions AND / OR your remote user home directory doesn't have the right permissions, ssh will keep asking for a password although it finds the key file.

You can see if your key file / files are being offered using ssh -vvv user@host

Example output:

debug1: Offering DSA public key: /Users/<user>/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Check both the remote user's home directory and the remote .ssh directory permissions.

For example, the permissions should be:

$ ls -ld .ssh
drwx------ 2 <owner> <group> 4096 2011-12-29 20:39 .ssh

$ ls -ld ~/
drwxr-xr-x 28 <owner> <group> 4096 2011-12-29 20:15 /home/<user>/

eyalto

Posted 2010-09-12T19:27:39.027

Reputation: 11
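
The permission check described in the answer above, as an added example that is not part of the original post: a script to run on the server as the login user. It assumes OpenSSH sshd with StrictModes at its default and uses the modes listed in that answer (home not group/other-writable, .ssh owner-only); `mode_of`, `check_path` and `check_ssh_perms` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumption: the server runs
# OpenSSH sshd with StrictModes at its default (yes), so key login is refused
# when the home directory, ~/.ssh or authorized_keys is too permissive.

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_path PATH MASK: fail if PATH is missing or has any MASK bit set.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING   $1"
        return 1
    fi
    m=$(mode_of "$1") || return 1
    if [ $(( 0$m & $2 )) -ne 0 ]; then
        echo "TOO OPEN  $m $1"
        return 1
    fi
    echo "ok        $m $1"
}

# check_ssh_perms HOME_DIR: returns 0 if all three paths pass, 1 otherwise.
check_ssh_perms() {
    rc=0
    check_path "$1" 022 || rc=1                       # home: no group/other write
    check_path "$1/.ssh" 077 || rc=1                  # .ssh: owner only (drwx------)
    check_path "$1/.ssh/authorized_keys" 022 || rc=1  # key list: no group/other write
    return $rc
}

# Usage on the server, as the login user: sh check_ssh_perms.sh "$HOME"
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

A "TOO OPEN" line on the home directory or authorized_keys is cleared with `chmod go-w`, and one on .ssh with `chmod 700`.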

-1

The article How to set up keyfile-based SSH Logins explains the problem and the solution:

when you're on system A and type "ssh username@B", system B will check to see if the key corresponding to your system A "id_dsa" file is among those known to your user (i.e., it is in the authorized_keys file in your user's .ssh subdirectory). If it is, it won't ask for a system password, it will ask for the key's associated passphrase, which means that if you've set it up with no passphrase, you're on without having to type anything.

See the article for detailed instructions.

harrymc

Posted 2010-09-12T19:27:39.027

Reputation: 306 093