public key always asking for password and keyphrase

19

7

I am trying to SSH from a NAS to a webserver using a public key. NAS user is 'root' and webserver user is 'backup'

I have all permissions set correctly and when I debug the SSH connection I get: (last little bit of the debug)

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /root/.ssh/id_dsa.pub
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_dsa.pub':

I am using the command:

ssh -v -i /root/.ssh/id_dsa.pub backup@webserver.com

The fact that it is asking for a passphrase is a good sign surely, but I do not want it to prompt for this or a password (which comes afterwards if I press 'return' on the passphrase).

Andrew Atkinson

Posted 2012-11-20T21:30:11.427

Reputation: 305

Answers

24

That's because your private key is encrypted...

You can add your key to an ssh agent using ssh-add or remove the passphrase (and with it the encryption) from the key using the following command:

ssh-keygen -p -f /root/.ssh/id_dsa -N ''


EDIT

Oh, I just realized that you are trying to use your public key to authenticate... You want to use the private key there:

ssh -v -i /root/.ssh/id_dsa backup@webserver.com

And just to make absolutely sure, the content of the file id_dsa.pub goes into ~backup/.ssh/authorized_keys on the webserver. You can use the following command to do that automatically:

ssh-copy-id -i /root/.ssh/id_rsa.pub backup@webserver.com

andrekeller

Posted 2012-11-20T21:30:11.427

Reputation: 806

Fact that I was using my pub to authenticate (a stupid mistake) was the issue. Thanks! – Qix - MONICA WAS MISTREATED – 2014-08-07T17:55:53.730

Still get the issue. It did work and gave me 'your identification has been saved with the new passphrase', but then it still asks for a passphrase the next time I try to log in. I'm not sure what else to try... – Andrew Atkinson – 2012-11-20T21:52:32.173

check my updated answer... maybe that helps... – andrekeller – 2012-11-20T22:15:48.163

Thank you, it seems I was possibly trying to compare the public key to the public key... I did not need to remove the passphrase. – Andrew Atkinson – 2012-11-20T22:25:40.993
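The mix-up in this thread (passing id_dsa.pub to -i, plus a private key that may or may not be passphrase-protected) can be told apart by looking at the file itself. The following is an added example, not code from the answer above: a small classifier for the file handed to `ssh -i`. It recognises a public-key line by its key-type prefix, a traditional PEM private key (the id_dsa format in the question) by its BEGIN line and the `Proc-Type: 4,ENCRYPTED` header, and a new-style OpenSSH private key by decoding its header, where the documented layout is the magic `openssh-key-v1\0` followed by the cipher and KDF names (`none` means unencrypted). The sample key files at the bottom are constructed stand-ins with placeholder bodies, not real key material; the `make_openssh_private_key` helper builds only the header fields the classifier reads.

```python
import base64
import struct

# Added example (not from the original answer): classify the file handed to
# `ssh -i`, to catch the two situations the thread describes: passing the .pub
# file instead of the private key, and a private key protected by a passphrase.

PUBLIC_PREFIXES = ("ssh-rsa ", "ssh-dss ", "ssh-ed25519 ", "ecdsa-sha2-")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Decode one SSH wire-format string at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_key(text):
    """Return one of: 'public', 'private-unencrypted', 'private-encrypted', 'unknown'."""
    text = text.strip()
    if text.startswith(PUBLIC_PREFIXES):
        return "public"
    first_line = text.splitlines()[0] if text else ""
    if first_line == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: the header names the cipher and KDF; "none" for
        # both means the key material is stored in the clear.
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        if cipher == b"none" and kdf == b"none":
            return "private-unencrypted"
        return "private-encrypted"
    if first_line == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "private-encrypted"  # PKCS#8 encrypted form is always passphrase-protected
    if first_line.startswith("-----BEGIN") and first_line.endswith("PRIVATE KEY-----"):
        # Traditional PEM (id_dsa / id_rsa as in the thread): an encrypted key
        # carries a "Proc-Type: 4,ENCRYPTED" header line after the BEGIN line.
        if "Proc-Type: 4,ENCRYPTED" in text:
            return "private-encrypted"
        return "private-unencrypted"
    return "unknown"


ADVICE = {
    "public": "this is the public key; point -i at the private key (id_dsa, not id_dsa.pub)",
    "private-encrypted": "private key is passphrase-protected; load it with ssh-add or strip the passphrase with ssh-keygen -p",
    "private-unencrypted": "private key without passphrase; if ssh still asks for a password, check authorized_keys on the server",
    "unknown": "not an OpenSSH key file; convert it (for example from PuTTY format) first",
}


def diagnose(text):
    """Return (classification, one-line advice) for the given key file content."""
    kind = classify_key(text)
    return kind, ADVICE[kind]


# --- constructed sample inputs (placeholder bodies, not real keys) ---------

def make_openssh_private_key(cipher, kdf):
    """Build a minimal OpenSSH-format private key file containing only the header
    fields the classifier reads (magic, ciphername, kdfname). Not a usable key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PUBLIC = "ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderBlob= root@nas\n"
SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN DSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END DSA PRIVATE KEY-----\n"
)
SAMPLE_PEM_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\ncGxhY2Vob2xkZXI=\n-----END DSA PRIVATE KEY-----\n"
SAMPLE_PUTTY = "PuTTY-User-Key-File-2: ssh-dss\nEncryption: none\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PUBLIC
    print(*diagnose(text), sep=": ")
```

Run it with the path you would pass to `-i`; for the question's command it reports `public`, which is the one-word explanation of the passphrase prompt in the debug output.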

7

This happened to me when the private key I had was not in OpenSSH format.

I originally generated my key on Windows using PuTTYgen and was getting bounced with this same thing.

I was able to fix it by loading the key in PuTTYgen and clicking "Conversions" to get it to OpenSSH format.

Locane

Posted 2012-11-20T21:30:11.427

Reputation: 311

2

There are a few things.

Primarily, if the KEY is asking for a password, the key was generated with it. Secondly, if the system is prompting for a password after, then the key is not authenticating. Meaning, you will need to regenerate your SSH key (or change it as suggested by @rbtux) and fix the authorized_keys files.

ssh-keygen -t {dsa|rsa} -b {1024|2048|4096} -C "optional comment" -f id_examplekey

The items in curly brackets are options, type and bit size (to state the obvious: dsa > rsa, 4096 > 1024, in terms of "security").

Then you need to add the public key (.pub) to the authorized_keys and authorized_keys2 files (it's a common misconception to say the .pub is for local use; however, it is intended to be compared against). So, in the server's .ssh folder:

$ cat id_examplekey.pub >> authorized_keys{,2}

Then on your end, you should make sure the key permissions are chmod 600 id_example, and to alleviate typing all that, you can set up the config file ~/.ssh/config on your local box (this is a skeleton; you can customize it a ton):

Host example.com
    User WHATEVERNAME
    IdentityFile ~/.ssh/id_examplekey

nerdwaller

Posted 2012-11-20T21:30:11.427

Reputation: 13 366

You write "Primarily, if the KEY is asking for a password, the key was generated with it. " <-- yeah though I just tested what the questioner did, so, doing -i with public key $ ssh user@comp -i ~/.ssh/id_rsa.pub and it said wrong permissions and private key will be ignored .. so I changed permissions to 600 like id_rsa would be, and it asked for a passphrase. So, indeed, it will then ask for a passphrase if you specify the public key, even though both the public key and the private key were not generated with a passphrase – barlop – 2014-10-13T05:09:57.037

But the section in the debug which reads "debug1: Server accepts key: pkalg ssh-dss blen 433", does this not mean that the key has been accepted? I have recreated it again with no passphrase, still the same. I am out of ideas. Thank you – Andrew Atkinson – 2012-11-20T22:09:45.053

@AndrewAtkinson Looks like you got it below. You need the private key on the from machine (local, client, whatever) and the public.pub key added to the authorized_keys files. My other suggestions should help save you time :D Good luck! – nerdwaller – 2012-11-20T22:27:20.240
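The answer above says the .pub file is "intended to be compared against", and the usual way a key fails to authenticate (so ssh falls back to a password prompt) is that the server's authorized_keys does not actually contain it. The following is an added example, not code from the answer: it parses public-key and authorized_keys lines (including lines that start with options such as `from="..."`), compares the decoded key blobs rather than the raw text, so a different comment or added options do not hide a match, and prints the SHA256 fingerprint in the form `ssh-keygen -l` shows so you can compare against the server by eye. The sample keys are constructed with placeholder payloads (a correct wire-format blob whose first string is the key type, but no real key material); the helper `_fake_pubkey_line` exists only to build them.

```python
import base64
import binascii
import hashlib
import struct

# Added example (not from the original answer): check whether a given .pub file
# is actually present in the server's authorized_keys, comparing the decoded key
# blob rather than the raw line, so differing comments or options do not matter.

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Parse a public-key / authorized_keys line into (keytype, blob, comment).
    Lines may start with options (from="...",no-pty,...), so scan for the first
    token that is a key type. Returns None for comments, blanks and junk.
    Simplification: options containing quoted spaces are not handled."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            # The blob's first wire string must repeat the key type.
            if len(blob) < 4:
                return None
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != tok.encode():
                return None
            return tok, blob, " ".join(parts[i + 2:])
    return None


def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_is_authorized(pubkey_text, authorized_keys_text):
    """True if the key blob from pubkey_text appears in authorized_keys_text."""
    wanted = parse_pubkey_line(pubkey_text)
    if wanted is None:
        raise ValueError("pubkey_text is not a valid public key line")
    for line in authorized_keys_text.splitlines():
        entry = parse_pubkey_line(line)
        if entry is not None and entry[1] == wanted[1]:
            return True
    return False


# --- constructed sample keys (payloads are not real key material) ---------

def _fake_pubkey_line(keytype, payload, comment):
    blob = _ssh_string(keytype.encode()) + _ssh_string(payload)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


NAS_KEY = _fake_pubkey_line("ssh-dss", b"nas-key-material", "root@nas")
OTHER_KEY = _fake_pubkey_line("ssh-rsa", b"other-key-material", "someone@else")

# Same blob as NAS_KEY, but with a different comment and restricted by options.
AUTHORIZED_KEYS = "\n".join([
    "# keys for the backup account (constructed sample)",
    OTHER_KEY,
    'from="10.0.0.5",no-pty ' + NAS_KEY.replace("root@nas", "nas backup job"),
    "",
])

if __name__ == "__main__":
    print("fingerprint:", fingerprint(parse_pubkey_line(NAS_KEY)[1]))
    print("authorized:", key_is_authorized(NAS_KEY, AUTHORIZED_KEYS))
```

To use it on real files, read the client's .pub and the server's authorized_keys into the two strings; a `False` result means the server-side step of the procedure above is what still needs fixing, whatever the key file on the client looks like.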

2

For me, since the key itself was encrypted, I followed these steps:

  • Start ssh-agent: $ ssh-agent bash
  • Add standard identity key to the key manager: $ ssh-add
  • If you want to add a different key, then: $ ssh-add /location/of/key

To inspect at any time, the list of currently loaded keys:

$ ssh-add -l

More details can be obtained from this link

Sibi

Posted 2012-11-20T21:30:11.427

Reputation: 691

1

It could be because you are using a DSA pubkey which is disabled by default in OpenSSH v7.

If you cannot change the key pair, a possible workaround would be to tell your SSH daemon at webserver.com to accept those key types by updating /etc/ssh/sshd_config or equivalent, adding the following line:

PubkeyAcceptedKeyTypes=+ssh-dss

and then restarting the service:

/etc/init.d/ssh restart                     # or equivalent

mosh442

Posted 2012-11-20T21:30:11.427

Reputation: 111

1

Try https://wiki.gentoo.org/wiki/Keychain

It is a kind of wrapper around ssh-agent and ssh-add.

Pros: No need to input the password repeatedly as long as you don't reboot. Could be used in crontab.

It might help.

Gon

Posted 2012-11-20T21:30:11.427

Reputation: 111

0

On Mac OS X you can add your private key to the keychain using the command:

ssh-add -K /path/to/private_key

If your private key is stored at ~/.ssh and is named id_rsa:

ssh-add -K ~/.ssh/id_rsa

You will then be prompted for your password, which will be stored in your keychain.

Groot

Posted 2012-11-20T21:30:11.427

Reputation: 101

What do I need to do on Linux client if Mac client works? – bbaassssiiee – 2017-03-07T14:24:00.877