2

I've used ssh before and password access from my new asus k53by laptop with a fresh 11.10 install to dev server works fine.

I wanted to set up key access for added security and ease of scripting and I did the following:

paul@paul-K53BY:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/paul/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/paul/.ssh/id_rsa.
Your public key has been saved in /home/paul/.ssh/id_rsa.pub.
The key fingerprint is:
7e:91:b2:2b:a9:bc:f8:11:d1:aa:ea:41:c5:1a:39:ff paul@paul-K53BY
paul@paul-K53BY:~/.ssh$ ssh-copy-id -i id_rsa.pub 10.1.1.28
paul@10.1.1.28's password:

Now try logging into the machine, with "ssh '10.1.1.28'", and check in:

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

paul@paul-K53BY:~/.ssh$ ssh 10.1.1.28
paul@10.1.1.28's password:

  • Everything seemed to work but I still needed to use the password. I also wanted a convenient handle for the server (without the hassle of DNS) so I set up ~/.ssh/config as follows:

    Host dev

HostName 10.1.1.28
PasswordAuthentication no
PubkeyAuthentication yes

  • ssh dev then failed:

    paul@paul-K53BY:~/.ssh$ ssh dev
Permission denied (publickey,password).

  • Switching password back on showed that ssh dev works fine still with the password.

    paul@paul-K53BY:~/.ssh$ ssh -vvv dev
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/paul/.ssh/config
debug1: Applying options for dev
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.1.1.28 [10.1.1.28] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/paul/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/paul/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/paul/.ssh/id_rsa-cert type -1
debug1: identity file /home/paul/.ssh/id_dsa type -1
debug1: identity file /home/paul/.ssh/id_dsa-cert type -1
debug1: identity file /home/paul/.ssh/id_ecdsa type -1
debug1: identity file /home/paul/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.1.1.28" from file "/home/paul/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/paul/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 500/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA eb:f9:56:b8:ae:b0:de:27:92:06:8f:ac:c1:43:e4:64
debug3: load_hostkeys: loading entries for host "10.1.1.28" from file "/home/paul/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/paul/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.1.1.28' is known and matches the RSA host key.
debug1: Found key in /home/paul/.ssh/known_hosts:1
debug2: bits set: 511/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/paul/.ssh/id_rsa (0xb9434eb0)
debug2: key: /home/paul/.ssh/id_dsa ((nil))
debug2: key: /home/paul/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/paul/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/paul/.ssh/id_dsa
debug3: no such identity: /home/paul/.ssh/id_dsa
debug1: Trying private key: /home/paul/.ssh/id_ecdsa
debug3: no such identity: /home/paul/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

All that output is telling me something but I'm not sure what. What have I done wrong and why can't I get this ssh by key to work?

There seem to be quite a few questions here about 11.10 ssh/key access issues but I could not see anything I could try anywhere that might solve this for me.

Jorge Castro
  • 71,754
Whippy
  • 751
  • 1
  • 7
  • 19

1 Answers1

2

Firstly,

debug3: Incorrect RSA1 identifier

debug3: Could not load "/home/paul/.ssh/id_rsa" as a RSA1 public key

debug2: key_type_from_name: unknown key type '-----BEGIN'

A public key does not start with the '-----BEGIN' words. Those are the words found in a private key.

Secondly, are you sure that this worked:

paul@paul-K53BY:~/.ssh$ ssh-copy-id -i id_rsa.pub 10.1.1.28

try:

ssh-copy-id 10.1.1.28

(this will default to ~/.ssh/id_rsa.pub. I am not sure if the complete path is required or not).

Thirdly, is your home folder on the server encrypted? If it is, then you need to physically log in on the server and keep this session open at all times. Then, when you ssh from your machine to the server, the ssh keys will be automatically used

Nitin Venkatesh
  • 22,221
rigved
  • 2,357
  • Tried ssh-copy-id 10.1.1.28 and it made no difference. I'm still always prompted for the password :( The information about the key is interesting though. It sounds like that might be the issue although I just copy pasted the standard instructions so I don't know what can have happened. – Whippy Dec 17 '11 at 22:51
  • 1
    is your home folder on the server encrypted? if it is, then you need to physically log in on the server and keep this session open at all times. Then, when you ssh from your machine to the server, the ssh keys will be automatically used. – rigved Dec 18 '11 at 07:51
  • @Whippy Does this answer solve your issues? If yes, please do accept the answer or if you already have solved your problem, add that as an answer and accept it. Thanks :) – Nitin Venkatesh Feb 29 '12 at 15:42
  • The home folder is not encrypted on either machine. – Whippy Apr 18 '12 at 05:54