7

Here are the steps I did on my local computer:

ssh-keygen -t rsa
cat ~/.ssh/id_rsa | ssh root@remotehost.com -p 1234 "cat > ~/.ssh/authorized_keys"

When I do a ssh root@remotehost.com -p 1234 it still asks for the password :o

root@remotehost.com's password:

Why is it so? I already added it to the authorized keys but it still asks for the password. sshd_config:

Port 1234
Protocol 2
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Here's the result with -vvv:

$ ssh root@remotehost.com -p 1234 -vvv
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug2: ssh_connect: needpriv 0
debug1: Connecting to remotehost.com [12.123.123.123] port 1234.
debug1: Connection established.
debug1: identity file /c/Documents and Settings/user/.ssh/identity type -1
debug3: Not a RSA1 key file /c/Documents and Settings/user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /c/Documents and Settings/user/.ssh/id_rsa type 1
debug1: identity file /c/Documents and Settings/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour1
28,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-c
tr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour1
28,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-c
tr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 519/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [12.123.123.123]:1234
debug3: put_host_port: [remotehost.com]:1234
debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ss
h/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ss
h/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '[remotehost.com]:1234' is known and matches the RSA host key.
debug1: Found key in /c/Documents and Settings/user/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /c/Documents and Settings/user/.ssh/identity (0x0)
debug2: key: /c/Documents and Settings/user/.ssh/id_rsa (0xa01a418)
debug2: key: /c/Documents and Settings/user/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mi
c,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-m
ic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Documents and Settings/user/.ssh/identity
debug3: no such identity: /c/Documents and Settings/user/.ssh/identity
debug1: Offering public key: /c/Documents and Settings/user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mi
c,password
debug1: Trying private key: /c/Documents and Settings/user/.ssh/id_dsa
debug3: no such identity: /c/Documents and Settings/user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@remotehost.com's password:
Jürgen Paul
  • could you try again with `-vvv` and post the results back? This would make the command to connect: 'ssh root@remotehost.com -p 1234 -vvv' – Bart De Vos Jun 29 '12 at 23:04
  • Did you remember to do `ssh-add ~/.ssh/id_rsa` on the local computer? – Thor Jun 29 '12 at 23:17
  • @Thor `Could not open a connection to your authentication agent.` – Jürgen Paul Jun 29 '12 at 23:34
  • Run `ssh-agent > ~/.ssh/agent.vars` and `source ~/.ssh/agent-vars`, (alternatively use [`keychain`](http://www.gentoo.org/doc/en/keychain-guide.xml)) then `ssh-add` will work. – Thor Jun 29 '12 at 23:43
  • file `agent-vars` doesn't exist. I'm using Windows xp and msysgit bash as the command line. – Jürgen Paul Jun 29 '12 at 23:46

4 Answers

12

~/.ssh must be chmod 700 and ~/.ssh/authorized_keys must be chmod 600. Both must be owned by you.

SSH will silently fall back on password login if those files/directories are more permissive although, from memory, it does log something about a "bad mode".

Also, check that ~/.ssh/authorized_keys actually contains something. I have a feeling that command may have created an empty file. The one I think you want is:

cat ~/.ssh/id_rsa.pub | ssh root@remotehost.com -p 1234 "cat - > ~/.ssh/authorized_keys"
Ladadadada
  • I tried to do [these commands](http://pastebin.com/iDF3T3F9), but it still asks for the password. I also did turn `UsePAM yes` to no. – Jürgen Paul Jun 29 '12 at 23:35
  • 600 is for the paranoid, ssh is happy with 644 – user9517 Jun 29 '12 at 23:36
  • I just included the `-vvv` result as well, I hope it helps resolve the problem. – Jürgen Paul Jun 29 '12 at 23:40
  • The permissions things are all true, but the root cause is uploading the private rather than public key. All the multiple incorrect lines will need to be stripped out of authorized_keys – Bron Gondwana Jun 30 '12 at 18:36
  • @Ladadadada It's been a while and I still can't get it to work, I chmodded the files and `chown -R root:root ~/.sssh`. Here's the debug output: http://pastebin.com/GnZZDY1e – Jürgen Paul Jul 14 '12 at 13:36
  • I also can assure that the content of `~/.ssh/id_rsa.pub` == `~/.ssh/authorized_keys` – Jürgen Paul Jul 14 '12 at 13:43
7

As Ladadadada noted, you have:

cat ~/.ssh/id_rsa | ssh root@remotehost.com -p 1234 "cat > ~/.ssh/authorized_keys"

This is copying out your private/public key pair to the authorized_keys file. Your authorized_keys file on the server should not have the private key. I would suggest the following:

  • Delete the authorized_keys file on the remote system entirely.
  • Temporarily change the permissions to .ssh to make it writeable if it hasn't already been done.
  • On your local system, navigate to the .ssh directory and ensure you have an id_rsa and id_rsa.pub file. The ssh-keygen command should have created both files for you.
  • Execute the command Ladadadada provided:

cat ~/.ssh/id_rsa.pub | ssh root@remotehost.com -p 1234 "cat - > ~/.ssh/authorized_keys"

Note: this should write your public key to the authorized_keys file. Double check to make sure your local copy of id_rsa.pub matches the key in the authorized_keys file.

The content of your id_rsa.pub key will look similar to (clipped a portion for brevity):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLrS9t0lEdxk52v8Jt/EJMNm9::::clipped:::::wu1WzNCvrkUDnqS/aQZJ4rR4J+GoMLxP2NT you@somehostname

This key, id_rsa.pub, should match the ssh key in the known_hosts file.

edited: fixed an error in a filename. I upvoted Ladadadada's answer because he caught the issue but I don't think it was picked up on by the OP

colson
  • That's a good spot. Even after the changes I suggested, uploading the private key instead of the public key still won't work. – Ladadadada Jun 30 '12 at 20:40
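
The two server-side checks raised in the answers above (permissions on ~/.ssh and authorized_keys, and whether the file holds a public key rather than the private key) can be run in one pass. This is an added example, not code from any poster; the function name `audit_authorized_keys` and the sample key material are constructed for illustration, and the key match is a shape check (key type followed by a base64 blob starting with `AAAA`), not a full parser.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file.
# Prints one finding per problem; exit status 0 means nothing was flagged.
audit_authorized_keys() (              # subshell body keeps variables local
    file=$1; rc=0; n=0
    # sshd StrictModes rule: neither the directory nor the file may be
    # writable by group or others (characters 6 and 9 of the ls mode string).
    for p in "$(dirname "$file")" "$file"; do
        perm=$(ls -ld "$p") || exit 2
        case $perm in
            ?????w*|????????w*) echo "MODE ${perm%% *} $p"; rc=1 ;;
        esac
    done
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) ;;                                  # blank or comment
            *-----BEGIN*PRIVATE\ KEY-----*)
                echo "PRIVATE line $n: private key material"; rc=1 ;;
            *ssh-rsa\ AAAA*|*ssh-dss\ AAAA*|*ssh-ed25519\ AAAA*|*ecdsa-sha2-nistp*\ AAAA*)
                ;;                                       # looks like a public key
            *)  echo "NOTKEY line $n"; rc=1 ;;           # e.g. PEM body lines
        esac
    done < "$file"
    exit "$rc"
)

# Constructed sample reproducing the mistake in the question: the contents of
# id_rsa (placeholder body, not a real key) written to authorized_keys.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/authorized_keys"
chmod 600 "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir/authorized_keys" || echo "exit status $?"
rm -rf "$demo_dir"
```

Each `NOTKEY` line corresponds to one of the `key_read: missing whitespace` messages a parser emits for the PEM body; all flagged lines have to be removed from the file, not just the `BEGIN` line.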
1

TL;DR

On Client side:

  • open configuration file /etc/ssh/ssh_config;
  • here look for PreferredAuthentications;
  • make sure password comes after publickey and not vice versa

In my case password was written before publickey, so ssh would prompt me for password even though I had copied my pub_key onto server.

This problem can be found out easily using verbose:

ssh -v compute@compute1
...
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

As you can see password is chosen before trying to use publickey.

Edit /etc/ssh/ssh_config by moving password after publickey

PreferredAuthentications keyboard-interactive,publickey,password,hostbased,gssapi-with-mic

Now you can log in without being prompted for pwd.

StefTN
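
The verbose output can separate the client-side case in this answer (publickey never attempted) from the server-side case in the question (key offered, then refused). This is an added example, not code from any poster; the function name `diagnose_ssh_log` and its verdict labels are made up here, and the sample lines are excerpted from the question's `-vvv` log.

```shell
#!/bin/sh
# Added example (not from the thread): read `ssh -v` client output on stdin
# and print one verdict explaining why the session reached the password prompt.
diagnose_ssh_log() {
    awk '
        /Next authentication method: publickey/ { tried = 1 }
        /Offering (RSA )?public key:/            { offered = 1 }
        /Server accepts key/                     { accepted = 1 }
        /Next authentication method: password/   { password = 1 }
        END {
            if (!password)      print "no-password-fallback"
            else if (!tried)    print "publickey-not-tried"    # client preference order
            else if (!offered)  print "no-key-offered"         # no usable identity file
            else if (!accepted) print "server-rejected-key"    # authorized_keys content or modes
            else                print "key-accepted-then-failed"
        }
    '
}

# Excerpt of the question's log (lines as posted, re-joined where wrapped).
diagnose_ssh_log <<'EOF'
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Documents and Settings/user/.ssh/identity
debug3: no such identity: /c/Documents and Settings/user/.ssh/identity
debug1: Offering public key: /c/Documents and Settings/user/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
EOF
```

A `server-rejected-key` verdict means the client did its part, so the next place to look is the server's authorized_keys file and the sshd log, not the client configuration.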
0

Based on the output I think you need to check on the format of your key. Check out these sites if you're unsure:

http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter8.html

http://www.ietf.org/rfc/rfc4716.txt

ceskib