-3

I have to set up public-key-based authentication between two Linux servers.

Machine 2 (192.168.3.132)

  • username: vfx_30
  • home dir: /home/vfx_30
  • ssh keys:
    • /home/vfx_30/.ssh/id_rsa
    • /home/vfx_30/.ssh/id_rsa.pub

Machine 1 (192.168.3.131)

The vfx_30 user's public key file is at /root/keys/vfx_30.pub (machine 2's /home/vfx_30/.ssh/id_rsa.pub was copied here).

I am not able to log in from machine 1 to machine 2 using the public key with the command below:

    ssh -v -i /root/keys/vfx_30.pub vfx_30@192.168.3.132

Please note that:

  1. There is no user named vfx_30 on machine 1; authorized_keys is not used here.
  2. I am using the -i parameter to pass the public key.
  3. I am running this command as the root user on machine 1.
  4. /etc/ssh/sshd_config:

    RSAAuthentication yes
    PubkeyAuthentication yes

Verbose log on machine 1

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.3.132 [192.168.3.132] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/keys/vfx_30.pub type 1
debug1: identity file /root/keys/vfx_30.pub-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.3.132' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Offering public key: /root/keys/vfx_30.pub
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
vfx_30@192.168.3.132's password: 

Audit log on machine 2 (/var/log/audit/audit.log)

type=CRYPTO_KEY_USER msg=audit(1407837882.656:3259): user pid=27704 uid=0 auid=0 ses=171 msg='op=destroy kind=server fp=e9:69:4f:ad:06:d9:cc:7e:bb:0a:7e:57:03:ea:24:a1 direction=? spid=27704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1407837882.656:3260): user pid=27704 uid=0 auid=0 ses=171 msg='op=destroy kind=server fp=56:f6:8d:7e:f3:33:c3:6c:f1:52:49:57:3a:9b:ed:d7 direction=? spid=27704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1407837882.656:3261): user pid=27703 uid=0 auid=0 ses=171 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=27704 suid=74 rport=59764 laddr=192.168.3.132 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1407837882.656:3262): user pid=27703 uid=0 auid=0 ses=171 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=27704 suid=74 rport=59764 laddr=192.168.3.132 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=USER_AUTH msg=audit(1407837882.704:3263): user pid=27703 uid=0 auid=0 ses=171 msg='op=pubkey acct="vfx_30" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=ssh res=failed'
Cristian Ciupitu
Srini Vasan

3 Answers

4

You can't connect with the public key.

The public key (id_rsa.pub) should be located on the server side, while the private key (id_rsa) should be located on the client side.

To install the key on Machine 2:

    cat id_rsa.pub >> /home/vfx_30/.ssh/authorized_keys  # sometimes this file is called authorized_keys2

And connecting from Machine 1:

    ssh -i id_rsa vfx_30@192.168.3.132
MadHatter
SteffenNielsen
0

You are trying to use the key backwards. You created a key pair, which could be used to make ssh connections from machine 2.

Next you are trying to establish a connection from machine 1, which has no key pair at all.

To make it work first create a key pair on machine 1. You can create it with ssh-keygen, just like you did on machine 2.

Optionally edit ~/.ssh/id_rsa.pub and put a date in the comment at the very end of the line. I find it useful to have a date there, such that anywhere I put the public key, I can see which version it is, in case I later have to rotate it.

Next take the contents of ~/.ssh/id_rsa.pub from machine 1 and append that to ~/.ssh/authorized_keys on machine 2. (Create the authorized_keys file in the process, if it did not exist already).

kasperd
0

In short, the ssh -i option should point to the private key file (usually "id_rsa").

    man ssh

    ... -i identity_file
        Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

Satalink
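The setup all three answers describe (private key handed to -i on the client, public key appended to authorized_keys on the server), as an added shell example that is not part of any answer on this page and not OpenSSH's own code. It checks what a file passed to -i actually is, refuses a private key whose permissions ssh itself would ignore, and installs a public key into authorized_keys once, with the directory and file modes sshd's StrictModes expects. Every path, the stand-in home directory and both key files are constructed for the demonstration; the key blobs are not real keys. The functions classify_key, identity_ok, install_authorized_key and count_authorized_keys are names chosen here, not ssh options.

```shell
#!/bin/sh
# Added example, not code from any answer above. Helpers that catch the two
# mistakes in the question: handing the .pub file to "ssh -i", and never
# installing that public key into the server user's authorized_keys.
# Every path and key below is constructed for the demo; the blobs are not keys.

# classify_key FILE: prints "private", "public" or "unknown" from the first line
classify_key() {
    first=$(head -n 1 "$1" 2>/dev/null) || { echo unknown; return 1; }
    case "$first" in
        "-----BEGIN "*" PRIVATE KEY-----")                      echo private ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"ssh-dss "*) echo public ;;
        *)                                                       echo unknown; return 1 ;;
    esac
}

# identity_ok FILE: succeeds only for a private key that ssh will actually use.
# ssh ignores a private key that is group- or world-readable ("Permissions ...
# are too open"), so the mode check is part of the test.
identity_ok() {
    [ "$(classify_key "$1")" = private ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case "$mode" in
        [0-7]00) return 0 ;;   # 600, 400, ...: no group/other bits set
        *)       return 1 ;;
    esac
}

# install_authorized_key PUBFILE HOMEDIR: append the key to HOMEDIR/.ssh/authorized_keys
# once (matching on key type + blob, ignoring the trailing comment), with the
# modes sshd's StrictModes requires: 700 for .ssh, 600 for authorized_keys.
install_authorized_key() {
    [ "$(classify_key "$1")" = public ] || return 1
    sshdir="$2/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    keyline=$(head -n 1 "$1")
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$ak" | grep -qxF "$keyid"; then
        printf '%s\n' "$keyline" >> "$ak"
    fi
}

# count_authorized_keys HOMEDIR: number of non-blank lines in authorized_keys
count_authorized_keys() {
    grep -c '[^[:space:]]' "$1/.ssh/authorized_keys" || true
}

# --- constructed demo inputs (not real keys) ---
DEMO=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL vfx_30@machine2' > "$DEMO/vfx_30.pub"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
              'MIIEowIBAAKCAQEAEXAMPLEPRIVATEKEYNOTREAL' \
              '-----END RSA PRIVATE KEY-----' > "$DEMO/id_rsa"
chmod 644 "$DEMO/vfx_30.pub" "$DEMO/id_rsa"   # a freshly copied private key often lands like this

# What the question did: -i pointed at the public key
identity_ok "$DEMO/vfx_30.pub" \
    || echo "refuse: $(classify_key "$DEMO/vfx_30.pub") key given to -i; ssh -i needs the private key"
# A private key with loose permissions is rejected until it is chmod 600
identity_ok "$DEMO/id_rsa" || echo "refuse: private key is group/world readable"
chmod 600 "$DEMO/id_rsa"
identity_ok "$DEMO/id_rsa" && echo "ok: ssh -i $DEMO/id_rsa vfx_30@192.168.3.132 would offer this key"
# Server side ($DEMO/home_vfx_30 stands in for /home/vfx_30): running it twice installs the key once
install_authorized_key "$DEMO/vfx_30.pub" "$DEMO/home_vfx_30"
install_authorized_key "$DEMO/vfx_30.pub" "$DEMO/home_vfx_30"
echo "authorized_keys entries: $(count_authorized_keys "$DEMO/home_vfx_30")"
```

Run against the question's files, identity_ok on /root/keys/vfx_30.pub fails immediately because the file is a public key, which is exactly the situation the verbose log shows: ssh offers the public key, but with no private key to prove possession, and no matching line in machine 2's authorized_keys, sshd records op=pubkey res=failed and falls back to password. The dedup in install_authorized_key compares only the key type and blob, so re-running it after editing the comment (as the second answer suggests, to date the key) does not create a duplicate entry.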