public key always asking for password and keyphrase

Question

I am trying to SSH from a NAS to a webserver using a public key. NAS user is 'root' and webserver user is 'backup'

I have all permissions set correctly and when I debug the SSH connection I get: (last little bit of the debug)

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /root/.ssh/id_dsa.pub
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_dsa.pub':

I am using the command:

ssh -v -i /root/.ssh/id_dsa.pub backup@webserver.com

The fact that it is asking for a passphrase is a good sign surely, but I do not want it to prompt for this or a password (which comes afterwards if I press 'return' on the passphrase)

andrekeller · Accepted Answer · 2012-11-20T22:27:10.343

Thats because your private key is encrypted...

You can add your key to an ssh agent using ssh-add or remove the passphrase (and with it the encryption) from the key using the following command:

ssh-keygen -p -f /root/.ssh/id_dsa -N ''

EDIT

Oh I just realized that you try to use your public key to authenticate... You want to use the private key there:

ssh -v -i /root/.ssh/id_dsa backup@webserver.com

And just to make absolutely sure, the content of the file id_dsa.pub goes into ~backup/.ssh/authorized_keys on the webserver. You can use the following command to do that automatically

ssh-copy-id -i /root/.ssh/id_rsa.pub backup@webserver.com

score 7 · Answer 2 · answered Feb 13 '15 at 02:32

This happened to me when the private key I had was not in OpenSSH format.

I originally generated my key on windows using PuttyGen and was getting bounced with this same thing.

I was able to fix it by loading the key in PuttyGen and clicking "Conversions" to get it to OpenSSH format.

score 3 · Answer 3 · answered Jul 22 '14 at 07:34

For me since the key itself was encrypted, I followed the following steps:

Start ssh-agent: $ ssh-agent bash
Add standard identity key to the key manager: $ ssh-add
If you want to add a different key, then: $ ssh-add /location/of/key

To inspect at any time, the list of currently loaded keys:

$ ssh-add -l

More details can be obtained from this link

score 2 · Answer 4 · answered Nov 20 '12 at 21:45

There are a few things.

Primarily, if the KEY is asking for a password, the key was generated with it. Secondly, if the system is prompting for a password after, then the key is not authenticating. Meaning, you will need to regenerate your SSH key (or change it as suggested by @rbtux) and fix the authorized_keys files.

ssh-keygen -t {dsa|rsa} -b {1024|2048|4096} -C "optional comment" -f id_examplekey

The items in curly brackets are options, type and bit size (To state the obvious: dsa > rsa, 4096 > 1024 - in terms of "security").

Then you need to add the public key (.pub) to the authorized_keys and authorized_keys2 files (it's a common misconception to say the .pub is for local use, however it is intended to be compared against) So in the server's .ssh folder.

$ cat id_examplekey.pub >> authorized_keys{,2}

Then on your end, you should make sure the key permissions are chmod 600 id_example and to alleviate typing all that, you can set up the config file: ~/.ssh/config on your local box (that is a skeleton, you can customize this a ton):

Host example.com
    User WHATEVERNAME
    IdentityFile ~/.ssh/id_examplekey

score 1 · Answer 5 · answered Aug 04 '16 at 11:47

It could be because you are using a DSA pubkey which is disabled by default in OpenSSH v7.

If you cannot change the key pair a possible workaround will be to tell your SSH daemon at webserver.com to accept those Key types, by updating /etc/ssh/sshd_config or equivalent adding the following line

PubkeyAcceptedKeyTypes=+ssh-dss

And then restarting the service

/etc/init.d/ssh restart                     # or equivalent

score 1 · Answer 6 · answered Oct 13 '14 at 04:50

1

try https://wiki.gentoo.org/wiki/Keychain

It is kind of a wrap on ssh-agent and ssh-add

Pros: No need to input the password repeatedly as long as you don't reboot. Could be used in crontab.

It might be help.

answered Oct 13 '14 at 04:50

Gon

111
2

score 0 · Answer 7 · answered Dec 14 '16 at 15:12

On Mac OSX you can add your private key to the keychain using the command:

ssh-add -K /path/to/private_key

If your private key is stored at ~/.ssh and is named id_rsa:

ssh-add -K ~/.ssh/id_rsa

You will then be prompted for your password, which will be stored in your keychain.

score 0 · Answer 8 · answered May 28 '21 at 18:24

0

Due to unaligned versions of OpenSSH and other oddities, you can try generating the key pair in the host you're trying to connect.

answered May 28 '21 at 18:24

ATorras

111

public key always asking for password and keyphrase

8 Answers8