#1 2016-06-10 08:46:46

archfluke
Member
Registered: 2016-06-08
Posts: 39

[SOLVED] openssh still asks for pw when launching ssh session

Hello, I'm running Archlinux as an ssh client and have been having convenience issues.  I'll get the tl;dr version out of the way:

I find this behavior with openssh:

[admin@Arch .ssh]$ ssh server1
Enter passphrase for key '/home/admin/.ssh/server1': 
client@server1's password: 

vs

when I use putty:

Using username "client".
Authenticating with public key "rsa-key-2016-06-01"
Last login: Mon Jun 6 15:49:56 2016

I have been running putty on Archlinux with no issues with logging in using my private key.  However, I've never successfully been able to use openssh to log into a server from Archlinux and have been puzzled by how I'm always prompted for both the passphrase and the password when my objective is to use ssh as a relatively secure means of logging on without a password.  Again, I'm able to achieve this balance between convenience and mild security using putty as my client on Archlinux but openssh has been a nightmare while I'm sure it doesn't have to be one.

I followed the wiki's advice and set up the ~/.ssh/config as follows:

Host server1
	Hostname server1
	Port	 22
	IdentityFile ~/.ssh/server1
	User client

Host 192.168.2.1
	Hostname 192.168.2.1
	Port	22
	User	root

I also set up the permissions to 700 for the .ssh folder, the key file and authorizedKeys2.
I reviewed non-Arch-related sites in hopes that my problem isn't unique to ArchLinux, but a protracted understanding of how ssh clients work such as here and here.  Any help would be much appreciated!

Last edited by archfluke (2016-06-13 01:03:32)

#2 2016-06-10 15:07:05

JohnBobSmith
Member
From: Canada
Registered: 2014-11-29
Posts: 804

Re: [SOLVED] openssh still asks for pw when launching ssh session

The most simple of solutions would be to ensure your individual keys do not have passwords on them. If you are reasonably confident that no one will break into your PC/steal it you should theoretically never need a password on each individual key. The second step is to outright disable password authentication in the SSH config. I don't have any functioning boxes with SSH on them currently, but I have used it many times in the past. Always cite the wiki above my answer here (because I can't readily confirm it), but try editing /etc/sshd/config (or whatever the path is) and looking for something like AllowPasswordAuthentication and make it set to No. Just be sure to have the SSH keys completely functional.

For what it's worth: https://wiki.archlinux.org/index.php/SSH_keys and https://wiki.archlinux.org/index.php/Secure_Shell

Good luck!


I am diagnosed with bipolar disorder. As it turns out, what I thought was my greatest weakness is now my greatest strength.

Every day, I make a conscious choice to overcome my challenges and my problems. It's not easy, but it's better than the alternative...

#3 2016-06-10 15:54:07

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,774

Re: [SOLVED] openssh still asks for pw when launching ssh session

Are you sure those are the same keys?
Does running it with the -v option provide any insight?

Also, it appears that your ssh server is configured to try to use keys, and then fail over to passwords.  So, when your pass phrase fails to unlock your key, you fail over to using passwords.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

#4 2016-06-11 06:24:18

archfluke
Member
Registered: 2016-06-08
Posts: 39

Re: [SOLVED] openssh still asks for pw when launching ssh session

JohnBobSmith: That's right. The keys do not have any passphrases at this point as I figured that I would get serious once I hit the milestone of logging on.  Hopefully, that method actually simplifies rather than complicates the process.  Thanks for making the links to the wiki more visible for posterity as I realized that I'm "burying the headline" so to speak behind an a tag.

ewaller: I believe they're the same key, which I could only confirm by matching their paths as being "/home/admin/.ssh/server1.ppk".  This time, I had generated an ed25519 key pair and added them by using the ssh-add method described in the wiki.  Running the openssh -v yielded the following:

OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/admin/.ssh/config
debug1: /home/admin/.ssh/config line 2: Applying options for server1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to server1 [192.168.2.1] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/server1.pub type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/admin/.ssh/server1.pub-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version dropbear_2014.66
debug1: no match: dropbear_2014.66
debug1: Authenticating to server1:22 as 'client'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:Ls8pX12RKsYJWbbvKmhcf/odoK8yq0JEZzBEYDPGMNE
debug1: Host 'server1' is known and matches the ECDSA host key.
debug1: Found key in /home/admin/.ssh/known_hosts:5
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/admin/.ssh/server1.pub
debug1: Server accepts key: pkalg ssh-rsa blen 149
Enter passphrase for key '/home/admin/.ssh/server1.pub': 
debug1: Next authentication method: password
client@server1's password: 
debug1: Authentication succeeded (password).
Authenticated to server1 ([192.168.2.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network

I also had forgotten to mention that the server is an Asus ac68u router, with the Merlin fork of the AsusWRT firmware installed, which may mean that I'm stuck with dropbear?  Also, the public key is visible on the webui but a grep for a string from the key yielded nothing.  I poked around the dropbear keys folder (etc/dropbear): dropbear_dss_host_key  dropbear_ecdsa_host_key  dropbear_rsa_host_key, which might have been generated by the public key I entered in the webui but don't appear to be text keys as I see nothing resembling the public key I pasted in the webui for the router.

The two wiki links that JohnBobSmith posted above had been my key resources for learning about SSH, but I'm still confused about how it works.  Namely, if I have client1(openssh) and client2(openssh) connect to a server(dropbear), will the public key simply be one merged file with the contents of the public keys generated for each client or will there be two separate public files?  I wasn't sure how to read the wiki to find this information, but I think this has been one of the most burning questions that I've been asking without reading a textbook on SSH, that I imagine can be summed up pretty handily.  Clearly, my duckduckgo-fu still needs work.

I hope that this still works though.

Last edited by archfluke (2016-06-11 11:15:15)

#5 2016-06-11 14:59:20

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] openssh still asks for pw when launching ssh session

On the server that you're ssh'ing into, you've messed up the creds of user "admin", but user "client" is OK.

Why is it any more complicated than that?

If you specify the *username* in your SSH command, especially when debugging, things will be less confusing ;)

#6 2016-06-13 01:01:53

archfluke
Member
Registered: 2016-06-08
Posts: 39

Re: [SOLVED] openssh still asks for pw when launching ssh session

brebs: thanks for pointing that out.  What you said above got me to simply start from scratch: reinstall openssh, remove /etc/openssh and ~/.ssh and use the wiki above as my starting point.  I then did a comparison of the new private keys generated from openssh (ssh-keygen) and the keys I had, and I found that the old private keys looked like this:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20151122
Public-Lines: 4
AAAAB3NzaC1yc2EAAAABJQAAAIEA5ng0a6n71rnZXhEFwpSJVI1ZG5azndPDUlfJ
4E33kp2UhNsEqH5Uy3k7qNqalpgtUZZcNxDOanIF8eFRD4+xdhTn/0Wgaz6l73Yx
uwBmQcrUrJOhvjNioP4j4Kd9duHHEfKlapdoGo3rDhzDDoX7c0aqSc5m2RTuEX+N
qhLvJtE=
Private-Lines: 8
Private-MAC: HAAAAQQDnHjA1nUOU3VTKQWsz6n6TeHTKTbc

while my new ones look like this (altered):

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

And I then found a link that seems to corroborate my hunch that SSH RSA-2 keys are not immediately compatible: http://stackoverflow.com/questions/2224 … -pairs-use .

I previously had no issues with sharing the same public/private key pair that I had generated with puttygen.  And I had imagined the puttygen key really tosses a spanner in the works as the issue didn't go away even when I had appended openssh generated public keys with the puttygen generated ones, whereas every single appended openssh key on the server/router is picked up and honored.


This nightmarish experience definitely prompted me to review my assumptions about cross-compatibility despite seeing glaring overlaps such as both keys using the same encryption method.  I'm actually quite shocked at how difficult it was to find intel on this as I would've figured this to be better documented on the web.


Thanks again everyone!  I believe this is solved...for now. :)
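
Added example, not part of the original posts: the thread shows two files that ssh could not use as an IdentityFile, a `.pub` file (the `-v` output in #4) and a `PuTTY-User-Key-File-2` file (#6). The sketch below classifies a key file by its first line before it goes into `~/.ssh/config`; the function names `key_format` and `check_identity` and the sample files are constructed for illustration, and the suggested conversion uses puttygen's `-O private-openssh` output type.

```shell
# Added example (not from the thread): classify a key file by its first line.
key_format() {
    # $1: path to a key file; prints the container format as one word
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    IFS= read -r first < "$1" || [ -n "$first" ] || { echo "empty"; return 1; }
    first=$(printf '%s' "$first" | tr -d '\r')   # .ppk files may carry CRLF
    case "$first" in
        PuTTY-User-Key-File-*)                 echo "putty-ppk" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo "openssh-private" ;;
        "-----BEGIN PRIVATE KEY-----")         echo "pem-private" ;;
        "-----BEGIN "*" PRIVATE KEY-----")     echo "pem-private" ;;
        "---- BEGIN SSH2 PUBLIC KEY ----")     echo "rfc4716-public" ;;
        ssh-*|ecdsa-sha2-*)                    echo "openssh-public" ;;
        *)                                     echo "unknown" ;;
    esac
}

check_identity() {
    # Returns 0 only when the file is a private key format ssh(1) can load.
    fmt=$(key_format "$1") || true
    case "$fmt" in
        openssh-private|pem-private)
            echo "ok: $1 ($fmt)"; return 0 ;;
        putty-ppk)
            echo "convert: puttygen $1 -O private-openssh -o ${1%.ppk}" ;;
        *-public)
            echo "wrong file: $1 is a public key, IdentityFile needs the private half" ;;
        *)
            echo "not a usable private key: $1 ($fmt)" ;;
    esac
    return 1
}

# Constructed sample files (header lines only, no key material) for a dry run.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'PuTTY-User-Key-File-2: ssh-rsa\r\nEncryption: none\r\n' > "$demo/server1.ppk"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo/server1"
printf 'ssh-rsa AAAAB3NzaC1yc2E constructed-sample\n' > "$demo/server1.pub"
for f in "$demo/server1.ppk" "$demo/server1" "$demo/server1.pub"; do
    check_identity "$f" || true
done
```
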