1

I'm trying to log into a server with a different user. The user's name on the server is gitquery. I used ssh-keygen to create these files locally:

/opt/gitquery/gitquery-rsa
/opt/gitquery/gitquery-rsa.pub

Then I copied the public key onto the server:

scp /opt/gitquery/gitquery-rsa.pub [email protected]:~/.ssh/authorized_keys

According to other questions on StackOverflow, the usual problem is the permissions, so I made sure they're correct:

gitquery@someserver:~/.ssh$ ls -al
total 20
drwx------ 2 gitquery gitquery 4096 Jul 27 10:19 .
drwxr-xr-x 4 gitquery gitquery 4096 Jul 27 10:08 ..
-rw------- 1 gitquery gitquery  403 Jul 27 10:07 authorized_keys
-rw------- 1 gitquery gitquery 1766 Jul 27 09:38 id_rsa
-rw-r--r-- 1 gitquery gitquery  397 Jul 27 09:38 id_rsa.pub

When I'm trying to connect to the server, it still prompts for password! Here's the verbose output:

$ ssh -vvv -i /opt/gitquery/gitquery-rsa [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to someserver.company.com [#.#.#.#] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/opt/gitquery/gitquery-rsa" as a RSA1 public key
debug1: identity file /opt/gitquery/gitquery-rsa type 1
debug1: identity file /opt/gitquery/gitquery-rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "someserver.company.com" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
debug3: load_hostkeys: loading entries for host "someserver.company.com" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "##.##.##.##" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'someserver.company.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /opt/gitquery/gitquery-rsa (0x7f648f0d2230), explicit
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /opt/gitquery/gitquery-rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
debug3: sign_and_send_pubkey: RSA ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
debug1: key_parse_private2: missing begin marker
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/opt/gitquery/gitquery-rsa':

Strange: The verbose output says 'Incorrect RSA1 identifier' although I created the keys with ssh-keygen. The server accepts the key, but then the local key_parse returns an error. What's going on?

Improve this question
5
  • the error is normal stackoverflow.com/questions/12449626/…
    – lex
    Commented Jul 27, 2015 at 10:12
  • 2
    your issue is "Enter passphrase for key". Nothing wrong actually. Consider using ssh-agent or just remove the passphrase. help.github.com/articles/working-with-ssh-key-passphrases
    – lex
    Commented Jul 27, 2015 at 10:15
  • You're wrong. The whole idea behind the authorized_keys file is to allow login without password. See ssh's man page, look for this: 'After this, the user can log in without giving the password.'
    – digory doo
    Commented Jul 27, 2015 at 11:09
  • the whole idea behind authorized_keys is that you don't need to input the server password, this is different from the passphrase for the private key, which is an extra but optional layer of security -- and thats your exact problem in OP. Please take a moment to read the github link again.
    – lex
    Commented Jul 27, 2015 at 20:07
  • OK, you're right.
    – digory doo
    Commented Jul 27, 2015 at 20:26

1 Answer 1

Reset to default
1

The best-practice method for copying public keys to remote servers is by using ssh-copy-id.

ssh-copy-id [-i [identity_file]] [user@]machine

I would suggest to delete the created authorized_keys files and copy over your key again with ssh-copy-id.

ssh-copy-id -i /opt/gitquery/gitquery-rsa gitquery@company

During key generation you just have to press enter when ssh-keygen asks you for a password if you want password-less login 

Enter passphrase for key '/opt/gitquery/gitquery-rsa':
Improve this answer
3
  • I moved away the authorized_keys file and used ssh-copy-id to reinstall it as you suggested. A new authorized_keys file was created in the .ssh file, but diff tells me that the old and new file are exactly the same. Ssh without having to give the password still doesn't work. :(
    – digory doo
    Commented Jul 27, 2015 at 11:15
  • Could it be that you provided a password during the creation of the key pair? You just have to press enter when ssh-keygen asks you for a password if you want password-less login Enter passphrase for key '/opt/gitquery/gitquery-rsa':
    – cakuzo
    Commented Jul 27, 2015 at 11:20
  • Oops! That was it! Silly me! Write this as an answer, then I'll accept it...
    – digory doo
    Commented Jul 27, 2015 at 11:24

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .