19

I am trying to SSH from a NAS to a webserver using a public key. The NAS user is 'root' and the webserver user is 'backup'.

I have all permissions set correctly and when I debug the SSH connection I get: (last little bit of the debug)

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /root/.ssh/id_dsa.pub
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_dsa.pub':

I am using the command:

ssh -v -i /root/.ssh/id_dsa.pub [email protected]

The fact that it is asking for a passphrase is surely a good sign, but I do not want it to prompt for this or for a password (which comes afterwards if I press 'return' on the passphrase).

8 Answers

25

That's because your private key is encrypted...

You can add your key to an ssh agent using ssh-add or remove the passphrase (and with it the encryption) from the key using the following command:

ssh-keygen -p -f /root/.ssh/id_dsa -N ''


EDIT

Oh, I just realized that you are trying to use your public key to authenticate... You want to use the private key there:

ssh -v -i /root/.ssh/id_dsa [email protected]

And just to make absolutely sure, the content of the file id_dsa.pub goes into ~backup/.ssh/authorized_keys on the webserver. You can use the following command to do that automatically:

ssh-copy-id -i /root/.ssh/id_dsa.pub [email protected]
4
  • Still get the issue. It did work and granted me with 'your identification has been saved with the new passphrase', but then it still asks for a passphrase the next time I try to log in. I'm not sure what else to try... Commented Nov 20, 2012 at 21:52
  • Check my updated answer... maybe that helps... Commented Nov 20, 2012 at 22:15
  • Thank you, it seems I was possibly trying to compare the public key to the public key... I did not need to remove the passphrase. Commented Nov 20, 2012 at 22:25
  • The fact that I was using my pub to authenticate (a stupid mistake) was the issue. Thanks! Commented Aug 7, 2014 at 17:55
7

This happened to me when the private key I had was not in OpenSSH format.

I originally generated my key on Windows using PuTTYgen and was getting bounced with this same thing.

I was able to fix it by loading the key in PuTTYgen and clicking "Conversions" to get it into OpenSSH format.

0
2

There are a few things.

Primarily, if the KEY is asking for a password, the key was generated with it. Secondly, if the system is prompting for a password after, then the key is not authenticating. Meaning, you will need to regenerate your SSH key (or change it as suggested by @rbtux) and fix the authorized_keys files.

ssh-keygen -t {dsa|rsa} -b {1024|2048|4096} -C "optional comment" -f id_examplekey

The items in curly brackets are options, type and bit size (To state the obvious: dsa > rsa, 4096 > 1024 - in terms of "security").

Then you need to add the public key (.pub) to the authorized_keys and authorized_keys2 files (it's a common misconception to say the .pub is for local use; however, it is intended to be compared against). So, in the server's .ssh folder:

$ cat id_examplekey.pub >> authorized_keys{,2}

Then on your end, you should make sure the key permissions are chmod 600 id_examplekey, and to alleviate typing all that, you can set up the config file ~/.ssh/config on your local box (this is a skeleton; you can customize it a ton):

Host example.com
    User WHATEVERNAME
    IdentityFile ~/.ssh/id_examplekey
3
  • But the section in the debug which reads: debug1: Server accepts key: pkalg ssh-dss blen 433 - does this not mean that the key has been accepted? I have recreated it again with no passphrase, still the same? I am out of ideas. Thank you Commented Nov 20, 2012 at 22:09
  • @AndrewAtkinson Looks like you got it below. You need the private key on the from machine (local, client, whatever) and the public.pub key added to the authorized_keys files. My other suggestions should help save you time :D Good luck!
    – nerdwaller
    Commented Nov 20, 2012 at 22:27
  • You write "Primarily, if the KEY is asking for a password, the key was generated with it." <-- yeah, though I just tested what the questioner did, so, doing -i with the public key $ ssh user@comp -i ~/.ssh/id_rsa.pub and it said wrong permissions and private key will be ignored... so I changed permissions to 600 like id_rsa would be, and it asked for a passphrase. So, indeed, it will then ask for a passphrase if you specify the public key, even though both the public key and the private key were not generated with a passphrase
    – barlop
    Commented Oct 13, 2014 at 5:09
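As an added diagnostic that is not code from this thread or from OpenSSH: a small POSIX shell script that tells apart the situations the answers and comments above describe (a .pub file passed to -i, a passphrase-protected private key in PEM or OpenSSH format, and a private key whose permissions ssh refuses) by inspecting the identity file offline. The function names are my own, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: classify the file handed to
# "ssh -i" and explain the passphrase prompt in the question without touching
# the key. Prints: public, private-plain, private-encrypted, unknown, unreadable.
classify_identity() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    first=$(head -n 1 "$f")
    case "$first" in
        "ssh-dss "*|"ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*)
            # authorized_keys-style line: the .pub file the asker passed to -i
            echo "public" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # new format: "openssh-key-v1\0" then length-prefixed cipher and
            # KDF names; both read "none" when the key has no passphrase
            if sed '1d;$d' "$f" | base64 -d 2>/dev/null | head -c 64 \
                 | tr -cs '[:alnum:]' ' ' | grep -q ' none none'; then
                echo "private-plain"
            else
                echo "private-encrypted"
            fi ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # legacy PEM (the asker's DSA key): a passphrase shows as Proc-Type
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo "private-encrypted"
            else
                echo "private-plain"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# ssh ignores a private key readable by group or others; take the mode from
# ls, which prints it the same way on BSD and GNU. Prints "ok" or "too-open".
check_identity_perms() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo "ok" ;;
        *)      echo "too-open" ;;
    esac
}
# Map the findings to the fix the answers above recommend.
explain_identity() {
    case "$(classify_identity "$1")" in
        public)            echo "this is the .pub file; pass the private key (${1%.pub}) to -i" ;;
        private-encrypted) echo "key has a passphrase: load it with ssh-add or strip it with ssh-keygen -p" ;;
        private-plain)     [ "$(check_identity_perms "$1")" = ok ] && echo "key usable" || echo "chmod 600 $1 first" ;;
        *)                 echo "not an OpenSSH key: convert it (PuTTYgen Conversions) or regenerate" ;;
    esac
}
```

Run it as `explain_identity /root/.ssh/id_dsa.pub` to reproduce the asker's mistake and get the fix in one line.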
2

For me, since the key itself was encrypted, I followed these steps:

  • Start ssh-agent: $ ssh-agent bash
  • Add standard identity key to the key manager: $ ssh-add
  • If you want to add a different key, then: $ ssh-add /location/of/key

To inspect at any time, the list of currently loaded keys:

$ ssh-add -l

More details can be obtained from this link.

1

Try https://wiki.gentoo.org/wiki/Keychain

It is kind of a wrapper around ssh-agent and ssh-add.

Pros: No need to input the password repeatedly as long as you don't reboot. Could be used in crontab.

It might help.

1

It could be because you are using a DSA pubkey which is disabled by default in OpenSSH v7.

If you cannot change the key pair, a possible workaround is to tell the SSH daemon on webserver.com to accept those key types by updating /etc/ssh/sshd_config (or equivalent), adding the following line:

PubkeyAcceptedKeyTypes=+ssh-dss

And then restarting the service:

/etc/init.d/ssh restart                     # or equivalent
0

On Mac OS X you can add your private key to the keychain using the command:

ssh-add -K /path/to/private_key

If your private key is stored in ~/.ssh and is named id_rsa:

ssh-add -K ~/.ssh/id_rsa

You will then be prompted for your password, which will be stored in your keychain.

1
  • What do I need to do on Linux client if Mac client works? Commented Mar 7, 2017 at 14:24
0

Due to unaligned versions of OpenSSH and other oddities, you can try generating the key pair on the host you're trying to connect to.
