6

I can't set up SSH key authentication to log in without entering a password, just using the private key. Here is the sshd_config file of my VPS.

    # What ports, IPs and protocols we listen for
    Port 8707
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    UseDNS no
    AllowUsers ashfame

I generated the key using ssh-keygen -t rsa in the .ssh folder of my local machine. Then I copied the public key file id_rsa.pub by scp id_rsa.pub [email protected]: Then I moved the file to the .ssh folder of my user and renamed it to authorized_keys by mv id_rsa.pub ~ashfame/.ssh/authorized_keys.

I changed the permissions

    chown -R ashfame:ashfame ~ashfame/.ssh
    chmod 700 ~ashfame/.ssh
    chmod 600 ~ashfame/.ssh/authorized_keys

Now the public key is there, its content matches the one on the local machine, but still when I try to log in it shows "Agent admitted failure to sign using the key." What am I missing?

Edit:

Output of ssh -vvv

    OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to xx.xxx.xx.xx [xx.xxx.xx.xx] port 8707.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/home/ashfame/.ssh/id_rsa" as a RSA1 public key
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/ashfame/.ssh/id_rsa type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: identity file /home/ashfame/.ssh/id_rsa-cert type -1
    debug1: identity file /home/ashfame/.ssh/id_dsa type -1
    debug1: identity file /home/ashfame/.ssh/id_dsa-cert type -1
    debug1: identity file /home/ashfame/.ssh/id_ecdsa type -1
    debug1: identity file /home/ashfame/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
    debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
    debug2: fd 3 setting O_NONBLOCK
    debug3: put_host_port: [xx.xxx.xx.xx]:8707
    debug3: load_hostkeys: loading entries for host "[xx.xxx.xx.xx]:8707" from file "/home/ashfame/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/ashfame/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 129/256
    debug2: bits set: 517/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA d8:91:1b:8a:90:96:60:27:3b:6e:ae:fc:f2:08:84:f6
    debug3: put_host_port: [xx.xxx.xx.xx]:8707
    debug3: put_host_port: [xx.xxx.xx.xx]:8707
    debug3: load_hostkeys: loading entries for host "[xx.xxx.xx.xx]:8707" from file "/home/ashfame/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/ashfame/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "[xx.xxx.xx.xx]:8707" from file "/home/ashfame/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/ashfame/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host '[xx.xxx.xx.xx]:8707' is known and matches the RSA host key.
    debug1: Found key in /home/ashfame/.ssh/known_hosts:1
    debug2: bits set: 514/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/ashfame/.ssh/id_rsa (0x7f5e60674670)
    debug2: key: /home/ashfame/.ssh/id_dsa ((nil))
    debug2: key: /home/ashfame/.ssh/id_ecdsa ((nil))
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/ashfame/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug2: input_userauth_pk_ok: fp 40:16:89:d5:e3:38:cc:84:7a:1e:44:d6:84:5a:87:86
    debug3: sign_and_send_pubkey: RSA 40:16:89:d5:e3:38:cc:84:7a:1e:44:d6:84:5a:87:86
    Agent admitted failure to sign using the key.
    debug1: Trying private key: /home/ashfame/.ssh/id_dsa
    debug3: no such identity: /home/ashfame/.ssh/id_dsa
    debug1: Trying private key: /home/ashfame/.ssh/id_ecdsa
    debug3: no such identity: /home/ashfame/.ssh/id_ecdsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
6
  • output of ssh -vvv? Commented Sep 13, 2011 at 19:47
  • @rogerdpack Added in the question, please take a look Commented Sep 13, 2011 at 19:52
  • @ashfame - I think he was asking you to add "-vvv" to your regular ssh command. Without a connection there's nothing for ssh to be verbose about... Commented Sep 13, 2011 at 19:55
  • @voretaq7 Oops! I added the output. I think there is a mismatch somehow. I am using both RSA & DSA somehow. Not sure how I ended up with using both. Commented Sep 13, 2011 at 20:10
  • I'm not sure how openssh selects keys off the top of my head - I usually use ssh-agent or manually tell ssh which key to present (-i). You may want to try the latter while debugging. Also see the update to my answer: I can replicate the behavior you're seeing if my key isn't in the authorized_keys file so something may have gotten SNAFU'd with your 2 keys... Commented Sep 13, 2011 at 20:27
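
An added example, not part of the original question: the key-installation steps from the question as one shell function that appends to authorized_keys instead of replacing it, refuses a private key file, and sets the 700/600 modes, which satisfy StrictModes yes. The name install_pubkey and its two arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not the asker's commands): install a public key under a
# home directory. install_pubkey and its arguments are hypothetical names.
# usage: install_pubkey PUBFILE HOME_DIR   -> prints "added" or "present"
install_pubkey() {
    pub=$1
    home=$2
    auth="$home/.ssh/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]". A private key
    # file starts with "-----BEGIN" and must never be copied to a server.
    blob=$(awk 'NR == 1 && $1 ~ /^(ssh-|ecdsa-)/ && NF >= 2 { print $2 }' "$pub")
    if [ -z "$blob" ]; then
        echo "not an OpenSSH public key: $pub" >&2
        return 1
    fi

    # Modes from the question; they satisfy "StrictModes yes".
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    [ -e "$auth" ] || : > "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Match on the key blob in any field, so an options prefix or a
    # different comment does not produce a duplicate entry.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$auth"; then
        echo present
    else
        # Append (>>) rather than mv, so existing keys are kept.
        head -n 1 "$pub" >> "$auth" || return 1
        echo added
    fi
    # When run as root for another account, also chown -R user:user "$home/.ssh".
}
```
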

3 Answers

9

Agent admitted failure to sign using the key is often OpenSSH speak for "You're running ssh-agent on the client and forgot to ssh-add the key you want to use."

Try running ssh-add on the client machine and see if your error goes away. You may need to consult the ssh-add manpage for additional parameters to pass to ssh-add, particularly if your private key is named something non-standard...


Edit based on new info in the question from ssh -vvv:

debug3: Could not load "/home/ashfame/.ssh/id_rsa" as a RSA1 public key 

Looks like your keyfile is malformed somehow. Triple-check to make sure something hasn't been corrupted there (extra/missing stuff).
I also got the same message when the public key wasn't in authorized_keys on the server side, which may just be OpenSSH being lousy about informative error messages -- something else to double check though.

1
  • I have the standard names only id_rsa & id_rsa.pub. Do I still need to do anything with ssh-add? Commented Sep 13, 2011 at 20:03
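
An added example, not part of the answers: triage of the public-key step in an ssh -vvv trace. In the question's trace "Server accepts key" comes before "Agent admitted failure to sign", so the server matched the offered key and the failure is at the client's signing step. The function names and verdict labels are hypothetical, and the matched strings are the ones in the question's trace.

```shell
#!/bin/sh
# Added example, not from the thread. Message strings are those of the
# question's trace (OpenSSH 5.8p1 client); other versions may differ.

# Reads an `ssh -vvv` trace on stdin and prints one verdict.
classify_pubkey_trace() {
    awk '
        /Offering .*public key/                  { offered = 1 }
        /Server accepts key/                     { accepted = 1 }
        /Agent admitted failure to sign/         { agent_fail = 1 }
        /Authentication succeeded \(publickey\)/ { ok = 1 }
        END {
            if (ok)                          print "publickey-ok"
            else if (accepted && agent_fail) print "client-agent-cannot-sign"
            else if (offered && !accepted)   print "server-rejected-key"
            else if (!offered)               print "no-key-offered"
            else                             print "inconclusive"
        }'
}

# Maps a verdict to the check the thread suggests for it.
next_step() {
    case $1 in
        client-agent-cannot-sign)
            echo "client: ssh-add -l, then ssh-add the key, or bypass the agent" ;;
        server-rejected-key)
            echo "server: authorized_keys content and 700/600 modes (StrictModes)" ;;
        no-key-offered)
            echo "client: no identity was offered, name one with ssh -i" ;;
        publickey-ok)
            echo "nothing to fix at the public-key step" ;;
        *)  echo "inconclusive: read the full trace" ;;
    esac
}

# Excerpt of the question's own trace, in order.
sample_trace() {
    cat <<'EOF'
debug1: Offering RSA public key: /home/ashfame/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
Agent admitted failure to sign using the key.
debug1: Next authentication method: password
EOF
}

verdict=$(sample_trace | classify_pubkey_trace)
echo "$verdict -> $(next_step "$verdict")"
```
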
0

To bypass the agent, try this:

SSH_AUTH_SOCK=0 ssh user@host 
0

Today when I switched on my machine, I could log in without the need of a password. I guess that was just a temporary glitch. Else @voretaq7's answer would have been better in helping. I am accepting my answer and upvoting his answer.
