I have a public/private key pair. Neither of them has any sort of passphrase associated with it.
Whenever I try to ssh using either the private or public (and I'm pretty sure I should only be using the public key), I get queried for a passphrase, and then of course can't connect up.
ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections. Add your SSH private key to the ssh-agent and store your passphrase in the keychain. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
- This can be changed after the fact, as you can perform the following operations on your existing SSH private key using ssh-keygen: add a passphrase to an SSH key; edit the passphrase of an SSH key.
- Use ssh-keygen -p command to remove the passphrase – just press Enter when asked for the new passphrase without typing any phrase. No Way To Recover Forgotten Passphrase. IMPORTANT: you cannot overwrite a forgotten passphrase. If your SSH key is encrypted, you must have the original passphrase to decrypt the key and save it with the new passphrase.
- $ man ssh-keygen. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 128-bit AES. So this passphrase just encrypts the key locally. An attacker with access to your system will not be able to read the private key, because it's encrypted.
- Sep 01, 2018 (Last Updated On: September 1, 2018) Let’s look at how you can update or change your SSH key passphrase on a Linux system. SSH keys are often used to authenticate users to some kind of information systems. The SSH keys themselves are private keys; the private key is further encrypted using a symmetric encryption key derived.
- Recreate the keypair, choosing a new passphrase: ssh-keygen -t rsa -f ~/.ssh/id_rsa. Add the newly created private key to your OS X Keychain to store the passphrase and manage unlocking it automatically: ssh-add -K ~/.ssh/id_rsa. Copy the public key to the OS X clipboard for adding to web services like GitHub, etc.: cat ~/.ssh/id_rsa.pub | pbcopy.
Anyone have any idea how to get around this? Am I typing some command incorrectly? I am trying to ssh into a server that I have set up in my ~/.ssh/config file (correctly, since this exact same setup works on another server) with the key stored in ~/.ec2/key.ppk
I've also tried using puttygen.exe to generate a new private key WITH a passphrase, and then using that key, and when I type the passphrase, it still fails.
10 Answers
First off it's the private key that will have the pass-phrase. This validates against the public key stored on the remote server.
Best guess is that you are trying to use a putty private key (ppk) key format with openssh; this doesn't work.... PuTTYgen has an export option for openssh if this is the case.
I also assume that the server you are trying to ssh to has your public key stored correctly in the authorized key file (in ~/.ssh/authorized_keys generally).
Another guess would be that the correct key isn't being selected. Some things I would try are:
Resetting the key's pass-phrase using ssh-keygen, like this...
This will confirm if in fact your key does (or does not) have a pass-phrase on it already.
Secondly I'd try connecting using a verbose output, specifying your public key explicitly output:
This will give you more of an idea of what is going on.
You could run ssh-agent. See here for a discussion.
The short version that worked for me (in bash):
I took the 3 lines it echoes out, and executed them. Another way to do that is take the output of -s:
Then I added my credentials to it:
Now the agent supplies the credentials instead of me having to type in my passphrase.
I believe ssh-agent goes away when the shell does, so this should be scripted upon startup for maximum convenience. The link I shared describes scripting as well.
dfrankow
When you set up your public key, you probably (perhaps inadvertently) set it up with a passphrase.
You probably need to start fresh -- I haven't used puttygen, but you can delete (or rename) the public key in your .ssh directory, use ssh-keygen to generate a new one (being sure not to provide a passphrase), and then share the public_key out to the authorized_keys file on the server you're trying to connect to.
You may need to also remove your old passphrase-key from the authorized-keys file on the server you're connecting to.
One thing to check: if your sshd_config file has StrictModes=yes, then the $HOME directory or $HOME/.ssh directory must not be world writable to group or other. Otherwise authentication fails no matter what.
Check that the private key id_rsa doesn't have extra line breaks at the end; in some cases extra line breaks will make ssh-keygen ask for the passphrase. Try this:
test:
I made the mistake of accidentally overwriting my ~/.ssh/id_rsa file with my ~/.ssh/id_rsa.pub. Doing that will cause ssh to ask for a pass phrase.
I ran into this problem the other day. Specifically, I was trying to copy/paste a private AWS key from one machine to another.
I have a bad habit of either missing the first or last character. It turns out that if you don't grab every hyphen at the end of your private key–even though it has nothing to do with the key text itself–you will be prompted for a passphrase for the private key until you add every character from the key you copied from (in my case this meant adding a single hyphen to the end of the key).
I suppose this means that best practice is to SSH the text file across the wire instead of trying to copy and paste between Terminal windows.
On OSX I was able to just run:
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /Users/me/.ssh/id_rsa:
Identity added: /Users/mikekilmer/.ssh/id_rsa (/Users/mikekilmer/.ssh/id_rsa)
The password was stored by the Keychain Access application, which is in the Applications > Utilities folder. I just entered id_ in the search field.
Try viewing the log files on the server. See /var/log/authlog (e.g., /var/log/authlog for OpenSSH, although I've seen some operating systems use Portable OpenSSH and use /var/log/auth.log) and check the end of that file.
The most common causes I've seen are incorrect permissions (as noted by TD1's answer), although other issues could be with the public key (stored on the server) not being in the right file, or that key being commented out, or a misspelled username.
It may also be helpful (for troubleshooting) to give the account a passphrase temporarily, just to verify that the account can be successfully logged in when you do that.
If viewing the log file doesn't quickly lead you to a resolution, I suggest posting a new question (since this is a great generalized question) which does include the specific details from the log file, so that more specific directions can be provided.
TOOGAM
On my team, when this happens it isn't an issue with anything locally. The user's ssh key and/or access hasn't been configured correctly on the server they're connecting to (in our case a hosting platform). For some reason this triggers a prompt for a non-existent ssh key.
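Several answers above trace the unexpected passphrase prompt to the key file itself: a PuTTY .ppk handed to OpenSSH, a public key written over the private key, or a footer that lost a hyphen during copy and paste. The script below is an added example, not code from any of the answers, that tells those cases apart by looking only at the file's armor lines; `classify_key`, `make_samples` and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a file that ssh is being pointed at as a private key.
# All sample contents below are constructed placeholders, not real key material.
classify_key() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    # First line and last non-blank line, with any CR from Windows editors removed.
    first=$(sed -n '1p' "$f" | tr -d '\r')
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1 | tr -d '\r')
    case $first in
        PuTTY-User-Key-File-*) echo putty-ppk; return 0 ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo public-key; return 0 ;;
        "-----BEGIN "*"PRIVATE KEY-----") ;;   # PEM-style armor, inspect further
        *) echo unknown; return 0 ;;
    esac
    # The footer must be the header with BEGIN replaced by END, hyphens included.
    want=$(printf '%s\n' "$first" | sed 's/^-----BEGIN /-----END /')
    if [ "$last" != "$want" ]; then echo damaged-footer; return 0; fi
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f" ||
       [ "$first" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ]; then
        echo pem-encrypted          # a passphrase really is set on this key
    elif [ "$first" = "-----BEGIN OPENSSH PRIVATE KEY-----" ]; then
        echo openssh-private        # cipher name is recorded inside the base64 body
    else
        echo pem-plaintext
    fi
}

# Write constructed sample files into the directory given as $1.
make_samples() {
    printf '%s\n' 'PuTTY-User-Key-File-2: ssh-rsa' 'Encryption: none' > "$1/key.ppk"
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED me@example' > "$1/overwritten"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDRA==' '-----END RSA PRIVATE KEY----' > "$1/short"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDRA==' '-----END RSA PRIVATE KEY-----' '' '' > "$1/good"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' '' 'QUJDRA==' '-----END RSA PRIVATE KEY-----' > "$1/enc"
}

d=$(mktemp -d) && make_samples "$d"
for k in key.ppk overwritten short good enc; do
    printf '%-12s %s\n' "$k" "$(classify_key "$d/$k")"
done
rm -rf "$d"
```

A result of `openssh-private` does not say whether a passphrase is set, because that format stores the cipher inside the encoded body.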