SSH only works if I specify the key with -i

debianssh

I have a server that only allows ssh with a key. However when I try to ssh to this machine I get the error "Permission denied (publickey)". From the auth.log on my server this is happening pre auth. The permissions on my keys and .ssh folder look fine. Also if I use -vv when attempting to ssh it doesn't appear to be attempting to use the correct key file.

The only way this works is if I use the -i arg and specify the path to the key. (Which is in my .ssh folder) I've installed key before and had no problems. The only difference was that this time I had to scp the key file to the server and then use cat >> to add it to the authorised key file, rather than use ssh-copy-id.

Does anyone know how I could debug this further or fix the issue rather than make me server unsecure for a while and then use ssh-copy-id?

-vv output (the key that's valid doesn't even get tried for some reason.)

OpenSSH_6.7p1 Raspbian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to $host [$ip address] port $port.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ben/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 10:b9:0c:fa:8f:69:f2:eb:84:bd:69:32:50:1b:dd:ee
debug1: Host '$host' is known and matches the ECDSA host key.
debug1: Found key in /home/ben/.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ben/.ssh/id_rsa ((nil)),
debug2: key: /home/ben/.ssh/id_dsa ((nil)),
debug2: key: /home/ben/.ssh/id_ecdsa ((nil)),
debug2: key: /home/ben/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ben/.ssh/id_rsa
debug1: Trying private key: /home/ben/.ssh/id_dsa
debug1: Trying private key: /home/ben/.ssh/id_ecdsa
debug1: Trying private key: /home/ben/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

Details of the .ssh directory and content,

ls - ld
drwxr-xr-x 2 $user $user .

ls -l
total 16
-rw------- 1 $user $user 733 May 3 16:27 authorized_keys
-rw------- 1 $user $user 3243 May 9 15:33 key 
-rw-r--r-- 1 $user $user 751 May 9 15:33 key.pub 
-rw-r--r-- 1 $user $user 444 May 9 15:31 known_hosts

Best Answer

As far as I'm aware, ssh only searches for keys with the name id_rsa, id_dsa and a few others which all start id_ as show in the output in your question. If you have keys named anything else you must specify them on the command line, or in an ssh config file.

Either rename your file key to something ssh searches for, or update .ssh/config with a relevant stanza, or use the -i option.

You can use something like this in .ssh/config

host my.target.server
IdentityFile ~/.ssh/key

You can also use,

host *
IdentityFile ~/.ssh/key

to force ssh to use ~/.ssh/key for all connections.

It may be easier to rename the key file to id_dsa or id_rsa though (assuming the file is actually called key as in your output).

Related Solutions

Ssh – Encrypting file only with SSH -priv-key

I think your requirement is valid, but on the other hand it is also difficult, because you are mixing symmetric and asymmetric encryption. Please correct me if I'm wrong.

Reasoning:

The passphrase for your private key is to protect your private key and nothing else.
This leads to the following situation: You want to use your private key to encrypt something that only you can decrypt. Your private key isn't intended for that, your public key is there to do that. Whatever you encrypt with your private key can be decrypted by your public key (signing), that's certainly not what you want. (Whatever gets encrypted by your public key can only be decrypted by your private key.)
So you need to use your public key to encrypt your data, but for that, you don't need your private key passphrase for that. Only if you want to decrypt it you would need your private key and the passphrase.

Conclusion: Basically you want to re-use your passphrase for symmetric encryption. The only program you would want to give your passphrase is ssh-agent and this program does not do encryption/decryption only with the passphrase. The passphrase is only there to unlock your private key and then forgotten.

Recommendation: Use openssl enc or gpg -e --symmetric with passphrase-protected keyfiles for encryption. If you need to share the information, you can use the public key infrastucture of both programs to create a PKI/Web of Trust.

With openssl, something like this:

$ openssl enc -aes-256-ctr -in my.pdf -out mydata.enc

and decryption something like

$ openssl enc -aes-256-ctr -d -in mydata.enc -out mydecrypted.pdf

Update: It is important to note that the above openssl commands do NOT prevent the data from being tampered with. A simple bit flip in the enc file will result in corrupted decrypted data as well. The above commands cannot detected this, you need to check this for instance with a good checksum like SHA-256. There are cryptographic ways to do this in an integrated way, this is called a HMAC (Hash-based Message Authentication Code).

SSH Public Key authentication – works only after a physical login

As mentioned in the comment, you're using an encrypted home directory, and are likely using pam_mount to mount it.
pam_mount mounts the partition using the password acquired during login. Since you're trying to log in via ssh public keys there are 2 issues:

There is no password being sent during public key authentication, so it can't mount your home directory using it.
When using pam_mount, your home directory is mounted after login, but sshd needs to get your authorized_keys file before login, and thus it's not mounted.

Either of these issues is enough to prevent it from working.

The only solution is to get your public keys out of the home directory. This is actually rather simple.

First copy the authorized_keys file out of the home directory:

cp -a /home/$USER/.ssh/authorized_keys /home/$USER-authorized_keys

Then tell sshd to use that file by adding the following to /etc/ssh/sshd_config (replace existing entry if present):

AuthorizedKeysFile .ssh/authorized_keys /home/%u-authorized_keys

And bounce sshd.

Note however that this will not mount your home directory. Your home directory still needs your password to decrypt. Depending on how you have pam_mount configured, it might prompt you for your password, or it might just drop you into a shell with your home unmounted.

Best Answer

Related Solutions

Ssh – Encrypting file only with SSH -priv-key

SSH Public Key authentication – works only after a physical login

Related Question