[SGVLUG] SSH Keys / Trusted Authentication
Emerson, Tom
Tom.Emerson at wbconsultant.com
Thu May 4 17:24:25 PDT 2006
Hmmm... I think I see something subtle...
> -----Original Message----- Of Sean O'Donnell
>
> I did notice a failure when logging in to ssh in verbose
> mode, that I didn't receive (or perhaps notice) yesterday...
> 'debug1: PEM_read_PrivateKey failed'
>
> Here is the log, just in case...
>
> OpenSSH_4.3p1, OpenSSL 0.9.7e 25 Oct 2004
[...]
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
OK, so it's going to try the keys you've set up...
> debug1: Offering public key: /home/myid/.ssh/id_rsa
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> debug1: PEM_read_PrivateKey failed
However a straight read of the key file failed, SO...
> debug1: read PEM private key done: type <unknown>
> Enter passphrase for key '/home/myid/.ssh/id_rsa':
THIS IS THE SUBTLE part: note it is asking for the passphrase of your
KEY, not the PASSWORD OF THE REMOTE SERVER...
> debug1: read PEM private key done: type RSA
Here you've entered the key, and *I SUSPECT* the "passphrase" you have
for your key IS ALSO THE PASSWORD you are using on the remote system
[what do I win?]
> debug1: Authentication succeeded (publickey).
THIS TIME the "read" process succeeds, and sure enough the remote server
did indeed use your private key.
Unfortunately, using a private key doesn't avoid a password/passphrase
-- it only transfers which system asks for the information. In order to
not be prompted, your private key needs to not have a passphrase
associated with it. [why would anyone do this? It makes /some/ sense
for automated processes and/or unattended servers. In these cases, the
private key should only be "readable" by it's creator; and in turn the
"creator" needs to be a process without shell access so a "real person"
cannot log on as that ID and read the file...]
I can't remember offhand, but does SSH have something similar to
gpg-agent? Gpg-agent acts as a go-between between the user and any
process trying to read your .secring; it caches the "key" for a set
period of time (such as 5 minutes) so that you enter your password once,
and for the next few minutes any process that needs you to "unlock" the
key will succeed without prompting you. In your example, a checkin/out
operation ends up prompting for the passphrase a half dozen times, which
I would imagine happens over the span of no more than a minute, right?
In this case, an "agent" program would prompt you once and supply the
unlocked private key for the remaining 5 or 6 connections...
[oh, wait, I see that at the end of Claude's response, so...]
More information about the SGVLUG
mailing list