SSH not remembering keychain

Discussion in 'macOS' started by Wnt2bsleepin, May 23, 2013.

  1. Wnt2bsleepin, May 23, 2013
    Last edited: May 25, 2013

    Wnt2bsleepin macrumors newbie

    Joined:
    Oct 12, 2011
    #1
    Hello,

    I set up key authentication on my server. However, I cannot get the Keychain to remember the passphrase for the key itself. I have to enter it every time. I did some digging around and here are the results.

    command
    Code:
    ssh <name>
    -Requires the passphrase every time, even if it's entered into the keychain.
    -Works off a config file
    Code:
    Host mcftb
        User ftb
        Hostname ftb.host.com
        IdentityFile ~/.ssh/mcvps/ftbUser.private
        IdentitiesOnly yes
    
    Host mcbukkit
        User bukkit
        Hostname bukkit.host.com
        IdentityFile ~/.ssh/mcvps/bukkitUser.private
        IdentitiesOnly yes
    
    Host mcroot
        User root
        Hostname bukkit.host.com
        IdentityFile ~/.ssh/mcvps/rootUser.private
        IdentitiesOnly yes
    
    Host pbUser
        User bUser
        Hostname hostB.com
        IdentityFile ~/.ssh/personalServer/bUser.private
        IdentitiesOnly yes
    
    Host pbackup
        User rUser
        Hostname hostB.com
        IdentityFile ~/.ssh/personalServer/rUser.private
        IdentitiesOnly yes
    
    Host proot
        User root
        Hostname hostB.com
        IdentityFile ~/.ssh/personalServer/rootUser.private
        IdentitiesOnly yes
    
    Host wsroot
        User root
        Hostname hostC.com
        IdentityFile ~/.ssh/webserver/rootUser
        IdentitiesOnly yes
    
    Host wsadmin
        User Admin
        Hostname hostC.com
        IdentityFile ~/.ssh/webserver/Admin.private
        IdentitiesOnly yes
    
    The second option works without me having to enter my passphrase every time.

    command:
    Code:
    ssh -v -i .ssh/webserver/rootUser root@host.com
    However, it seems to be trying every key that it can find.

    output:
    Code:
    ssh -v -i .ssh/webserver/rootUser root@host.com
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/User/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to host.com [192.xx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: identity file .ssh/webserver/rootUser type -1
    debug1: identity file .ssh/webserver/rootUser-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 59:41:b3:35:11:91:4c:4b:99:78:42:2a:8f:bb:ad:68
    debug1: Host 'host.com' is known and matches the RSA host key.
    debug1: Found key in /Users/User/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    
    
    /**Here is where it starts offering the keys**/
    
    debug1: Offering RSA public key: /Users/User/.ssh/personalServer/rootUser.private
    debug1: Authentications that can continue: publickey
    debug1: Offering RSA public key: /Users/User/.ssh/mcvps/rootUser.private
    debug1: Authentications that can continue: publickey
    debug1: Offering RSA public key: rootuser.private
    debug1: Authentications that can continue: publickey
    debug1: Offering RSA public key: .ssh/webserver/rootUser
    debug1: Server accepts key: pkalg ssh-rsa blen 149
    debug1: Authentication succeeded (publickey).
    Authenticated to host.com ([192.xx.xxx.xx]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-
    
    It asks for the passphrase if I force the identity:
    Code:
    ssh -v -o "IdentitiesOnly yes" -i .ssh/webserver/rootUser root@host.com
    Output:
    Code:
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/User/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to host.com [192.xx.xxx.xx] port 22.
    debug1: Connection established.
    debug1: identity file .ssh/webserver/rootUser type -1
    debug1: identity file .ssh/webserver/rootUser-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 59:41:b3:35:11:91:4c:4b:99:78:42:2a:8f:bb:ad:68
    debug1: Host 'host.com' is known and matches the RSA host key.
    debug1: Found key in /Users/User/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: .ssh/webserver/rootUser
    debug1: key_parse_private_pem: PEM_read_PrivateKey failed
    debug1: read PEM private key done: type <unknown>
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    
    I know this is a lot. Any help is much appreciated.
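The two things the configuration and the `-v` output above expose can be checked with a script. This is an added example (editor's code, not from the thread): it reports `Host` aliases that appear more than once in an ssh_config (only the first matching block is ever used) and `IdentityFile` entries that exist without a `.pub` sibling. An `IdentityFile` that `ssh -v` reports as `type -1` is one whose public half the client could not load, and with `IdentitiesOnly yes` OpenSSH 5.9 only uses an agent key that matches a loaded IdentityFile public key; without that match it falls back to reading the encrypted private file itself and prompts for the passphrase. The config, key files, paths and the `ssh-keygen`/`ssh-add` helpers' use are assumptions of the example; the fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an ssh_config
# and the IdentityFile entries it names.
#   * "identity file ... type -1" in the -v output means the client could not
#     load the public half of that key. With IdentitiesOnly=yes the client only
#     uses an agent key if it matches a loaded IdentityFile public key, so with
#     no .pub beside the private key it falls back to reading the encrypted
#     private file itself and asks for the passphrase.
#   * the same Host alias twice in ssh_config is harmless but confusing: the
#     first matching block wins and the second is never consulted.
# Paths, key files and the sample config below are constructed for the example.

# Print every Host alias that appears more than once in the config file $1.
duplicate_hosts() {
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) seen[$i]++ }
         END { for (h in seen) if (seen[h] > 1) print h }' "$1" | sort
}

# Print every IdentityFile in config $1 (~ expanded) that exists but has no
# .pub sibling; these are the ones ssh -v reports as "type -1".
identities_without_pub() {
    awk 'tolower($1) == "identityfile" { print $2 }' "$1" | while read -r path; do
        case "$path" in
            '~/'*) path="$HOME/${path#\~/}" ;;
        esac
        if [ -f "$path" ] && [ ! -f "$path.pub" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Recreate the missing public half from private key $1 (prompts for the
# passphrase once). Uses only ssh-keygen -y, which prints the public key.
regenerate_pub() {
    ssh-keygen -y -f "$1" > "$1.pub" && chmod 644 "$1.pub"
}

# Exit 0 if the key whose public file is $1 is loaded in the running agent,
# comparing fingerprints rather than file names or comments.
agent_has_key() {
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{ print $2 }')
    [ -n "$fp" ] || return 2
    ssh-add -l 2>/dev/null | awk '{ print $2 }' | grep -qxF "$fp"
}

# Throwaway directory holding a constructed config and placeholder key files.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/webserver" "$dir/personalServer"
    printf 'placeholder\n' > "$dir/webserver/rootUser"             # no .pub
    printf 'placeholder\n' > "$dir/personalServer/bUser.private"
    printf 'placeholder\n' > "$dir/personalServer/bUser.private.pub"
    cat > "$dir/config" <<EOF
Host pbUser
    User bUser
    Hostname hostB.com
    IdentityFile $dir/personalServer/bUser.private
    IdentitiesOnly yes

Host pbUser
    User bUser
    Hostname hostB.com
    IdentityFile $dir/personalServer/bUser.private
    IdentitiesOnly yes

Host wsroot
    User root
    Hostname hostC.com
    IdentityFile $dir/webserver/rootUser
    IdentitiesOnly yes
EOF
    printf '%s\n' "$dir"
}

demo() {
    dir=$(make_fixture) || exit 1
    echo "duplicate Host aliases:";            duplicate_hosts "$dir/config"
    echo "IdentityFile entries without .pub:"; identities_without_pub "$dir/config"
    rm -rf "$dir"
}

# Run as: sh check_ssh_config.sh --demo   (file name assumed)
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Against the real `~/.ssh/config`, `identities_without_pub ~/.ssh/config` lists the keys to pass to `regenerate_pub`; once the `.pub` exists next to the private key, the client can match that identity against the agent under `IdentitiesOnly yes` instead of re-reading the encrypted file. `agent_has_key` needs a running agent and is not exercised by the demo.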
     
  2. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #2
    Why do you have a separate key for each host? The idea is that you create one public/private key pair on your Mac to be "you". Then you copy the public key to the various hosts you want to authenticate to. Add the public key to the .ssh/authorized_keys or .ssh/authorized_keys2 file as appropriate. The first time you SSH with your key, you enter the passphrase. After that you won't have to enter a password again.
     
  3. Wnt2bsleepin thread starter macrumors newbie

    Joined:
    Oct 12, 2011
    #3
    I have a key for each account on each host. I also handed out a key for, say, a limited user to another person, while I have access to the root account as well as all the other accounts.

    I could limit it so that I have a key that is the same for my being, but I would still want to keep separate keys for the root accounts for each host. I also have accounts that.

    Am I thinking about this the wrong way?
     
  4. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #4
    Again, you can have multiple public keys that are authorized to use each account. So you can add your own public key and the other guy can add his public key to authorize to that shared account. You don't have to share private keys.

    When you connect to the host, you can specify which user to log in as.

    ssh account@host

    If your public key is authorized to multiple accounts on the host, you can select which account you want to connect as.

    If you insist on having multiple private keys that mean "you", then you can use ssh-add to add multiple identities to your ssh agent. You will have to do this each time you log in. But once you are logged in you will not have to enter the passphrase for each account more than once.
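The setup described in this reply, several people's own public keys authorised on one account, can be scripted so that a pasted private key or a malformed line never ends up in `authorized_keys`. This is an added example (editor's code, not from the thread or from OpenSSH): each key line carries the restrictions appropriate to its holder, so the limited user's key is pinned to a source network and stripped of forwarding while the owner's key is unrestricted. The public keys, the role names and the 203.0.113.0/24 network are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one authorized_keys for a shared account,
# assembled from each person's own public key so that no private key is ever
# handed out. Each line can carry its own restrictions; the limited user's key
# is pinned to a source network and stripped of forwarding, the owner's key is
# unrestricted. Keys and the 203.0.113.0/24 network are constructed placeholders.

# Options prefix for a role (assumed role names; the limited set is the usual
# least-privilege one for an account someone else also uses).
key_options_for() {
    case "$1" in
        owner)   printf '' ;;
        limited) printf '%s' 'from="203.0.113.0/24",no-port-forwarding,no-agent-forwarding,no-X11-forwarding' ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Append the single-line public key in $2 to authorized_keys $1, prefixed with
# the options for role $3. Rejects anything that is not exactly one
# "type data [comment]" line, which is how a pasted private key or a stray
# blank line would otherwise get into the file.
authorize_key() {
    authfile=$1; pubfile=$2; role=$3
    options=$(key_options_for "$role") || return 1
    [ "$(wc -l < "$pubfile")" -le 1 ] || { echo "refusing multi-line $pubfile" >&2; return 1; }
    ktype=; kdata=; comment=
    read -r ktype kdata comment < "$pubfile" || [ -n "$ktype" ] || return 1
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $pubfile" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || { echo "missing key data in $pubfile" >&2; return 1; }
    line="$ktype $kdata"
    [ -n "$comment" ] && line="$line $comment"
    [ -n "$options" ] && line="$options $line"
    printf '%s\n' "$line" >> "$authfile"
}

# Number of keys in authorized_keys $1 that carry a from= restriction.
count_restricted() {
    grep -c '^from=' "$1" || true
}

# Throwaway directory with constructed public keys and one private-key file
# that must be rejected. Nothing here is real key material.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOwnerKeyDataXXXXXXXXXXXXXXXXXXXXXXX me@mac\n' > "$dir/me.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLimitedKeyDataXXXXXXXXXXXXXXXXXXXXX other@laptop\n' > "$dir/other.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'notakey' '-----END OPENSSH PRIVATE KEY-----' > "$dir/oops.private"
    printf '%s\n' "$dir"
}

demo() {
    dir=$(make_fixture) || exit 1
    auth="$dir/authorized_keys"
    authorize_key "$auth" "$dir/me.pub" owner
    authorize_key "$auth" "$dir/other.pub" limited
    authorize_key "$auth" "$dir/oops.private" owner || echo "(private key rejected, as intended)"
    echo "--- $auth ---"; cat "$auth"
    rm -rf "$dir"
}

# Run as: sh build_authorized_keys.sh --demo   (file name assumed)
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the client side, the several private keys of the original poster are loaded into the agent in one go with `ssh-add ~/.ssh/mcvps/rootUser.private ~/.ssh/webserver/rootUser ...`. The OpenSSH 5.9 in the thread has no way to persist that across logins; on later macOS releases the passphrases can be kept in the Keychain with `ssh-add -K` (before macOS 12) or `ssh-add --apple-use-keychain` (macOS 12 and later), together with `UseKeychain yes` and `AddKeysToAgent yes` under `Host *` in `~/.ssh/config`.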
     
