Enter Passphrase for Id rsa pub Bad Passphrase Try Again for Id rsa pub

Last updated on 08/27/2020

This guide demonstrates how to set up automatic OpenSSH RSA public-key authentication for Windows (using OpenSSH v3.8.1p1-1) and Linux (using OpenSSH v5.3p1) PCs currently working with password authentication on a local network. The information for this guide was tested on PCs with WinXP and Lubuntu and may be applicable to other versions of Linux and Windows. You will need physical access to both PCs.

Public-key Cryptography

Public-key cryptography uses a pair of matching keys, a public key and a private key, which are created at the same time using a key generation utility (ssh-keygen.exe is the key generation utility used in OpenSSH). A public key can be known to anyone and is used to encrypt information. The only way to decrypt information encrypted with the public key is with the matching private key. Although the two keys are related, a private key can't be created from its matching public key. Public-key cryptography is widely used for public-key authentication to enable secure logins to servers without passwords and for digital or electronic signatures, and for certifying the authenticity of data signed by the private key.

The importance of using public key authentication can be summed up in this argument from the Ubuntu help pages: "If your SSH server is visible over the Internet, you should use public key authentication instead of passwords if at all possible. If you don't think it's important, try logging all of the malicious login attempts you get for the next week. My computer – a perfectly ordinary desktop PC – had over 4,000 attempts to guess my password and about 2,500 break-in attempts in the last week alone."

OpenSSH Public-key Authentication

OpenSSH can use either the RSA or DSA algorithms for public-key authentication. RSA stands for Rivest, Shamir and Adleman, the last names of the MIT team members who developed it. DSA stands for Digital Signature Algorithm, a US Government standard proposed by the National Institute of Standards and Technology. Although there are arguments for and against using one or the other, RSA is often the preferred choice because of its verification speed and key strength. See What is better for GPG keys – RSA or DSA? for a discussion on this topic.

Steps for RSA Public-key Authentication

The following steps will set up RSA public-key authentication keys without a passphrase to enable automated logins between Linux and Windows PCs on a local network. The instructions will be similar to setting up public-key authentication on remote hosts, except that SSH port 22 (if using the default port) must be forwarded to access remote servers from behind a router. When creating keys without a passphrase, as in this guide, make sure to place the public key on trusted hosts, as it's possible to compromise the remote computer should your private key fall into the wrong hands.

From the Windows PC

Step 1 – Generate Public Keys for the Windows PC

On the Windows PC, open a CMD window, type in the following command and hit ENTER to create an RSA key of 2048 bits (the default). The -t option specifies the type of key:

ssh-keygen -t rsa

Note: If you get a "command is not recognized" error, your path is incorrect. In this case, change to the bin folder where OpenSSH is installed to run the command.

When the command is executed, you will be prompted for a location to save the keys, and then for a passphrase as shown below. Hit ENTER to accept the default locations and to set NO passphrase.

Output:

Generating public/private rsa key pair
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub

The public key will be saved as .ssh/id_rsa.pub and your private key saved as .ssh/id_rsa in your home folder. The home directory was set up for the user(s) when OpenSSH was installed and configured.

Step 2 – Transfer Public Key to Linux PC

For the public key to be usable, it must be appended to the .ssh/authorized_keys file on the Linux computer and/or on other hosts you log into. If an authorized_keys file does not exist in your Linux computer's home .ssh directory, create it. Also create a directory named "otherkeys". The public key (ending in .pub) should be copied to "/home/username/.ssh/otherkeys" on the Linux computer using a USB drive, another medium, or remotely through Windows file sharing, SCP, or with SSH if it's already working. Make sure to only copy the key and not move it.

After transferring the public key, at the Linux PC, open a terminal window or remotely connect to it, navigate to the .ssh folder in your home directory, and append the public key using the command below:

cat otherkeys/id_rsa.pub >> authorized_keys

Note: the key can also be cut and pasted into the authorized_keys file using a text editor.

OR – remotely copying and appending the key with SCP and SSH

To remotely copy the public key to the Linux PC using SCP, enter the following in a command window. Note that there is no command for appending to a file using SCP. You will be asked for your password to use SCP remotely from the Windows PC:

scp ~/.ssh/id_rsa.pub [email protected]:.ssh/otherkeys/

Log in to the Linux PC with SSH, cd to the .ssh folder and execute the following command to append the key:

cat ~/.ssh/otherkeys/id_rsa.pub >> authorized_keys

Step 3 – Edit sshd_config

Open a command window and try to authenticate automatically to the Linux PC from the Windows PC using SSH. Make sure the SSH server was started on the Linux PC. It should work. If not, continue with the rest of this step and then recheck.

To troubleshoot the SSH public-key cryptography authentication process, you can use the verbose option switch (-v) in the ssh command when logging in:

ssh -v [email protected]

If authentication didn't work, go to the Linux PC and check that the permissions of the .ssh directory are set to octal 700. If not, use the following command from the Linux PC to change it:

chmod 700 ~/.ssh
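The append from Step 2 and the permission check above can be combined into one repeatable step. The script below is an added example, not part of the original guide: install_pubkey is a hypothetical helper, the key in the demo is a constructed sample, and it assumes the key file may have passed through a Windows editor (CRLF line endings).

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]  (hypothetical helper, not part of OpenSSH)
# Appends one ssh-rsa public key to HOME_DIR/.ssh/authorized_keys exactly once
# and sets the permissions this guide checks for. Returns 1 on bad input.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys
    nl='
'
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }

    # Copying id_rsa instead of id_rsa.pub would expose the private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi

    # Strip CRs, drop blank lines, then expect exactly one line of the form
    # "ssh-rsa <base64> [comment]".
    key=$(tr -d '\r' < "$pub" | grep -v '^[[:space:]]*$' || true)
    case $key in
        *"$nl"*) echo "refusing: more than one key line" >&2; return 1 ;;
        "ssh-rsa "?*) ;;
        *) echo "refusing: not an ssh-rsa public key" >&2; return 1 ;;
    esac

    # With StrictModes on (the default), sshd will not use authorized_keys if
    # the file or ~/.ssh is writable by other users.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed demo: a fake key installed twice into a throwaway home directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3-CONSTRUCTED-SAMPLE user@winxp\r\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home" &&
    install_pubkey "$demo/id_rsa.pub" "$demo/home" &&
    echo "keys installed: $(grep -c . "$demo/home/.ssh/authorized_keys")"
rm -rf "$demo"
```

Running it a second time with the same key leaves authorized_keys unchanged, which a plain `cat ... >>` does not.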

If error messages were observed relating to the known_hosts file, find and delete the entries in the known_hosts file in the user .ssh directory of the Windows PC. The entries causing the errors will be numbered in the error message. After deleting the offending entry in the known_hosts file, test again to determine whether you can log onto the Linux PC without using a password.

After verifying you can log into the Linux PC without using a password, password authentication will still work should RSA not work for any reason, which is a security vulnerability. Password authentication can be turned off completely by changing the following entries in the /etc/ssh/sshd_config file on the Linux PC. To use RSA authentication exclusively, make the following changes to the sshd_config to force public-key authentication and disable password authentication:

PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes

After saving the file, restart the Linux PC SSH server using sudo /etc/init.d/ssh restart from a terminal on the Linux PC before logging in.
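A quick way to confirm the edited file really disables passwords, shown as an added example that is not part of the original guide (sshd_effective and audit_sshd_keyonly are hypothetical helper names, and the config fragment is constructed). It matters because sshd uses the first value it reads for each keyword, so a "no" appended below an existing "yes" has no effect.

```shell
#!/bin/sh
# sshd uses the FIRST value it reads for each keyword, and keywords are
# case-insensitive. Assumes whitespace-separated "Keyword value" lines.

# sshd_effective KEYWORD FILE DEFAULT -> prints the value sshd would use
sshd_effective() {
    awk -v want="$1" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional: stop
        tolower($1) == want { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$2"
}

# audit_sshd_keyonly FILE -> 0 only if passwords are off and public keys are on.
# The third argument is OpenSSH's default when the keyword is absent.
audit_sshd_keyonly() {
    rc=0
    [ "$(sshd_effective PasswordAuthentication "$1" yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_effective PubkeyAuthentication "$1" yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    [ "$(sshd_effective StrictModes "$1" yes)" = yes ] ||
        echo "WARN: StrictModes is 'no'; sshd will not check ~/.ssh permissions"
    return "$rc"
}

# Constructed sample: the "no" line was appended below an existing "yes" line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
PasswordAuthentication yes
passwordauthentication no
EOF
audit_sshd_keyonly "$sample" || echo "password logins are still accepted"
rm -f "$sample"
```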

____________________________________________________________________________________

From the Linux PC

The steps are essentially the same as the previous steps, with a few minor differences.

Step 1 – Generate Public Keys for the Linux Computer

From the Linux PC, open a terminal, type in the following command and hit ENTER to create an RSA key of 2048 bits (the default). The -t option specifies the type of key:

ssh-keygen -t rsa

When the command is executed, you will be prompted for a location to save the keys, and then for a passphrase as shown below. Hit ENTER to accept the default locations and to set NO passphrase.

Output:

Generating public/private rsa key pair
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub

The public key will be saved as .ssh/id_rsa.pub and your private key saved as .ssh/id_rsa in your home folder.

Step 2 – Transfer Public Key to Windows PC

For the public key to be usable, it must be appended to the .ssh/authorized_keys file on the Windows computer, other Linux PCs, and/or other hosts you log into. If the authorized_keys file does not exist in the user's Windows .ssh directory, create it. Also create a directory named "otherkeys". The public key (ending in .pub) should be copied to "\home\username\.ssh\otherkeys" on the Windows computer using a USB drive, another medium, or remotely with file sharing, SCP, or with SSH if it's already working. Make sure to only copy the key and not move it.

After transferring the public key, at the Windows PC, navigate to the .ssh folder in your home directory, and append the public key to the authorized_keys file using the command below:

copy /b authorized_keys + otherkeys\id_rsa.pub authorized_keys

Note: the key can also be cut and pasted into the authorized_keys file using a text editor.

OR – remotely copy the key using SCP and append it locally

To remotely copy the public key from the Linux PC to the Windows PC with SCP, enter the following in a terminal window. Note that there is no command for appending to a file using SCP. You will be asked for your password to use SCP remotely from the Linux PC. (Note that Windows doesn't provide a way to easily append the public key remotely to the authorized_keys file from the command line.)

scp ~/.ssh/id_rsa.pub [email protected]:.ssh/otherkeys/

This copies the public key to the otherkeys folder.

Physically log into the Windows PC and use an editor such as Notepad or some other app to append the key into the authorized_keys file.

OR – remotely copy the key using SCP to overwrite the authorized_keys file (caution: this overwrites the authorized_keys file. Use only if the authorized_keys file is empty or if it doesn't matter if previous content is lost!)

Execute the following to overwrite the authorized_keys file with your public key:

scp ~/.ssh/id_rsa.pub [email protected]:.ssh/authorized_keys

Step 3 – Edit sshd_config

In a terminal window, try to log into the Windows PC with public-key authentication using SSH. Make sure the SSH server was started on the Windows PC. It should work. If not, continue with the rest of this step and then recheck.

To troubleshoot the SSH public-key cryptography authentication process, you can use the verbose option switch (-v) in the ssh command as follows when logging in:

ssh -v [email protected]

If error messages were observed relating to the known_hosts file, find and delete those entries in the known_hosts file in the user .ssh directory on the Linux PC before continuing. The entries causing the errors will be numbered in the error message.

After deleting the offending entry in the known_hosts file, test again to determine whether you can log onto the Windows PC without using a password.

After verifying you can log into the Windows PC without using a password, password authentication will still work should RSA not work for any reason, which is also a security vulnerability. Password authentication can be turned off completely by changing the following entries in the OpenSSH\etc\sshd_config file on the Windows PC. To use RSA authentication exclusively, make the following changes to the sshd_config file to force public-key authentication and disable password authentication:

Note: If you are still unable to log in with public-key authentication at this point, do not make the following changes to the sshd_config file to force public-key authentication, since you may need to log in locally using your password with tools such as WinSCP. See the troubleshooting procedures below:

StrictModes no
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes

After saving the sshd_config file, restart the SSH server on the Windows PC by first stopping it with net stop opensshd and then starting it again with net start opensshd in a command window on the Windows PC, so that the config file takes effect before logging in.

If public-key authentication still doesn't work, the most likely cause is that the read/write/access permissions for the .ssh directory or for OpenSSH on the Windows PC are incorrect. See the troubleshooting procedures below for further information.

Troubleshooting Windows OpenSSH server issues:

File permission issues are a notorious problem for getting public-key authentication to work for OpenSSH on Windows. It's probably the most confusing and most difficult issue to resolve. After much research and troubleshooting, I got it to work following this source from osdir.com. Still, it's uncertain whether it was one, all, or a combination of the suggestions that fixed the problem. In any case, below is a summary of the suggestions and how they were followed.

The tool used to change file permissions for the instructions below was WinSCP, with 127.0.0.1 as the host name and SFTP as the protocol (see screenshot below).

[Screenshot: WinSCP session screen]

Permission changes were made using the properties window as shown in the screenshot below:

[Screenshot: WinSCP properties window]

Here are the suggestions from osdir.com and how each was followed. Each suggestion is preceded by an asterisk "*"; how it was followed comes after the dash:

*Change ownership of OpenSSH folder/subfolders to Administrators using Windows Explorer – Performed this for the folder and all subfolders using WinSCP.

*Grant Administrators full control of the OpenSSH folder – Same as above using octal 0700

*From a command prompt, type "cacls c:\program files\openssh /t /e /c /g Administrators:F" – Performed this for the c:\ssh folder, which was the OpenSSH folder on my PC.

*Edit sshd_config file and set StrictModes to "no" – Changed the StrictModes entry to "no" and saved the file

*Under the user's profile, grant Administrators (and only Administrators) full control of the .ssh folder and files – Did this for all folders and files for .ssh in the user directory (C:\Documents and Settings\user\.ssh).

*If this folder does not exist, it can be created by establishing an SSH connection to another box – Skipped. The .ssh file already existed

*On clients only, copy the private RSA key to the local .ssh folder and name it "id_rsa" – Skipped. The private keys already existed.

*Copy the client's public RSA key to the desired server(s) by adding it to an "authorized_keys" text file located under the server's .ssh folder – Skipped. Done previously.

*To use publickey authentication, use the SSH command line switch "-o PreferredAuthentications=publickey". Alternately, you can modify the ssh_config file to make this the default – Skipped.

If the above instructions worked:

Decide whether to use RSA authentication exclusively. If so, edit the sshd_config file per the instructions above.

Note: many instructions on various web sites suggest copying public keys to the user's .ssh directory on the server. If you do, make sure to place them in a separate folder such as an otherkeys folder or some other name such as username_key, since existing public keys (id_rsa.pub) will be overwritten if multiple PCs are used to access the same machine.


orozcoabelity.blogspot.com

Source: https://cects.com/openssh-rsa-authentication-for-windows-and-linux/
