# [SOLVED] SSH passwordless user authentication fails.

## C5ace

After not using ssh passwordless authentication for 3 weeks and an unknown number of updates, ssh passwordless authentication for User stopped working with my 4 systems on my home LAN. ssh root@box2.home.lan works O.K. from root@box1.home.lan with /etc/ssh/sshd_config PermitRootLogin yes.

I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.

Logged in as User on box1 and followed: https://wiki.gentoo.org/wiki/SSH#Passwordless_authentication (Passwordless authentication)

No success with ssh user@box2.home.lan. ssh root@box2.home.lan works OK.

Then rm /home/user/.ssh* and rm /root/.ssh/*.

Single machine testing with user@box1.home.lan:

```
user@box1 ~/Desktop $ cd ..
user@box1 ~ $ cd .ssh
user@box1 ~/.ssh $ ls -l
total 0
# user@box1 ~/.ssh is empty
user@box1 ~/.ssh $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I user@box1
The key's randomart image is:
+---[RSA 2048]----+
|= .... .         |
|.= .. . .        |
|..o .  .         |
|.o o . ....      |
| .. ooooSo       |
|.  .++*....      |
| . EXO.+ .       |
|  .O.*B..        |
|  +oB*o          |
+----[SHA256]-----+
user@box1 ~/.ssh $ 
# Generated RSA Key
user@box1 ~/.ssh $ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
# Copied id_rsa.pub to authorized_keys
user@box1 ~/.ssh $ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password: # NOTE: Entered user password to continue. 
          # Should not have requested a password!
# Now the 'user' is logged in via SSH into localhost
user@box1 ~ $ exit
logout
Connection to localhost closed.
# user logged out from SSH localhost
user@box1 ~/.ssh $ 
# SSH into localhost with -vvv debug flags
user@box1 ~/.ssh $ ssh -vvv localhost
OpenSSH_7.9p1, OpenSSL 1.0.2r  26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'user'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I
debug1: Will attempt key: /home/user/.ssh/id_dsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user/.ssh/id_ed25519 
debug1: Will attempt key: /home/user/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
#### NOTE: root: debug3: receive packet: type 60
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: # NOTE: There should be no request for a password. 
          # Entered user password to continue.
debug3: send packet: type 61
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: send packet: type 61
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_MENU_PREFIX
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env QT_GRAPHICSSYSTEM
debug3: Ignored env LESS
debug3: Ignored env DISPLAY
debug3: Ignored env OPENGL_PROFILE
debug3: Ignored env OLDPWD
debug3: Ignored env CONFIG_PROTECT_MASK
debug3: Ignored env EDITOR
debug1: Sending env COLORTERM = truecolor
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env GCC_SPECS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env GLADE_CATALOG_PATH
debug3: Ignored env VBOX_APP_HOME
debug3: Ignored env USER
debug3: Ignored env GLADE_MODULE_PATH
debug3: Ignored env PAGER
debug3: Ignored env DESKTOP_SESSION
debug1: Sending env LC_COLLATE = C
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env PWD
debug3: Ignored env MANPAGER
debug3: Ignored env HOME
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GSETTINGS_BACKEND
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env GLADE_PIXMAP_PATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env MAIL
debug3: Ignored env CONFIG_PROTECT
debug3: Ignored env TERM
debug3: Ignored env VTE_VERSION
debug3: Ignored env SHELL
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env MOZ_GMP_PATH
debug3: Ignored env SHLVL
debug3: Ignored env MANPATH
debug3: Ignored env WINDOWID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XSESSION
debug3: Ignored env XAUTHORITY
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env INFOPATH
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env LESSOPEN
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
user@box1 ~ $
user@box1 ~ $
user@box1 ~ $ exit
logout
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)
debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to localhost closed.
Transferred: sent 3000, received 2816 bytes, in 12.6 seconds
Bytes per second: sent 237.3, received 222.7
debug1: Exit status 0
user@box1 ~/.ssh $ 
# Logout completed
```

Single machine testing with root@box1.home.lan:

```
box1 ~ # 
box1 ~ # cd /root/.ssh
box1 ~/.ssh # ls -l
total 0
# root@box1 ~/.ssh is empty
box1 ~/.ssh # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A root@box1
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|.         .      |
|..   . + . .o    |
|o .   + S o=...  |
|.o . . * =o+++   |
|E   + O +.=o=.   |
|o    B.O.+o=..   |
| .  . .o= +...   |
+----[SHA256]-----+
box1 ~/.ssh # 
# Generated RSA Key
box1 ~/.ssh # cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
# Copied id_rsa.pub to authorized_keys
box1 ~/.ssh # ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
# NOTE: No password requested
# Now root logged in via SSH into localhost
box1 ~ # exit
logout
Connection to localhost closed.
# root logged out from SSH localhost
box1 ~/.ssh # 
# SSH into localhost with -vvv debug flags
box1 ~/.ssh # ssh -vvv localhost
OpenSSH_7.9p1, OpenSSL 1.0.2r  26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: sign_and_send_pubkey: RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_MENU_PREFIX
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env QT_GRAPHICSSYSTEM
debug3: Ignored env LESS
debug3: Ignored env DISPLAY
debug3: Ignored env OPENGL_PROFILE
debug3: Ignored env OLDPWD
debug3: Ignored env CONFIG_PROTECT_MASK
debug3: Ignored env EDITOR
debug1: Sending env COLORTERM = truecolor
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env GCC_SPECS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env GLADE_CATALOG_PATH
debug3: Ignored env VBOX_APP_HOME
debug3: Ignored env USER
debug3: Ignored env GLADE_MODULE_PATH
debug3: Ignored env PAGER
debug3: Ignored env DESKTOP_SESSION
debug1: Sending env LC_COLLATE = C
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env PWD
debug3: Ignored env HOME
debug3: Ignored env MANPAGER
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GSETTINGS_BACKEND
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env GLADE_PIXMAP_PATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env MAIL
debug3: Ignored env CONFIG_PROTECT
debug3: Ignored env SHELL
debug3: Ignored env VTE_VERSION
debug3: Ignored env TERM
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env MOZ_GMP_PATH
debug3: Ignored env SHLVL
debug3: Ignored env MANPATH
debug3: Ignored env WINDOWID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XSESSION
debug3: Ignored env XAUTHORITY
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env INFOPATH
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env LESSOPEN
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
box1 ~ # 
box1 ~ # 
box1 ~ # exit
logout
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)
debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to localhost closed.
Transferred: sent 3312, received 3252 bytes, in 23.8 seconds
Bytes per second: sent 139.2, received 136.6
debug1: Exit status 0
box1 ~/.ssh #
```

Any way to fix this?

----------

## DawgG

You're making it complicated... deleting and reinstalling everything was probably not necessary.

1. Pass the ssh command the username of the target system if this is not the same as the local user; e.g.

```
ssh -l root target-system
```

   Of course, that user must exist and have a shell on the target system.

2. If you use different keys for different users, make sure all the needed ssh-keys.pub (in authorized_keys) are in the right path(s). If you use more than one key.pub, `cp key.pub authorized_keys` will not work (use `cat keys.pub >> authorized_keys`).

3. Different openssh-server versions might not accept all key formats (ecdsa etc.), so you might have to use different ones. But this is probably no problem in a gentoo-only environment.

GOOD LUCK!

----------

## Syl20

I think the authorized_keys file permissions are wrong, so sshd considers it unsafe and ignores it.

To be sure all is right, delete authorized_keys and use the ssh-copy-id command.

----------

## szatox

Well, the problem seems to be server-side.

Try "tail -f <log> | grep sshd" on /var/log/syslog or /var/log/everything/current or wherever your logger dumps that stuff and connect with ssh again. Sshd is pretty straight about its problems, there's a good chance it will simply tell you what's wrong.

----------

## Ant P.

 *Quote:*   

> ```
> debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user 
> ```
> ...

----------

## Hu

 *C5ace wrote:*   

> with /etc/ssh/sshd_config PermitRootLogin yes.

 Did you intend to allow password-based root login?  This is generally discouraged.  Set PermitRootLogin prohibit-password to allow root to log in via key, but prohibit attempts to log in via password.

 *C5ace wrote:*   

> I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.

 This was almost certainly the wrong thing to do.  Change your host keys only if they have been breached (or you suspect they were breached).  Changing them without prior announcement will lead your clients to believe a MitM is under way.

 *C5ace wrote:*   

> Password: # NOTE: Entered user password to continue. 
> 
>                  # Should not have requested a password!

 If you set PasswordAuthentication no in your sshd_config, you will not receive a password prompt here.

----------

## C5ace

 *Ant P. wrote:*   

>  *Quote:*   
> 
> ```
> debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user 
> ```
> ...

 

[SOLVED]

As "Ant P." pointed out, this was a permission problem, probably caused by a change or a bug in ssh and/or related software.

After using ssh with password:

```
user1@box1 / $ ls -la /home/user1/.ssh
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxrwxrwx 60 user1 user1 4096 Apr 13 12:49 ..
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts
```

After deleting /home/user1/.ssh and running 'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan':

```
user@box1 / $ ls -la /home/user1/.ssh
total 20
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxrwxrwx 60 user1 user1 4096 Apr 13 12:49 ..
-rw-------  1 user1 user1 1823 Apr 13 10:54 id_rsa
-rw-r--r--  1 user1 user1  396 Apr 13 10:54 id_rsa.pub
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts
```

Requires password to log in to user1@box2.home.lan

Changed /home/user1/.ssh/'..' permissions from 777 to 755 on both box1 and box2. Now passwordless ssh works again.

```
user1@proxy-64 / $ ls -la /home/user1/.ssh
total 20
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxr-xr-x 60 user1 user1 4096 Apr 13 12:49 ..
-rw-------  1 user1 user1 1823 Apr 13 10:54 id_rsa
-rw-r--r--  1 user1 user1  396 Apr 13 10:54 id_rsa.pub
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts
user1@proxy-64 / $
```

Thanks "Ant P." for pointing me in the right direction.
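Added example (not from the thread): a small script that mirrors the ownership and mode checks sshd applies under StrictModes (the default) before it honours ~/.ssh/authorized_keys, and reproduces the failure above with a constructed 777 home directory. The function names are assumed; it needs only POSIX sh plus find, mktemp and mkdir -m.

```shell
#!/bin/sh
# sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself
# is not owned by the user or is writable by group/others. This check flags the
# first path that would make sshd say "bad ownership or modes".

# writable_by_others PATH -> 0 if PATH has the group or other write bit set
writable_by_others() {
    # -prune stops find from descending; -print fires only when a write bit is set
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# check_ssh_layout HOMEDIR -> 0 if sshd would accept authorized_keys beneath it;
# otherwise prints the offending path and returns 1
check_ssh_layout() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        # -O: owned by the effective user (sshd also accepts root ownership)
        if [ ! -O "$p" ]; then
            echo "bad owner: $p"; return 1
        fi
        if writable_by_others "$p"; then
            echo "bad mode (group/world writable): $p"; return 1
        fi
    done
    return 0
}

# build_home MODE -> prints the path of a constructed throw-away home directory
# with the given top-level mode, a 700 .ssh and a 600 authorized_keys inside it
build_home() {
    d=$(mktemp -d) && mkdir -m 700 "$d/.ssh" &&
        : > "$d/.ssh/authorized_keys" && chmod 600 "$d/.ssh/authorized_keys" &&
        chmod "$1" "$d" && printf '%s\n' "$d"
}

# The failing layout from the post (home 777) next to the fixed one (home 755).
bad=$(build_home 777); good=$(build_home 755)
check_ssh_layout "$bad" || echo "sshd would ignore authorized_keys under $bad"
check_ssh_layout "$good" && echo "ok: $good"
rm -rf "$bad" "$good"
```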

----------

## C5ace

 *Hu wrote:*   

>  *C5ace wrote:*   with /etc/ssh/sshd_config PermitRootLogin yes.
> 
> Did you intend to allow password-based root login?  This is generally discouraged.  Set PermitRootLogin prohibit-password to allow root to log in via key, but prohibit attempts to log in via password.
> 
>  *C5ace wrote:*   I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.
> 
> This was almost certainly the wrong thing to do.  Change your host keys only if they have been breached (or you suspect they were breached).  Changing them without prior announcement will lead your clients to believe a MitM is under way.
> 
>  *C5ace wrote:*   Password: # NOTE: Entered user password to continue. 
> 
>                  # Should not have request a password!
> 
> If you set PasswordAuthentication no in your sshd_config, you will not receive a password prompt here.

 

Thanks for your concern.

Password-based root login is for maintenance. This was never a problem on my 4-system home lan used by my wife, myself and occasionally my neighbour's 5 year old kid.

----------

## Tony0945

 *Quote:*   

>  'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan:

 

You ran these as user1 on box1, right? And this allows you to log on as user1 on box2 with ssh without a password, correct?

Repeat for root?

Last year I tried to set this up using the wiki but got thoroughly confused as to which box was server and which was client because the connection seems peer to peer to me.

----------

## C5ace

 *Tony0945 wrote:*   

>  *Quote:*    'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan: 
> 
> You ran these as user1 on box1, right? And this allows you to logon as user1 on box2 with ssh without password, correct?
> 
> Repeat for root?
> ...

 

I consider the box in front of me (unit1) the client and the remote box (unit2) the server.

Take care of the permissions of ~/.ssh when you configure passwordless ssh authentication between normal users. User 'root' to 'root' is not critical and works as per Wiki.

Good luck.

----------

## Syl20

 *C5ace wrote:*   

> Password-based root login is for maintenance. This was never a problem on my 4 systems home lan used by my wife, myself and occasionally my neighbour's 5 year old kid.

 

This was not, indeed. Until it is. Sometimes, OpenSSH vulnerabilities are discovered.

The best is to completely forbid direct root logins. You can add user1 to the wheel group, to be able to log in as user1 and then become root through su or sudo. As the user1 key is allowed, you don't even have to type one more password.

----------

## Tony0945

That won't work well if you use scp in a script. It's also annoying if you use scp in a terminal, unless you use easy passwords like "mycat". If you use hard passwords like "A1F83539184D3F2F8CFCC3AFF7", it's a royal pain. If you set passwords off and require keys, then if the keys get corrupted, you have to physically go to the box and restore it or turn passwords back on.

Years ago I read about keys as a convenience to not having to remember passwords (or write them down). That they were a hard alternative to passwords was never mentioned.

----------

## Syl20

If "the best" isn't feasible, there are other methods to limit the opening to the strict minimum:

```
PermitRootLogin no

Match Address 192.168.X.X
  PermitRootLogin prohibit-password
```

or 

```
PermitRootLogin no

Match Address 192.168.X.X
  PermitRootLogin forced-commands-only
```

with a script containing the appropriate list of allowed commands (let's say /usr/local/sbin/ssh_commands.sh):

```
#!/bin/sh
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND.
# Only scp requests are executed; anything else fails.
case "$SSH_ORIGINAL_COMMAND" in
  "scp "*)  $SSH_ORIGINAL_COMMAND ;;   # unquoted on purpose: split into words and run
  *)        false ;;                   # any other command: refuse
esac
```

and, into authorized_keys:

```
from="192.168.X.X",command="/usr/local/sbin/ssh_commands.sh" ssh-ed25519 AAAA...
```
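Added example, not the poster's script: a stricter variant of the forced-command wrapper above. It lets through only "scp -t <path>" (upload) or "scp -f <path>" (download) whose path stays under ALLOWED_DIR, and refuses any request containing characters outside a small allowlist; ALLOWED_DIR, ssh_filter and the /srv/backup default are assumptions.

```shell
#!/bin/sh
# Forced-command filter for a key restricted with command="..." in authorized_keys.
ALLOWED_DIR=${ALLOWED_DIR:-/srv/backup}   # constructed default for the example

# ssh_filter CMD -> prints "allow" or "deny" and returns 0 or 1 accordingly
ssh_filter() {
    cmd=$1
    # Reject anything outside letters, digits, space, dot, underscore, slash, dash.
    # Newlines are turned into ';' first so a multi-line request is rejected too.
    if printf '%s' "$cmd" | tr '\n' ';' | grep -q '[^A-Za-z0-9 ._/-]'; then
        echo deny; return 1
    fi
    case "$cmd" in
        "scp -t "*|"scp -f "*) ;;          # the two server-side scp modes
        *) echo deny; return 1 ;;          # no shell, no ls, no other scp flags
    esac
    path=${cmd#scp -? }                    # strip "scp -t " or "scp -f "
    case "$path" in
        "$ALLOWED_DIR"/*) ;;               # must stay under the allowed tree
        *) echo deny; return 1 ;;
    esac
    case "/$path/" in
        */../*) echo deny; return 1 ;;     # block parent-directory traversal
    esac
    echo allow
    return 0
}

# When run by sshd as the forced command, execute the request only if the
# filter accepts it. SSH_ORIGINAL_COMMAND is set by sshd, so this part is
# skipped when the script is sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if ssh_filter "$SSH_ORIGINAL_COMMAND" >/dev/null; then
        exec $SSH_ORIGINAL_COMMAND         # unquoted on purpose: split into argv
    fi
    echo "request refused" >&2
    exit 1
fi
```

Since OpenSSH 9.0 the scp client speaks SFTP by default, so the classic "scp -t" request only arrives when the client runs scp -O; for SFTP, restrict the account with the internal-sftp subsystem and ChrootDirectory in sshd_config instead.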

----------

