# SSH key problem

## Kurogane

Hi,

i've a problem with SSH key for some reason refuse to use they key. The wierd think i can get working via root not as user.

Here some logs.

SSH client

```
 # ssh -vvv -i id_ed25519 user@192.168.3.4

OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2k  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "192.168.3.4" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 192.168.3.4 [192.168.3.4] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: key_load_public: No such file or directory

debug1: identity file id_ed25519 type -1

debug1: key_load_public: No such file or directory

debug1: identity file id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.3p1-hpn14v11

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1-hpn14v12

debug1: match: OpenSSH_7.5p1-hpn14v12 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 192.168.3.4:22 as 'user'

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.3.4

debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug1: AUTH STATE IS 0

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ssh-ed25519

debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ssh-ed25519 SHA256:F4/5IPeyvrbGtSm7/ZWfTHPH7v9zirkjv/sRNRYi/sc

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.3.4

debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"

debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.3.4

debug1: Host '192.168.3.4' is known and matches the ED25519 host key.

debug1: Found key in /root/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: id_ed25519 ((nil)), explicit

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,keyboard-interactive

debug3: start over, passed a different list publickey,keyboard-interactive

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Trying private key: id_ed25519

debug3: sign_and_send_pubkey: ED25519 SHA256:VPNIf/5mN/b11UIBPERy6VhkYe6oMcWrVty+SnP+mqk

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,keyboard-interactive

debug2: we did not send a packet, disable method

debug3: authmethod_lookup keyboard-interactive

debug3: remaining preferred: password

debug3: authmethod_is_enabled keyboard-interactive

debug1: Next authentication method: keyboard-interactive

debug2: userauth_kbdint

debug3: send packet: type 50

debug2: we sent a keyboard-interactive packet, wait for reply

debug3: receive packet: type 60

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

Password:
```

remote SSH server

```
drwx------ 1 user user 4096 Jun 23 21:50 .ssh

-rw------- 1 user user  399 Jun 23 21:50 id_ed25519

-rw-r--r-- 1 user user   90 Jun 23 21:50 id_ed25519.pub
```

----------

## NeddySeagoon

Kurogane,

At the remote end /home/<user>/.ssh/authorized_keys needs to contain the ssh public keys that <user> is permitted to connect with.

Thats often as simple as using scp to copy a .pub file from the local system to the remote system and renaming in on the way.

ssh is also picky about access to the content of  /home/<user>/.ssh.  Files need to be owned by the user and have mode 600. e.g.

```
-rw------- 1 roy roy     270 Jan 16  2012 id_ecdsa.pub
```

----------

## Kurogane

You're damn right. How i forgot the authorized_keys. 

How you notice this?

----------

## NeddySeagoon

Kurogane,

I guessed that 

```
id_ecdsa.pub
```

was supposed to be authorized_keys.

Your log also shows that no challenge was issued, which is a pointer to authorized_keys being empty.

The key(s) in authorized_keys are used to encrypt the challenge. You can only decrypt it if you have one of the corresponding private keys.

----------

