# [SOLVED] Keychain woes

## slackline

Hi,

I've been using RSA keys with keychain as per the Gentoo Wiki for some time without any problem.  I've successfully set things up between...

- Home server
- Laptop
- Raspberry Pi B
- Raspberry Pi2
- Android phone
- Work computer

Never any problem.  However I got a new computer at work and have gone with Gentoo again (what else would I use?) and have followed the Gentoo Wiki on Keychain again, or at least I thought I had, but I may well have done something wrong as I can't SSH into it without being asked for my password (not my RSA key password).  I have had no problem setting up the new computer (hamilton) and sharing its public key to allow me to SSH to my old computer (morgan) or my home server (kimura), but cannot for the life of me see where I've gone wrong sharing the public keys from the old/home servers (morgan/kimura) with the new computer (hamilton).

Step 1 Copy public key from old work computer (morgan) to new (hamilton)

```
me@morgan $ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan
```

```
me@hamilton $ grep morgan ~/.ssh/authorized.keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan
```

Step 2 Check to see I'm being asked for the password for my RSA key

```
me@morgan $ ssh me@hamilton
me@morgan ~ $ ssh me@hamilton
Password: 
 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 8064
 * Known ssh key: /home/me/.ssh/id_rsa
me@hamilton ~ $ 
```

I was expecting to be asked for my id_rsa.pub key here.  Let's check whether sshd is configured to use public key authentication on hamilton (it is by default on all other systems)...

```
# grep -i key /etc/ssh/sshd_config
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
#PubkeyAuthentication yes                        <<<< Default option, shouldn't need changing
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys                        <<<< Default option, shouldn't need changing
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to no to disable s/key passwords
```

Step 3 Look in more detail at what's going on with ssh

I decided to compare the verbose output from ssh in each direction to see if I could figure out what's going on.

SSH from hamilton to morgan (both on same network at work)

```
$ ssh me@morgan -v
OpenSSH_7.1p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to morgan [143.167.138.142] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/m/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1-hpn14v5
debug1: match: OpenSSH_6.9p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to morgan:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:Ii35uqVF6yfypnBi4+koroT40/HtCjttfUIpc3sLuM4
debug1: Host 'morgan' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to morgan ([143.167.138.142]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.utf8
 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 16997
 * Known ssh key: /home/me/.ssh/id_rsa
me@morgan ~ $ 
```

Great, I can SSH without passwords using RSA keys/keychain from hamilton > morgan.

SSH from morgan to hamilton

```
me@morgan ~ $ ssh me@hamilton -v
OpenSSH_6.9p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hamilton [143.167.138.42] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1p1-hpn14v5
debug1: match: OpenSSH_7.1p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hamilton:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:YSjoUHKU5aZ/OizZ7hr+0WqGJKBr0OqiC9TDPh2+U+k
debug1: Host 'hamilton' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:51
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server                     <<<<<<<<<<<< This isn't reported when SSHing the other way
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa                      <<<<<<<<<<<< When this is offered SSHing the other way its accepted?
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug1: Trying private key: /home/me/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to hamilton ([143.167.138.42]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 8064
 * Known ssh key: /home/me/.ssh/id_rsa
me@hamilton ~ $ 
```

I've noticed that Roaming isn't enabled on the server, and a quick search led to this thread which suggested the 'Roaming not allowed by server' message was down to 'HostbasedAuthentication' on hamilton not being set to 'yes'.

I tried this (and restarted sshd, obviously) but to no avail, and it's not set on morgan.

I've started afresh three times now and keep on getting the same result, so I'm either making the same stupid mistake or there's something I'm completely misunderstanding, and I'm pretty stumped.

Any pointers, thoughts, suggestions or solutions would be very much appreciated.

Thanks in advance,

slackline

----------

## kikko

Hi slackline

I've spotted a possible typo in your config: 

*slackline wrote:*

> ```
> me@hamilton $ grep morgan ~/.ssh/authorized.keys
> ```
> ...

According to your configuration (which is the default one) that file should be "~/.ssh/authorized_keys" instead:

```
#AuthorizedKeysFile   .ssh/authorized_keys                        <<<< Default option, shouldn't need changing
```

Regards
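To make the check kikko describes repeatable on the server side (hamilton in the thread), here is an added example script; it is not from the thread, from keychain or from OpenSSH. It verifies the three things a silently refused public key usually comes down to: the exact file name `authorized_keys`, permissions that sshd's default `StrictModes yes` will accept (neither `~/.ssh` nor the file group- or world-writable), and whether the offered key (type plus base64 blob, comment ignored) is actually listed. It assumes the stock `AuthorizedKeysFile .ssh/authorized_keys` quoted above; the demo functions build a throwaway home directory with a constructed, non-functional key to reproduce the typo and a permissions slip.

```shell
#!/bin/sh
# Added example (not from the thread, keychain or OpenSSH): server-side
# sanity check for the pieces public-key login depends on. Assumes sshd's
# defaults AuthorizedKeysFile .ssh/authorized_keys and StrictModes yes.

# writable_by_others PATH: returns 0 if group or world can write to PATH.
# Parses the ls -ld mode string (e.g. drwxr-xr-x): char 6 is group write,
# char 9 is other write.
writable_by_others() {
  mode=$(ls -ld "$1" | awk '{print $1}')
  case "$mode" in
    ?????w*|????????w*) return 0 ;;
  esac
  return 1
}

# check_authorized_keys SSHDIR PUBKEY_FILE
# Returns 0 only if SSHDIR/authorized_keys exists, neither it nor SSHDIR is
# group/world-writable, and it lists the key from PUBKEY_FILE. Prints why not.
check_authorized_keys() {
  sshdir=$1
  pub=$2
  ak="$sshdir/authorized_keys"

  # 1. The exact name matters: sshd reads authorized_keys, not authorized.keys
  if [ ! -f "$ak" ]; then
    echo "FAIL: $ak does not exist" >&2
    for f in "$sshdir"/authorized*; do
      [ -e "$f" ] && echo "  hint: found $f, which sshd will never read" >&2
    done
    return 1
  fi

  # 2. Under StrictModes a group/world-writable ~/.ssh or authorized_keys is
  #    ignored; the client only sees "Authentications that can continue"
  for p in "$sshdir" "$ak"; do
    if writable_by_others "$p"; then
      echo "FAIL: $p is group/world-writable; sshd ignores it under StrictModes" >&2
      return 1
    fi
  done

  # 3. Compare key type and base64 blob only; the trailing comment is free text
  ktype=$(awk '{print $1}' "$pub")
  kblob=$(awk '{print $2}' "$pub")
  if awk -v t="$ktype" -v b="$kblob" '$1==t && $2==b {ok=1} END {exit !ok}' "$ak"; then
    echo "OK: key from $pub is listed in $ak" >&2
    return 0
  fi
  echo "FAIL: key from $pub is not listed in $ak" >&2
  return 1
}

# make_fixture: builds a throwaway home dir holding a constructed (not real)
# public key and prints its path. The caller removes it.
make_fixture() {
  tmp=$(mktemp -d) || return 1
  mkdir -m 700 "$tmp/.ssh"
  # Constructed key: the shape sshd expects, meaningless blob
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedexampleblob== me@morgan\n' > "$tmp/id_rsa.pub"
  echo "$tmp"
}

# demo_typo_vs_fixed: reproduces the thread. Installs the key under the
# mistyped name authorized.keys (expect FAIL), renames it (expect OK).
# Returns 0 only if both outcomes are as expected.
demo_typo_vs_fixed() {
  home=$(make_fixture) || return 1
  cp "$home/id_rsa.pub" "$home/.ssh/authorized.keys"
  chmod 600 "$home/.ssh/authorized.keys"
  if check_authorized_keys "$home/.ssh" "$home/id_rsa.pub"; then typo=0; else typo=1; fi
  mv "$home/.ssh/authorized.keys" "$home/.ssh/authorized_keys"
  if check_authorized_keys "$home/.ssh" "$home/id_rsa.pub"; then fixed=0; else fixed=1; fi
  rm -rf "$home"
  echo "typo=$typo fixed=$fixed"
  [ "$typo" -eq 1 ] && [ "$fixed" -eq 0 ]
}

# demo_loose_perms: correct file name but world-writable file (expect FAIL).
# Returns 0 only if the check rejects it.
demo_loose_perms() {
  home=$(make_fixture) || return 1
  cp "$home/id_rsa.pub" "$home/.ssh/authorized_keys"
  chmod 666 "$home/.ssh/authorized_keys"
  if check_authorized_keys "$home/.ssh" "$home/id_rsa.pub"; then rc=0; else rc=1; fi
  rm -rf "$home"
  [ "$rc" -eq 1 ]
}

demo_typo_vs_fixed
demo_loose_perms
```

On a real box you would call `check_authorized_keys ~/.ssh /path/to/client/id_rsa.pub` on the server; the permissions step is there because a loose `chmod` produces exactly the same client-side symptom as the typo (the key is offered, never accepted, and ssh falls through to keyboard-interactive), and sshd only reports the reason in its own log, not to the client.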

----------

## slackline

*kikko wrote:*

> Hi slackline
>
> I've spotted a possible typo in your config:
>
> *slackline wrote:*
> ...

Thank you so very much. How I made that typo I've no idea; probably habit from working with files with periods between sections of file names.

----------

