ssh-keygen on yubikey gives FIDO_ERR_PIN_AUTH_BLOCKED

ssh-keygen -vvvv -t ecdsa-sk -O resident
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
debug3: start_helper: started pid=16581
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: ssh_sk_enroll: using device /dev/hidraw2
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_AUTH_BLOCKED
debug1: sshsk_enroll: provider "internal" returned failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=16581
Key enrollment failed: invalid format
Nobody on Google has had this error, or at least there are no solutions for it.
What is happening? My YubiKey is plugged in and I tried touching it and entering the PIN.

I had a similar issue, but with the debug error FIDO_ERR_PIN_NOT_SET, and that was due to the fact that my FIDO2 PIN wasn't set in the YubiKey Manager (Applications -> FIDO2)...
So I would assume that your error is due to a locked PIN somehow. I would try to change the FIDO2 PIN and/or reset it completely if I were you.
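An added check, not part of the answer above, for telling the PIN states apart before resetting anything. CTAP2 defines three distinct errors: FIDO_ERR_PIN_NOT_SET (no PIN configured), FIDO_ERR_PIN_AUTH_BLOCKED (too many consecutive wrong PIN attempts since the token was plugged in; it clears on a power cycle, i.e. unplug and replug) and FIDO_ERR_PIN_BLOCKED (retry counter exhausted; only a reset clears it, and a reset wipes every FIDO credential on the token). The script below reads the output of libfido2's fido2-token -I; the "options:" and "pin retries:" line formats, the device path and the sample output are assumptions for the example, not taken from the post.

```shell
#!/bin/sh
# Classify a FIDO2 token's PIN state from `fido2-token -I <device>` output.
# Added example, not from the original post.  Assumes libfido2's fido2-token
# and the "options:" / "pin retries:" line formats of the constructed sample.

# fido_pin_state: reads `fido2-token -I` output on stdin and prints one of
#   no-pin    clientPin is off -> set one:          fido2-token -S <device>
#   blocked   retry counter is 0 -> reset only:     fido2-token -R <device>
#             (a reset deletes every FIDO credential on the token)
#   ok N      N retries left.  If enrollment still fails with
#             FIDO_ERR_PIN_AUTH_BLOCKED, unplug and replug the token, then
#             retry; `fido2-token -C <device>` changes the PIN if wanted.
#   unknown   no "pin retries:" line found in the input
fido_pin_state() {
    awk '
        /^options:/     { if ($0 ~ /noclientPin/) nopin = 1 }
        /^pin retries:/ { retries = $3 }
        END {
            if (nopin)                 print "no-pin"
            else if (retries == "")    print "unknown"
            else if (retries + 0 == 0) print "blocked"
            else                       print "ok " retries
        }'
}

# Constructed sample of the two relevant lines (a real run prints many more,
# e.g. aaguid, version strings, algorithms).
SAMPLE_INFO='options: rk, up, noplat, clientPin, credentialMgmtPreview
pin retries: 8'

printf '%s\n' "$SAMPLE_INFO" | fido_pin_state        # prints: ok 8

# Against a real token (device path from `fido2-token -L`; path assumed here):
#   fido2-token -I /dev/hidraw2 | fido_pin_state
```

Run it before reaching for a reset: "ok N" with a small N means the counter is being spent by something on the host retrying a wrong PIN, and the reset the second answer above suggests is the one step that cannot be undone.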

I had a similar issue; the error was Key enrollment failed: invalid format. I fixed it (on Manjaro) by installing a newer version of libfido2 (version 1.12.0-5) and upgrading the system, and then this worked:
ssh-keygen -O no-touch-required -t ecdsa-sk -vvv
It printed some info about codes, which was different from the previous ones, and I am able to use this key.

Related

Windows ssh: Permission denied (publickey)

I am trying to ssh to the remote client using a public key but I keep getting the permission denied (publickey) error and can't solve it. I have tried all the other solutions online, but it still won't work. I have replaced some information with * and ip_add. How do I resolve this issue?
PS C:\WINDOWS\system32> ssh -v -i C:/Users/*/.ssh/id_rsa administrator@ip_add
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug1: Connecting to ip_add [ip_add] port 22.
debug1: Connection established.
debug1: identity file C:/Users/*/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:/Users/*/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ip_add:22 as 'administrator'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qjxnj9GZZ6kvey+qvHsEoJYnLTz4N82DtnmFMjRlrq8
debug1: Host '192.168.1.135' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\*/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:+ymSxB9gd+AJe9wYj0WgW70Qk+x4fWxEQhk1JCQyKWE C:/Users/*/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
administrator@ip_add: Permission denied (publickey).
A file or directory with a name that starts with '.' in Unix/Linux is hidden, but in Windows it is not. .ssh is a regular file or directory name. It may be hidden, but then you have to set the hidden attribute, for instance with the command attrib +h .ssh
Also, there is no need to specify -i identityfilename as it defaults to C:\users\<user>\.ssh\known_hosts
The log you show also confirms the host "ip_add" is found in that file. I would say the keys don't match. The easiest way to solve it is to remove the line with the host name or IP address "ip_add" (with Notepad or any text editor) and just repeat ssh -v administrator@ip_add.
Provided the host with that name or address exists, this will prompt you with
The authenticity of host 'ip_add (192.168.1.135)' can't be established.
ECDSA key fingerprint is SHA256:JxuqbzMam5Mgpa52B+xUsSd/3F6kb+yghZKnDX6ipQU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
and when you respond with yes the host will be added to the known_hosts file again, this time with a correct fingerprint. And the connection should be established.
This is a late answer, but I had the same issue.
Windows can't see hidden things.
First thing (but it has nothing to do with the problem): avoid PowerShell (it is too powerful); use a simple CMD or, best, use Git Bash (https://gitforwindows.org/).
Second, your syntax is almost OK, but you placed the keys in a hidden folder
C:\Users\yourname\.ssh\id_rsa and you should place them in a folder that is not hidden, like this: C:\Users\yourname\ssh\id_rsa, and then you can access it like this:
C:\WINDOWS\system32> cd C:\Users\yourname\
C:\Users\yourname/> ssh <user>@<ssh_server> -p 22 -i ~/ssh/id_rsa
How do you know?
debug1: No more authentication methods to try.
means definitively that you do not have the same keys on your host and on the remote, or there is a key here and no key there (or combinations of this): it has checked them all and says that "there are NO MORE keys to try".
You must place the same keys in both places in a way the system can read them. Pay attention to these 2 lines:
debug1: identity file C:/Users/*/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
It was not able to read the key in the local hidden folder. So... by moving it to a folder that is not hidden it will work.
I recently encountered a similar problem on Windows 10 and found the root cause (sort of) and the solution.
My tool chain involved was:
Visual Studio 2019 with git using ssh protocol and a key pair
Sourcetree also using git
A private bitbucket server.
My scenario was this: I installed Visual Studio 2019 with git using ssh protocol with my key pairs and was using it successfully, and then I installed Sourcetree (to get hunk commits instead of whole file commits) and Sourcetree worked but Visual Studio no longer could use git sync/commits.
The key to solving the problem was adding this environment variable: GIT_SSH_COMMAND=ssh -vvv
After restarting Visual Studio I could then get verbose information about the ssh failure using git.
The important debug output was this:
debug1: send_pubkey_test: no mutual signature algorithm
This is when I realized that something was incompatible between my key pair and the Bitbucket server's SSH algorithms. I did not diagnose the exact problem (which I believe is due to obsolete RSA keys), but instead I simply created a new key pair using:
ssh-keygen -t ed25519
then uploaded it to the Bitbucket server and "Bob's your uncle".
12 hours to find, 2 minutes to fix.
I got this same error and searched around for quite a while, changed the permission on my private key, created a new non-admin user to connect with, tried a few other things. Followed these links (among others):
https://geekrewind.com/how-to-set-up-ssh-key-login-with-windows-11/
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
For me, the issue was I had created my keypair using puttygen and OpenSSH on Windows didn't like the format of my PUBLIC key (I had already exported the private key to .pem format).
In my authorized_keys file, the original format was:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "xxxx"
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
---- END SSH2 PUBLIC KEY ----
changed it to:
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
all on one line, no line breaks, no comment, and everything worked fine.
I know this is an old thread, but hopefully this helps someone.
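The same conversion done explicitly, as an added example that is not part of the answer above. An RFC 4716 public key like the one shown is just the OpenSSH key blob, base64-encoded and wrapped, between a header and footer line, with optional "Tag: value" lines (a tag value may continue on the next line after a trailing backslash); the one-line authorized_keys form is "<type> <base64> [comment]", where <type> is the first length-prefixed string inside the blob. ssh-keygen -i -m RFC4716 -f key.pub performs this conversion, so use that where it is available. The key material below is a constructed, syntactically valid but meaningless ssh-rsa blob, not a real key. One more check for this specific question: on Windows OpenSSH server a user in the Administrators group is authenticated against C:\ProgramData\ssh\administrators_authorized_keys rather than the per-user .ssh\authorized_keys, unless the "Match Group administrators" block has been removed from sshd_config.

```shell
#!/bin/sh
# Convert an RFC 4716 public key ("---- BEGIN SSH2 PUBLIC KEY ----", as saved
# by PuTTYgen) into OpenSSH's one-line authorized_keys form.
# Added example, not from the original post.  `ssh-keygen -i -m RFC4716 -f FILE`
# does the same job; this shows what the conversion actually is.

# rfc4716_body FILE -> the base64 payload with header, footer and tag lines
# and all line breaks removed.  base64 never contains ':', so a ':' marks a
# tag line; a tag line ending in '\' continues on the next line.
rfc4716_body() {
    awk '
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----$/ { next }
        cont { cont = ($0 ~ /\\$/); next }
        /:/  { cont = ($0 ~ /\\$/); next }
        { printf "%s", $0 }
    ' "$1"
}

# blob_key_type FILE -> the key type string: the decoded blob starts with a
# 4-byte big-endian length followed by that many bytes ("ssh-rsa", ...).
blob_key_type() {
    hex=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    len=$((0x$hex))
    dd if="$1" bs=1 skip=4 count="$len" 2>/dev/null
}

# rfc4716_to_openssh FILE [COMMENT] -> "<type> <base64> [COMMENT]"
rfc4716_to_openssh() {
    b64=$(rfc4716_body "$1")
    blob=$(mktemp)
    if ! printf '%s' "$b64" | base64 -d > "$blob" 2>/dev/null; then
        rm -f "$blob"; return 1
    fi
    type=$(blob_key_type "$blob")
    rm -f "$blob"
    [ -n "$type" ] || return 1
    printf '%s %s%s\n' "$type" "$b64" "${2:+ $2}"
}

# make_sample_rfc4716 OUT: writes a constructed sample file.  The blob is a
# syntactically valid ssh-rsa key (string "ssh-rsa", mpint e = 65537, mpint n
# of 48 0xAA bytes) but NOT a usable key.
make_sample_rfc4716() {
    blob=$(mktemp)
    printf '\000\000\000\007ssh-rsa'      >  "$blob"
    printf '\000\000\000\003\001\000\001' >> "$blob"
    printf '\000\000\000\061\000'         >> "$blob"   # n: 49 bytes, leading 0 keeps it positive
    i=0; while [ "$i" -lt 48 ]; do printf '\252'; i=$((i+1)); done >> "$blob"
    {
        echo '---- BEGIN SSH2 PUBLIC KEY ----'
        echo 'Comment: "rsa-key-20240101, constructed \'
        echo '  sample"'
        base64 < "$blob" | tr -d '\n' | fold -w 70
        echo
        echo '---- END SSH2 PUBLIC KEY ----'
    } > "$1"
    rm -f "$blob"
}

f=$(mktemp)
make_sample_rfc4716 "$f"
rfc4716_to_openssh "$f" "administrator@example"   # prints: ssh-rsa AAAAB3NzaC1yc2E... administrator@example
rm -f "$f"
```

The decoded blob is what sshd compares against the key the client offers, so the type prefix must match the blob's own first field; a line that says ssh-rsa in front of an ed25519 blob is silently ignored, which is the same "Permission denied (publickey)" with no further hint.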

Cannot Generate U2F Public/Private Keypair for ssh : FIDO_ERR_RX

I'm currently experiencing issues generating a U2F public/private key-pair in the terminal with the following command:
ssh-keygen -t ecdsa-sk -vv
Running this command provides the following error:
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/local/Cellar/openssh/8.3p1/libexec/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/XHC1@14/XHC1@14000000/HS07@14200000/Yubikey 4 OTP+U2F+CCID@14200000/IOUSBHostInterface@1/AppleUserUSBHostHIDDevice
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_RX
debug1: sshsk_enroll: provider "internal" returned failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: ssh-sk-helper: reply len 8
debug1: client_converse: helper returned error -4
Key enrollment failed: invalid format
I'm running MacOS with the latest version of OpenSSH updated to:
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
My current version of libfido2 is: 1.4.0 installed via Homebrew.
My Yubikey model is: Yubikey C Nano FIPS
My Yubikey firmware is: 4.4.5
Does anyone know what the origins of this error are? Does the Yubikey FIPS series not support this command?
It appears that the issue causing this problem was an admin password placed on U2F functionality before I ever received the Yubikey from my work. You can't generate a U2F ecdsa-sk public/private keypair with an admin password in place.

sshing using gcloud leads to agent refusal

I am trying to ssh into a Google Compute Engine instance using gcloud, and this used to work fine. But for some reason I have been hitting a wall for a while now. It works fine from the console. The instance is a bog-standard default instance.
I keep getting
gcloud compute ssh test
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
and more verbosely
gcloud compute ssh test -vvv
...
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mike/.ssh/google_compute_engine
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fpSHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
debug3: sign_and_send_pubkey: RSA SHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
sign_and_send_pubkey: signing failed: agent refused operation
I have tried with a fresh project, but the same result. Re-installed google cloud sdk, same result. I must be missing some setting value, but I have no idea what I am missing. I have ssh keys (the standard ones created by gcloud, called google_compute_engine(.pub) in my .ssh directory.
Any suggestions would be appreciated.
Cheers, Mike
After trying loads of things, I found that
sudo apt-get autoremove gnome-keyring
ssh-add -D
and a reboot resolved this.

WARNING: no suitable primes in /etc/ssh/primes message after changing user's password

So I am using the SSH.NET library to do some stuff from my .NET application to trigger stuff on a remote Mac OS device.
After I changed the user's password I managed to break the functionality somehow, and system.log shows me the following message:
WARNING: no suitable primes in /etc/ssh/primes
The library itself gives me this message:
An exception of type 'Renci.SshNet.Common.SshAuthenticationException' occurred in Renci.SshNet.dll but was not handled in user code
Additional information: No suitable authentication method found to complete authentication.
SSHD debug gives me this message:
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from 172.16.115.19 port 44670 on 192.168.202.110 port 2222
debug1: Client protocol version 2.0; client software version Renci.SshNet.SshClient.0.0.1
debug1: no match: Renci.SshNet.SshClient.0.0.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug2: fd 5 setting O_NONBLOCK
debug2: Network child is on pid 569
debug1: list_hostkey_types: [preauth]
No supported key exchange algorithms [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 569
debug1: audit_event: unhandled event 12
I am guessing this has something to do with the keys that have changed after the password was changed, but I am not 100% sure here.
I am guessing this has something to do with the keys that have changed after the password was changed, but I am not 100% sure here.
No.
No supported key exchange algorithms [preauth]
talks about key exchange algorithms. The log is not complete (-ddd will tell you more) and is from an older version that is not very verbose at this level. But I can guess your server no longer supports the method offered by your SSH.NET library.
I would go for upgrading the library in the first place. The second possibility is to allow legacy KEX algorithms on the server, such as:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
in your sshd_config (basically adding diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1, which are not considered safe these days!).
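An added check, not part of the answer above, for auditing the KexAlgorithms line before and after a change like that: the script flags every SHA-1 key exchange enabled by the effective line (sshd uses the first KexAlgorithms line it reads), understands the +/-/^ list-edit prefixes, and ships a constructed sshd_config fragment with the permissive line from the answer beside a hardened one. Two caveats: if no KexAlgorithms line is present the compiled-in default applies, which only sshd -T will show; and of the three legacy methods, diffie-hellman-group14-sha1 (2048-bit group, SHA-1 only in the exchange hash) is the least bad, so if the client accepts it, "KexAlgorithms +diffie-hellman-group14-sha1" is a smaller concession than the full list. sshd -ddd, as the answer notes, shows what the client actually offers.

```shell
#!/bin/sh
# Audit the KexAlgorithms setting of an sshd_config for SHA-1 key exchanges.
# Added example, not from the original thread.  The config fragments below are
# constructed; the only assumption about sshd is that its first
# KexAlgorithms line wins.

# weak_kex FILE -> prints each SHA-1 key exchange enabled by the first
# KexAlgorithms line of FILE, one per line (nothing if none, or no line).
#   "-a,b"         removes a and b from the default: nothing weak is added
#   "+a,b" / "^a,b" append / prepend to the default: a and b are checked
weak_kex() {
    awk '
        tolower($1) == "kexalgorithms" && !seen {
            seen = 1
            list = $2
            if (substr(list, 1, 1) == "-") next
            sub(/^[+^]/, "", list)
            n = split(list, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] ~ /sha1$/) print alg[i]
        }' "$1"
}

LEGACY=$(mktemp); HARDENED=$(mktemp)

# The answer's permissive line, in a constructed config fragment.
cat > "$LEGACY" <<'EOF'
Port 2222
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
EOF

# Hardened: explicit modern list, no SHA-1.  To keep a single legacy client
# working, "KexAlgorithms +diffie-hellman-group14-sha1" is the smallest change.
cat > "$HARDENED" <<'EOF'
Port 2222
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
EOF

echo "legacy:";   weak_kex "$LEGACY"     # group14-sha1, group1-sha1, group-exchange-sha1
echo "hardened:"; weak_kex "$HARDENED"   # nothing
rm -f "$LEGACY" "$HARDENED"

# On a live host, the effective value including compiled-in defaults:
#   sshd -T -f /etc/ssh/sshd_config | grep -i kexalgorithms
# and everything this build of OpenSSH can offer at all:
#   ssh -Q kex
```

The audit reads the file, not the running daemon, so run it against the file you are about to deploy and confirm with sshd -T after the reload.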

gitolite not working with sshd service

I'm trying to get gitolite to work and have been stuck for hours. CentOS 6 server on my LAN.
I finally got ssh -vvv gitolite to work with this config file
Host gitolite
User gitolite
HostName srv
Port 2002
IdentityFile ~/.ssh/srv_gitolite_openssh
BUT it only works when I do this on the server to debug
sudo service sshd stop
sudo /usr/sbin/sshd -Dd
When sshd is running as a service, the connection fails.
http://pastebin.com/UHVS1sSK
Why does it work when I manually run sshd, but not with sshd as a service? It seems to use the same sshd_config file, because it uses the same port number. Also, my username gitolite is in the AllowUsers part of the config.
The success case looks like this:
http://pastebin.com/x4TcrG4R
Update: Here are the server-side logs
fail as a service: http://pastebin.com/Xce2k2x5
success: http://pastebin.com/jYgiDhEm
highlights from the fail case are below. Shouldn't the "key_from_blob" be the same in both cases? I've tried removing the command part of the authorized_keys and it still fails as a service.
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f72b6e93350
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for gitolite from 192.168.1.201 port 57488 ssh2
debug3: mm_answer_keyallowed: key 0x7f72b6e93350 is not allowed
debug3: mm_request_send entering: type 22
highlights from the success case:
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f4d79de18b0
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/var/lib/gitolite/.ssh'
debug3: secure_filename: checking '/var/lib/gitolite'
debug3: secure_filename: terminating check at '/var/lib/gitolite'
debug2: key_type_from_name: unknown key type 'command="/var/lib/gitolite/bin/gitolite-shell'
debug3: key_read: missing keytype
debug2: user_key_allowed: check options: 'command="/var/lib/gitolite/bin/gitolite-shell gitolite",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBrEOo5blAUXXSwXdxUxTOhBDHcjw2OzxGg6Vu4drzmUYL5uPxjWLGzuzcNkrYmlVqXr5UBqeSbkZh9W/0lLMcmiv5FLdIQ+J2m5lqHsEJLS8FImfJxfo2/LvboFy0NFOxF8GaHxeIWFp+YmwAlogO9gi1zgXK99DGc15W/edYwCw==
'
debug1: matching key found: file /var/lib/gitolite/.ssh/authorized_keys, line 2
Found matching RSA key: ae:92:1d:a7:7b:ec:75:7a:19:ac:28:75:b0:cc:27:8f
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x7f4d79de18b0 is allowed
I suspect the keys are working in both cases.
But running sshd as a service is different from running it from the current session: see "Why would I use “service sshd reload” in preference to “service sshd restart”?".
The service cancels all inherited environment variables and keeps only PATH and TERM.
Gitolite uses a forced command registered in ~gitolite/.ssh/authorized_keys, and there must be an environment variable missing (when sshd is run as a service) which prevents the execution of the command.
There was a similar case with "public key authentication fails ONLY when sshd is daemon":
SELinux is likely the cause.
The .ssh dir is probably mislabeled.
Look at /var/log/audit/audit.log. It should be labeled ssh_home_t.
Check with ls -laZ. Run restorecon -r -vv /root/.ssh if need be.
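An added check, not from the answer above, that turns "look at ls -laZ" into something you can run over a whole .ssh directory: it reads ls -laZ output and prints every entry whose SELinux type is not ssh_home_t (the parent entry .. is skipped, since the home directory itself legitimately carries a different type). The listing below is constructed, in both the CentOS 6 and the current coreutils column layouts. Two caveats before running restorecon on this particular setup: gitolite's home here is /var/lib/gitolite, not under /home, so first ask the policy what it expects with matchpathcon /var/lib/gitolite/.ssh; if the answer is not ssh_home_t, restorecon cannot help and the directory needs its own rule, semanage fcontext -a -t ssh_home_t '/var/lib/gitolite/\.ssh(/.*)?', before restorecon -Rv /var/lib/gitolite/.ssh. The denial itself is visible with ausearch -m AVC -ts recent.

```shell
#!/bin/sh
# Find entries of a .ssh directory whose SELinux type is not ssh_home_t.
# Added example, not from the original thread.  Sample listing constructed.

# mislabeled_ssh_entries: reads `ls -laZ ~user/.ssh` output on stdin and
# prints "<type> <name>" for every entry not labeled ssh_home_t.  It locates
# the context field (user:role:type:level) instead of trusting a column
# number, so both the old "mode user group context name" layout and the
# newer full long listing work.  ".." is skipped: the home directory is
# expected to carry a different type (user_home_dir_t or similar).
mislabeled_ssh_entries() {
    awk '
        NF < 2 || $1 == "total" || $NF == ".." { next }
        {
            type = ""
            for (i = 2; i < NF; i++)
                if ($i ~ /^[^:]+:object_r:[^:]+:/) { split($i, c, ":"); type = c[3]; break }
            if (type != "" && type != "ssh_home_t") print type, $NF
        }'
}

# Constructed `ls -laZ /var/lib/gitolite/.ssh` output: the first three lines
# use the CentOS 6 layout, the last one the current coreutils layout.
SAMPLE_LISTING='total 8
drwx------. gitolite gitolite unconfined_u:object_r:ssh_home_t:s0 .
drwxr-xr-x. gitolite gitolite unconfined_u:object_r:var_lib_t:s0 ..
-rw-------. gitolite gitolite unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. 1 gitolite gitolite system_u:object_r:ssh_home_t:s0 409 Jan  1 12:00 id_rsa'

printf '%s\n' "$SAMPLE_LISTING" | mislabeled_ssh_entries   # prints: var_lib_t authorized_keys

# On the server (paths from the question; the policy query is the part that
# decides between restorecon and a new fcontext rule):
#   matchpathcon /var/lib/gitolite/.ssh /var/lib/gitolite/.ssh/authorized_keys
#   ls -laZ /var/lib/gitolite/.ssh | mislabeled_ssh_entries
#   restorecon -Rv /var/lib/gitolite/.ssh
```

A var_lib_t authorized_keys is exactly the case where sshd -Dd from a root shell (unconfined_t) reads the file fine while the confined sshd_t service is denied, which matches the symptom in the question.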