nohup causes "read_passphrase: can't open /dev/tty" - ssh

I have a simple remote ssh command in a script, nohupssh.sh:
sleep 30
ssh -v -l developer server11 "/usr/local/jdk1.7.0_45/bin/jmap -histo:live 1770;"
I run the script as follows:
nohup nohupssh.sh > out.log 2>&1 &
When I execute it as shown above, the jmap utility successfully executes on the remote server. However, if I execute it as shown above and exit the bash shell, I get the error shown below.
Note that I have a properly formatted authorized_keys in both local and remote servers. Also note that there is NO id_rsa in either server since these servers are shared.
I've tried many combinations:
ssh -v -A -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null server11 ....
but to no avail. I've closely examined the man page for ssh for clues, trying various options. I presume there must be a single or set of ssh options that will solve this problem. The real script (rather than the abridged above) has scp as well. Hence, I hope the options that are eluding me will work for both scp and ssh.
The full verbose log is
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /home/developer/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server11 [10.255.10.20] port 22.
debug1: fd 4 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/developer/.ssh/identity type -1
debug1: identity file /home/developer/.ssh/id_rsa type -1
debug1: identity file /home/developer/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Warning: Permanently added 'server11,10.255.10.20' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
****************************************************************************
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored.
****************************************************************************
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/developer/.ssh/identity
debug1: Trying private key: /home/developer/.ssh/id_rsa
debug1: Trying private key: /home/developer/.ssh/id_dsa
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

I had this read_passphrase: can't open /dev/tty error when my private key was wrongly formatted - instead of many lines, it was passed as a one-liner, and you might have any other format issue like a forgotten "-" at the start or end, or something wrong at the end of the lines, like a missing newline format or an additional letter at the end of a line.
See Dockerfile: clone repo with passwordless private key. Errors: “authentication agent” or “read_passphrase: can't open /dev/tty” for more details, in short:
The main error is caused by the
echo "$ssh_prv_key" > /root/.ssh/id_rsa
which passes a wrongly formatted ssh_prv_key, as just one line, although the private key needs many lines.
With the main idea from Add private key to ssh-agent in docker file, which again had the idea from Gitlab CI/Docker: ssh-add keeps asking for passphrase.
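A check for the failure described in this answer, as an added example (not code from the original answer): it tests whether a private key file still has its PEM line structure after being written from a variable. The key body is a constructed placeholder, and the function names and verdict strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: detect a private key file whose PEM line structure was lost.

# Constructed placeholder in private-key layout; the body is NOT real key material.
make_sample_key() {
    printf '%s\n' \
        '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbGluZS0x' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbGluZS0y' \
        '-----END OPENSSH PRIVATE KEY-----'
}

# check_private_key_format FILE -> prints one verdict word
check_private_key_format() {
    awk '
        NR == 1 { first = $0 }
        /\r$/   { crlf = 1 }
        NF      { last = $0; lines++ }    # last non-blank line and line count
        END {
            if (crlf)
                print "crlf-line-endings"
            else if (first ~ /^-----BEGIN .*-----END /)
                print "collapsed-to-one-line"
            else if (first !~ /^-----BEGIN [A-Z ]*PRIVATE KEY-----$/)
                print "bad-begin-marker"
            else if (last !~ /^-----END [A-Z ]*PRIVATE KEY-----$/)
                print "bad-end-marker"
            else if (lines < 3)
                print "no-key-body"
            else
                print "ok"
        }
    ' "$1"
}

# write_key_variants DIR: the same key written three ways (files are created 0600)
write_key_variants() {
    (
        umask 077
        key=$(make_sample_key)
        printf '%s\n' "$key" > "$1/good"        # quoted: newlines preserved
        echo $key            > "$1/collapsed"   # unquoted: newlines become spaces
        make_sample_key | awk '{ printf "%s\r\n", $0 }' > "$1/crlf"
    )
}

# Demonstration on a throwaway directory
demo_dir=$(mktemp -d)
write_key_variants "$demo_dir"
for f in good collapsed crlf; do
    printf '%-10s %s\n' "$f" "$(check_private_key_format "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Running the check right after the key file is written makes a formatting problem visible at that step instead of later as a passphrase prompt.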

From the error log:
Authentications that can continue: publickey,password
Since you don't have a publickey set up ("there is NO id_rsa"), you need to enter a password to access the remote server, but you've disconnected stdin:
read_passphrase: can't open /dev/tty: No such device or address
SSH is not very amenable to hacks to automate password entry, so if you can't put an id_rsa on there, your best bet is to background and detach after entering the remote server's password. Try ^Z:
Run nohup nohupssh.sh > out.log 2>&1
Wait 30 seconds, then enter the remote server password
Hit control-Z
Run bg %1
You should now be able to exit the shell.

MacOS cron job can't access ssh key with passphrase in key chain while computer sleeping

This problem is occurring on a MacStudio running Monterey 12.6.
I have a ksh script that issues an ssh command to connect to a NAS server. The script runs fine from terminal command line. It runs fine in cron when the Mac is not sleeping.
If I put the Mac to sleep (or if the cron runs overnight after my screen locks), it fails with:
Permission denied, please try again.
Permission denied, please try again.
AdminID@10.0.0.135: Permission denied (publickey,password).
I created the cron job in my user ID which has admin authority.
The ssh key was setup with a passphrase by my user ID using ssh-keygen. The key passphrase is in the 'local items' keychain. I've setup the associated public key on the NAS for the NAS AdminID (e.g. AdminID on NAS is just an alias for MyUserID). My .ssh/config file looks like:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
User MyUserID
The script has code as follows:
if [[ $SSH_AGENT_SOCK == "" ]]; then
export SSH_AGENT_SOCK=$(/usr/sbin/lsof -a -w -p $(pgrep ssh-agent) -U -F -n | \
sed -n 's/^n//p')
fi
ssh -v -p 123 AdminID@10.0.0.135 exit
The mail that cron sent has the following:
Subject: Cron <MyUserID@MacStudio1> /Users/MyUserID/bin/BackupTasks.sh Test
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=MyUserID>
X-Cron-Env: <USER=MyUserID>
Message-Id: <20221023215731.617631C11C66@MacStudio1.localdomain>
Date: Sun, 23 Oct 2022 14:57:01 -0700 (MST)
CheckAccess: Error: Cannot ssh to AdminID@10.0.0.135::NetBackup/MacStudio1
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/MyUserID/.ssh/config
debug1: /Users/MyUserID/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.0.0.135 [10.0.0.135] port 123.
debug1: Connection established.
debug1: identity file /Users/MyUserID/.ssh/id_rsa type 0
debug1: identity file /Users/MyUserID/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
debug1: compat_banner: match: OpenSSH_8.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.0.135:123 as 'AdminID'
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:1cNPPyeN3o/ncJlhdJWlzP8BSYmX1i3UX+pqTX8zAcU
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.0.0.135' is known and matches the ED25519 host key.
debug1: Found key in /Users/MyUserID/.ssh/known_hosts:1
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: Server accepts key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
NBadmin@10.0.0.10: Permission denied (publickey,password).
So it appears that I have connected to the ssh agent (SSH_AUTH_SOCK is the same as while in Terminal - i.e /private/tmp/com.apple.launchd.mwxteEeOeKa/Listeners ), so it appears the agent didn't shut down because the Mac is sleeping. I believe the above is saying it cannot get the passphrase from the keychain.
I'm not a keychain expert, but my understanding is there are three classes of keychain service:
Key is always accessible
Key is available from last login until next reboot.
Key is available while logged in.
I'm guessing my ssh key passphrase is in the third class mentioned above and that is why the passphrase is inaccessible.
So, anyway, I guess I'm looking for a reasonably secure way to run a cron job that needs an ssh key. I'm not sure whether I get logged out when the screen locks or not. Assuming I'm not logged out, I think I would be OK if the key remained accessible from last login to reboot (which is generally all the time - I don't shutdown). But I'm not sure how to get my ssh key into that class or whether this is not secure. This is a home computer and I'm basically the only user. The computer and NAS are on a local network behind an Xfinity gateway/modem.
Update: I tried setting the Energy Saver to Prevent Automatically Sleep When display is off, and then ran after locking the screen. It didn't help.
Things I haven't done:
Use a key without a passphrase. (Not best for security - and then the key ends up in Time Machine and is sent to the NAS and then the cloud - though planning on encrypting the data sent to cloud.)
Set up an SSH key for root and run the cron in root. (Probably not great to run in root in general).
Can anyone suggest a path forward?
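The nohup log and the cron log above both end in read_passphrase: can't open /dev/tty, but they stop at different steps of authentication. As an added example (not part of the original posts), this function classifies `ssh -v` output by where authentication stopped; the function names, verdict strings and abridged sample logs are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify `ssh -v` output by the step at which authentication stopped.

# triage_ssh_log: reads ssh -v output on stdin and prints one verdict word.
triage_ssh_log() {
    awk '
        /identity file .* type [0-9]/ { have_identity = 1 }
        /Offering (RSA )?public key/  { offered = 1 }
        /read PEM private key done/   { offered = 1 }  # older clients: key loaded and tried
        /Server accepts key/          { accepted = 1 }
        /Next authentication method: (password|keyboard-interactive)/ { fell_back = 1 }
        /read_passphrase: can.t open \/dev\/tty/ {
            no_tty = 1
            # A prompt directly after "Server accepts key" is for the key passphrase.
            if (prev ~ /Server accepts key/) key_locked = 1
        }
        { prev = $0 }
        END {
            if (key_locked)                       print "key-passphrase-needs-tty"
            else if (offered && !accepted)        print "key-rejected-by-server"
            else if (!have_identity && fell_back) print "no-usable-private-key"
            else if (no_tty)                      print "prompt-without-tty"
            else                                  print "unknown"
        }
    '
}

# explain_verdict VERDICT -> one line saying what to check next
explain_verdict() {
    case $1 in
        key-passphrase-needs-tty)
            echo "server accepted the public key; the encrypted private key could not be unlocked without a terminal" ;;
        key-rejected-by-server)
            echo "a key was tried and refused; check authorized_keys content, permissions and owner on the server" ;;
        no-usable-private-key)
            echo "no identity file was loaded, so ssh fell back to a password prompt, which needs a terminal" ;;
        prompt-without-tty)
            echo "ssh tried to prompt but the process has no controlling terminal" ;;
        *)  echo "no known pattern matched" ;;
    esac
}

# Constructed, abridged log in the shape of the nohup run (no key file on disk).
sample_nohup_log() {
    cat <<'EOF'
debug1: identity file /home/developer/.ssh/id_rsa type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/developer/.ssh/id_rsa
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
Permission denied (publickey,password).
EOF
}

# Constructed, abridged log in the shape of the cron run (key accepted, then locked).
sample_cron_log() {
    cat <<'EOF'
debug1: identity file /Users/MyUserID/.ssh/id_rsa type 0
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:<fingerprint> explicit
debug1: Server accepts key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:<fingerprint> explicit
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: Device not configured
Permission denied (publickey,password).
EOF
}

for sample in sample_nohup_log sample_cron_log; do
    verdict=$($sample | triage_ssh_log)
    printf '%s: %s\n  %s\n' "$sample" "$verdict" "$(explain_verdict "$verdict")"
done
```

For unattended runs, `ssh -o BatchMode=yes` disables passphrase and password prompts, so the command fails immediately instead of attempting to open a terminal.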

sshd_config does not get overwritten via Yocto meta-layer and hence cannot connect to board

System
Hardware: PHYTEC PHYBOARD-Mira Board
Processor: NXP i.MX6 Quad
Yocto/OE branch: warrior
Initial steps
I have a custom layer called meta-mylayer where I wish to make changes to the images that I bring on the hardware. The meta-yogurt layer is provided by Phytec which consists of their apps and other board related software.
Within my Layer I have the following recipe for password:
# meta-mylayer/recipe-images/images/phytec-headless-image.bbappend
inherit extrausers
EXTRA_USERS_PARAMS = "usermod -P yocto2020 root;"
Upon executing bitbake -k phytec-headless-image and connecting the board via Serial Cable I am able to log in to the board with root:yocto2020 credentials; however, upon ssh -l root <StaticIPBoard> I keep getting access denied.
Based on this toradex forum thread I execute the following command in the directory where all my meta layers are:
find . -name "*sshd_config*"
The result is as follows:
./meta-yogurt/recipes-connectivity/openssh/openssh/sshd_config
./poky/meta/recipes-connectivity/openssh/openssh/sshd_config
Hence I copy the sshd_config from the meta-yogurt layer and uncomment the following two lines:
AllowRootLogin Yes
PasswordAuthentication Yes
the structure of the recipe in my layer is as follows:
meta-mylayer/recipes-connectivity/
└── openssh
    ├── openssh
    │   └── sshd_config # uncommented the necessary lines
    └── openssh_%.bbappend
the content of the openssh_%.bbappend file is as follows:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
the layer is already in the $BUILDDIR/conf/bblayers.conf so I proceed with bitbake -k phytec-headless-image and load the image on the board.
The command ssh -v -l root <STATICIP> throws the following errors:
$ ssh -v -l root 192.168.3.11
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.3.11 [192.168.3.11] port 22.
debug1: Connection established.
debug1: identity file /home/des/.ssh/id_rsa type 1
debug1: identity file /home/des/.ssh/id_rsa-cert type -1
debug1: identity file /home/des/.ssh/id_dsa type -1
debug1: identity file /home/des/.ssh/id_dsa-cert type -1
debug1: identity file /home/des/.ssh/id_ecdsa type -1
debug1: identity file /home/des/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/des/.ssh/id_ed25519 type -1
debug1: identity file /home/des/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 82:25:3c:5a:49:5e:61:ba:7c:0d:6b:b9:1d:78:9c:7c
debug1: Host '192.168.3.11' is known and matches the ECDSA host key.
debug1: Found key in /home/des/.ssh/known_hosts:46
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/des/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/des/.ssh/id_dsa
debug1: Trying private key: /home/des/.ssh/id_ecdsa
debug1: Trying private key: /home/des/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@192.168.3.11's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
sshd_config file
on the board via the Serial Port I do
cat /etc/ssh/sshd_config | grep -i "rootlogin"
and the AllowRootLogin option is still commented out!
Other alternatives
I tried devtool modify openssh and edited the sshd_config and added patches to my layer with SRC_URI_append and the results are still the same.
P.S. in the local.conf EXTRA_IMAGE_FEATURES += "debug-tweaks" is commented out.
Question
What needs to be done in order to reach the board via SSH with a password set of root user in my Yocto Layer?
The problem was EXTRA_IMAGE_FEATURES += "debug-tweaks". I mentioned that it was commented out in the conf/local.conf.
The solution was to uncomment it so that the effects take place.
Before:
conf/local.conf
#EXTRA_IMAGE_FEATURES += "debug-tweaks"
After:
EXTRA_IMAGE_FEATURES += "debug-tweaks"
and then build a new image using bitbake -k phytec-headless-image and ssh -l root <STATICIP> logs in with password
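To confirm which settings sshd on the board will actually apply, the effective value of a keyword can be read from the installed sshd_config. This is an added example, not part of the original post or of the Yocto layers; it assumes the standard OpenSSH keywords PermitRootLogin and PasswordAuthentication, and the sample file content and function names are constructed.

```shell
#!/bin/sh
# Added example: read the value sshd will use for a keyword from an sshd_config file.
# sshd takes the first value it finds for each keyword; keywords are case-insensitive.
# Simplifications: only the global section (before any Match block) is read, and
# Include files and the "Keyword=value" spelling are not handled.

effective_sshd_option() {    # usage: effective_sshd_option KEYWORD FILE
    awk -v want="$1" '
        BEGIN                   { want = tolower(want) }
        /^[ \t]*#/ || NF == 0   { next }                 # comments and blank lines
        tolower($1) == "match"  { exit }                 # stop at the first Match block
        tolower($1) == want     { print tolower($2); found = 1; exit }
        END                     { if (!found) print "unset" }
    ' "$2"
}

# root_password_login_state FILE -> "enabled" | "disabled"
# Only "PermitRootLogin yes" lets root authenticate with a password. An unset
# PermitRootLogin means prohibit-password on OpenSSH 7.0 and later (the board in
# the post runs 7.9); an unset PasswordAuthentication defaults to yes.
# Keyboard-interactive (PAM) authentication is not considered here.
root_password_login_state() {
    root_opt=$(effective_sshd_option PermitRootLogin "$1")
    pass_opt=$(effective_sshd_option PasswordAuthentication "$1")
    if [ "$root_opt" = "yes" ] && [ "$pass_opt" != "no" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Constructed sample, not the file shipped by any layer. A grep for "rootlogin"
# shows three lines here; sshd uses only the first uncommented one.
sample_sshd_config() {
    cat <<'EOF'
# Authentication:
#PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin prohibit-password
PermitRootLogin yes
EOF
}

demo_cfg=$(mktemp)
sample_sshd_config > "$demo_cfg"
for kw in PermitRootLogin PasswordAuthentication PermitEmptyPasswords; do
    printf '%-24s %s\n' "$kw" "$(effective_sshd_option "$kw" "$demo_cfg")"
done
echo "root password login: $(root_password_login_state "$demo_cfg")"
rm -f "$demo_cfg"
```

On a running target, `sshd -T` prints the effective configuration directly; the file-based check above is useful against the rootfs of a built image before it is flashed.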

adding ssh public key to server

I'm trying to push my id_rsa.pub to server so I can ssh into it.
I've run the following command,
cat ~/.ssh/id_rsa.pub | ssh -v -p 12345 myname@123.45.67.8 'cat >> ~/.ssh/authorized_keys'
which returns the following debugging:
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 123.45.67.8 [123.45.67.8] port 12345.
debug1: Connection established.
debug1: identity file /Users/myname/.ssh/id_rsa type 1
debug1: identity file /Users/myname/.ssh/id_rsa-cert type -1
debug1: identity file /Users/myname/.ssh/id_dsa type -1
debug1: identity file /Users/myname/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA [some server host key]
debug1: Host '[123.45.67.8]:12345' is known and matches the RSA host key.
debug1: Found key in /Users/myname/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/myname/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/myname/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/myname/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I can't figure out what the problem is..
can anybody please help me out?
Key based authentication will only work if the authorized_keys has correct permissions.
Try to do a chmod 600 ~/.ssh/authorized_keys
Your command will only work if you can ssh to the server by entering a password. It also requires the dir ~/.ssh to be created on the remote server and lastly (as Jan-Erik Revsbech points out) the permissions on the local and the remote ~/.ssh need to disallow others reading it.
If you instead use ssh-copy-id remote-server to copy your keys, then both the dir and permissions on the remote system will be set correctly. It will still require you to enter the password the first time, though.
Make sure to also set the correct owner :)
I tried ssh-copy-id remote-server as suggested by Ole and got an error like this:
Cannot write to .ssh/authorized_keys. Permission denied
The directory ~/.ssh as well as the file authorized_keys were already present on the server and set up with the right permission... but for the wrong user! Here is what solved it:
chown right-user:right-user .ssh
chown right-user:right-user .ssh/authorized_keys
I changed the owner of the file and the directory. Then ssh-copy-id worked.
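The answers in this thread come down to the mode and owner of three paths that sshd checks, with StrictModes enabled (the default), before it will read authorized_keys. As an added example (not code from the original answers), this audit reports paths that are group- or other-writable or owned by the wrong uid; the function names, finding strings and temporary directory layout are assumptions for this illustration.

```shell
#!/bin/sh
# Added example: audit the paths sshd's StrictModes check looks at for one account.

# mode_and_uid PATH -> "OCTAL_MODE UID" (GNU stat, with BSD/macOS stat as fallback)
mode_and_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_ssh_paths HOME_DIR EXPECTED_UID -> one "path: finding" line per problem
# Real use (hypothetical account name): audit_ssh_paths /home/alice "$(id -u alice)"
audit_ssh_paths() {
    audit_home=$1
    audit_uid=$2
    for path in "$audit_home" "$audit_home/.ssh" "$audit_home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "$path: missing"
            continue
        fi
        info=$(mode_and_uid "$path")
        mode=${info% *}
        uid=${info#* }
        # Stricter than sshd, which also accepts root-owned paths.
        [ "$uid" = "$audit_uid" ] || echo "$path: wrong-owner (uid $uid, expected $audit_uid)"
        # A write bit in the group or other digit lets another account alter the path.
        case $mode in
            *[2367]?|*[2367]) echo "$path: writable-by-others (mode $mode)" ;;
        esac
    done
}

# make_demo_home: constructed layout with modes that are too loose
make_demo_home() {
    demo_home=$(mktemp -d)
    mkdir "$demo_home/.ssh"
    : > "$demo_home/.ssh/authorized_keys"
    chmod 775 "$demo_home/.ssh"
    chmod 666 "$demo_home/.ssh/authorized_keys"
    echo "$demo_home"
}

# fix_ssh_modes HOME_DIR: tighten the three paths
fix_ssh_modes() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

demo=$(make_demo_home)
echo "before:"
audit_ssh_paths "$demo" "$(id -u)"
fix_ssh_modes "$demo"
echo "after: $(audit_ssh_paths "$demo" "$(id -u)" | wc -l) finding(s)"
rm -rf "$demo"
```

An owner mismatch is reported separately from a mode problem because chmod cannot repair it; that case needs the chown shown in the last answer.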

ssh password-less login to localhost

I am trying to setup password-less login into my localhost for a distributed computing tutorial. (I've set it up successfully for multiple remote hosts.) I went through the normal steps of generating an rsa key and appending the public key to authorized_keys but I am still prompted for a password. I've also enabled RSAAuthentication and PubKeyAuthentication in /etc/ssh_config. Following other suggestions I've seen, I tried:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
But the problem persists.
Here is the output from ssh -v localhost:
(tutorial)bnels21-2:tutorial bnels21$ ssh -v localhost
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /Users/bnels21/.ssh/id_rsa type 1
debug1: identity file /Users/bnels21/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bnels21/.ssh/id_dsa type -1
debug1: identity file /Users/bnels21/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 1c:31:0e:56:93:45:dc:f0:77:6c:bd:90:27:3b:c6:43
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /Users/bnels21/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bnels21/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: id_rsa3
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/bnels21/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
Any suggestions? I'm running OSX 10.8.
Since you seem to have multiple keys I would assign the specific key to a specific connection in ~/.ssh/config.
Example:
Host local
HostName 127.0.0.1
Port 22
User your_username
IdentityFile ~/.ssh/your_key-id_rsa
Then just try to ssh local.
I had the same problem. I checked the system passwd and group files, and discovered that my user and group were not present. To build these files (my user was a domain user) I needed to run two commands in the Cygwin shell:
mkpasswd -l -d > /etc/passwd
mkgroup -l -d > /etc/group
After that, ssh works fine!
Elvys Borges
It looks like you are using protocol version 2.0 when connecting to localhost, so try moving authorized_keys to authorized_keys2.
Source: this post explains the difference between the two keys files.
I was at my wits' end... I was under the mistaken impression ssh-copy-id was a Linux-only utility. Finally I just swallowed my pride and typed the command in the macOS Terminal and it worked!
ssh-copy-id me@sshd-server
I don't know what magic ssh-copy-id does, but it just worked. I was able to log in without a password successfully with the simple command:
ssh me@sshd-server
I had zero luck with cat id_rsa.pub >> ~/.ssh/authorized_hosts. Every time I tried ssh'ing to the server it just kept asking me for the passphrase. This is with the correct 600 permission on authorized_hosts and 700 on ~/.ssh.

Trying to get jenkins and gitolite to work successfully - Permission denied (publickey,password)

I have been trying for days to get my gitolite work with jenkins so I can have repos hosted from server and working with Jenkins (they are on the same server).
I have gitolite working but I guess I have problems with ssh.
I got some help on a chat and added private key to jenkins/.ssh.
I have a user "git" that hosts the gitolite, and I got a user "gitolite" and a "jenkins" user. I can clone a repo by using git clone git@e-ject.se:Matrix
But I can't use it in jenkins. I get this when I try to build.
Checkout:workspace / /var/lib/jenkins/jobs/Matrix/workspace -
hudson.remoting.LocalChannel@dbb335
Using strategy: Default
Checkout:workspace / /var/lib/jenkins/jobs/Matrix/workspace -
hudson.remoting.LocalChannel@dbb335
Cloning the remote Git repository
Cloning repository origin
ERROR: Error cloning remote repo 'origin' : Could not clone git@e-ject.se:Matrix
ERROR: Cause: Error performing command: git clone --progress -o origin git@e-ject.se:Matrix /var/lib/jenkins/jobs/Matrix/workspace
Command "git clone --progress -o origin git@e-ject.se:Matrix
/var/lib/jenkins/jobs/Matrix/workspace" returned status code 128: Cloning into /var/lib/jenkins/jobs/Matrix/workspace...
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
fatal: The remote end hung up unexpectedly
Trying next repository
ERROR: Could not clone repository
FATAL: Could not clone
hudson.plugins.git.GitException: Could not clone
at hudson.plugins.git.GitSCM$2.invoke(GitSCM.java:1042)
at hudson.plugins.git.GitSCM$2.invoke(GitSCM.java:968)
at hudson.FilePath.act(FilePath.java:758)
at hudson.FilePath.act(FilePath.java:740)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:968)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1193)
at hudson.model.AbstractBuild$AbstractRunner.checkout(AbstractBuild.java:566)
at hudson.model.AbstractBuild$AbstractRunner.run(AbstractBuild.java:454)
at hudson.model.Run.run(Run.java:1376)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:230)
I login to my server and su - jenkins, then type "ssh -v git@server" I get this.
git@Server:~$ sudo su - jenkins
jenkins@Server:~$ ssh -v git@server
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server [127.0.1.1] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f3:ab:a6:55:83:98:c5:4f:85:c6:70:be:2f:40:1f:65
debug1: Host 'server' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug1: Next authentication method: password
git@server's password:
It still asks for password...
Has anyone done this? Getting gitolite working with jenkins?
I'm very grateful for any help and can gladly donate 10 bucks (visa card) for helping me set this up!
SSH into the Jenkins box and create an SSH key pair for the Jenkins user (assuming jenkins here):
local$ ssh jenkins-box
you@jenkins-box$ sudo su jenkins
jenkins@jenkins-box$ ssh-keygen
jenkins@jenkins-box$ cat $HOME/.ssh/id_rsa.pub
Copy the SSH public key you see on the screen and paste it into the new file keydir/jenkins.pub inside your local gitolite admin repository.
Add the following lines to conf/gitolite.conf to give Jenkins permissions to clone and pull all repositories:
repo @all
R = jenkins
Commit and push the gitolite admin repository. Jenkins should now work correctly.