# always being asked for password for ssh even when I only have key authorization enabled.



## clawhammer (Mar 30, 2018)

```
#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
#       $FreeBSD: head/crypto/openssh/sshd_config 322052 2017-08-04 12:57:24Z des $
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256

#RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
MaxSessions 2



# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none
```

I generated a key with PuTTY and put the public key in my user's home directory, in ~/.ssh/authorized_keys. I never get anything about my key being used and it always asks me for a password. What am I doing wrong?


----------



## ljboiler (Mar 31, 2018)

Shouldn't authorized_keys only contain _public_ keys?


----------



## clawhammer (Mar 31, 2018)

ljboiler said:


> Shouldn't authorized_keys only contain _public_ keys?


fixed my typo, thanks.


----------



## phoenix (Mar 31, 2018)

Add *-v* (or even multiple v's) to your ssh command to see what it is doing and whether or not it even passes the key through.

Also check /var/log/messages and /var/log/daemon and /var/log/auth on the server for more information on what it's doing.


----------



## rigoletto@ (Mar 31, 2018)

You probably are not running ssh-agent and/or adding the key to it (the keyring). So, every time you need to access something using your key you need to provide the *key* password.

EDIT: also, just in case, stuff in ~/.ssh should have permissions set to 600.


----------
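Putting phoenix's and rigoletto@'s advice into a check you can run: the script below is an added example, not code from this thread or from OpenSSH. It parses sshd's syslog lines (on FreeBSD, /var/log/auth.log) and reports, for each accepted login, whether it came in by public key, by password, or by keyboard-interactive/pam (which is what a PAM password prompt looks like in the log), and lists any directory or file sshd refused under StrictModes because of bad ownership or group/world-writable permissions. The log lines, host name, users and addresses in it are constructed samples, not from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): triage sshd syslog output
# to see which authentication method each accepted login actually used and
# whether StrictModes rejected a key because of file permissions.

# accepted_logins FILE -> "method user source-ip", one line per accepted login
# sshd logs: "Accepted <method> for <user> from <ip> port <n> ssh2[: keytype fp]"
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted") { print $(i+1), $(i+3), $(i+5); break }
    }' "$1"
}

# non_key_logins FILE -> accepted logins that did NOT use a public key
# ("password", or "keyboard-interactive/pam" when PAM asked for the password)
non_key_logins() {
    accepted_logins "$1" | awk '$1 != "publickey"'
}

# strictmodes_refusals FILE -> paths sshd refused to read because they are
# group/world writable or not owned by the user (StrictModes yes, the default)
strictmodes_refusals() {
    awk '/Authentication refused: bad ownership or modes for (directory|file) / { print $NF }' "$1"
}

# Constructed sample log (syslog format as sshd writes it); not a real capture.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar 31 10:12:01 bsdbox sshd[1234]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 51022 ssh2
Mar 31 10:13:45 bsdbox sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 51030 ssh2: RSA SHA256:...
Mar 31 10:14:02 bsdbox sshd[1250]: Authentication refused: bad ownership or modes for directory /home/bob/.ssh
Mar 31 10:14:05 bsdbox sshd[1250]: Accepted password for bob from 198.51.100.7 port 40010 ssh2
Mar 31 10:15:30 bsdbox sshd[1260]: Failed publickey for carol from 203.0.113.5 port 2222 ssh2: RSA SHA256:...
EOF

echo "accepted logins (method user ip):"; accepted_logins "$LOG"
echo "logins that bypassed key auth:";    non_key_logins "$LOG"
echo "StrictModes refusals:";             strictmodes_refusals "$LOG"
rm -f "$LOG"
```

Run it against the real file with `accepted_logins /var/log/auth.log`. If your own login shows up as `keyboard-interactive/pam` or `password`, the server never received, or never accepted, a key for that session; if a StrictModes refusal names your ~/.ssh, fix ownership and remove group/world write (the directory is normally 700, authorized_keys 600) before looking anywhere else. The `-v` output on the client side tells you the other half: whether the key was offered at all.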



## clawhammer (Mar 31, 2018)

When I was using PuTTY outside of my network it asks for a password. When I use my OS X machine on my local LAN, which does not have the private key I have on my outside Windows system (the one I generated the RSA key on and put in my home directory on the remote server), OS X says


```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:qtxehZzGrSioLapWo2WJELYk285b5Rc84wWNzO+Ye8M.
Please contact your system administrator.
Add correct host key in /Users/*****/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/*****/.ssh/known_hosts:1
RSA host key for ***.***.*.* has changed and you have requested strict checking.
Host key verification failed.
```


----------



## ShelLuser (Mar 31, 2018)

Did you also add the key to your PuTTY session? So: Connection => SSH => Auth.  There is a section where you can point PuTTY to your private key.

(edit): once you added one be sure to save your session!


----------



## clawhammer (Apr 1, 2018)

ShelLuser said:


> Did you also add the key to your PuTTY session? So: Connection => SSH => Auth.  There is a section where you can point PuTTY to your private key.
> 
> (edit): once you added one be sure to save your session!


I was trying to see that. I know I didn't do it myself. I only generated the keys with puttygen and saved them on the system. I was looking in Auth but I guess I missed the option where I could point the program to my key.

Is it weird that it would let me log in with a password if I didn't have my key pointed to? Would the FreeBSD ssh program use a host private and public key to authenticate my first login and not display it after that? I think I read that ssh automatically creates the private and public keys?


----------



## ShelLuser (Apr 1, 2018)

clawhammer said:


> Is it weird that it would let me log in with a password if I didnt have my key pointed to?


Not at all. You see, SSH checks the authentication methods in sequence and only if it runs out will it deny you access.

Just try running `ssh -v localhost`:


```
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/peter/.ssh/id_dsa
debug1: Trying private key: /home/peter/.ssh/id_ecdsa
debug1: Trying private key: /home/peter/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
```
Notice how it mentions "_next authentication method_" and "_no more authentication methods to try_"?

I'd suggest checking /etc/ssh/sshd_config some more, maybe you left options such as PasswordAuthentication and/or UsePAM enabled? That could explain a thing or two. Oh, don't forget about ChallengeResponseAuthentication either.



clawhammer said:


> Would the freebsd ssh program use a host priv and pub key to authenticate my first log in and not display it after that? I think I read that ssh automatically creates the priv and pub keys?


Nah. When you run SSH for the first time (as client) then it will generate some data but no keys. For that to work you'd need ssh-keygen. When you start the SSH daemon for the first time then it will generate several keys (host keys, see /etc/ssh) but those aren't used for authentication purposes. See also sshd_config(5):


```
HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication is
             allowed (host-based authentication).  The default is ``no''.
```


----------
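To make the ChallengeResponseAuthentication point concrete: the script below is an added example, not from this thread or from OpenSSH. It reads an sshd_config the way sshd does (the first occurrence of a keyword wins, and nothing after the first `Match` line is global) and reports which password paths are still open. FreeBSD's sshd is built with PAM, and when UsePAM is yes the PAM password prompt is delivered over keyboard-interactive, which ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH releases) controls; so `PasswordAuthentication no` by itself does not stop password logins, which is what the config posted at the top of the thread shows. The defaults assumed for absent keywords (UsePAM yes, ChallengeResponseAuthentication yes, PasswordAuthentication no) are the ones FreeBSD's shipped sshd_config documents; the two config samples are constructed, with the first one reduced to the authentication lines of the posted config.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): report which password
# paths an sshd_config still leaves open. Assumed FreeBSD defaults for
# absent keywords: UsePAM yes, ChallengeResponseAuthentication yes,
# PasswordAuthentication no.

# first_value FILE KEYWORD
# Print the first uncommented value for KEYWORD. sshd uses the first
# occurrence of a keyword and ignores later ones, and anything after the
# first Match line is conditional, so the scan stops there.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && NF >= 2 { print $2; exit }
    ' "$1"
}

# effective FILE KEYWORD DEFAULT -> explicit value if set, else DEFAULT
effective() {
    v=$(first_value "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# kbd_interactive FILE -> KbdInteractiveAuthentication, or its older alias
# ChallengeResponseAuthentication, defaulting to yes (FreeBSD default).
kbd_interactive() {
    v=$(first_value "$1" KbdInteractiveAuthentication)
    if [ -z "$v" ]; then v=$(first_value "$1" ChallengeResponseAuthentication); fi
    if [ -z "$v" ]; then v=yes; fi
    printf '%s\n' "$v"
}

# audit_sshd_config FILE -> one line per remaining password path, or "keys-only"
audit_sshd_config() {
    f=$1
    pw=$(effective "$f" PasswordAuthentication no)
    kbd=$(kbd_interactive "$f")
    pam=$(effective "$f" UsePAM yes)
    found=0
    if [ "$pw" = yes ]; then
        echo password-authentication
        found=1
    fi
    # With UsePAM, PAM's password prompt rides on keyboard-interactive, so
    # "PasswordAuthentication no" alone does not stop password logins.
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then
        echo keyboard-interactive-pam
        found=1
    fi
    if [ "$found" -eq 0 ]; then echo keys-only; fi
}

# Constructed sample 1: the authentication lines from the posted config.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
EOF

# Constructed sample 2: keys only. UsePAM may stay yes for account and
# session handling; with ChallengeResponseAuthentication no it has no
# channel left to prompt for a password.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
EOF

echo "as posted:";  audit_sshd_config "$BAD_CFG"    # keyboard-interactive-pam
echo "corrected:";  audit_sshd_config "$GOOD_CFG"   # keys-only
rm -f "$BAD_CFG" "$GOOD_CFG"
```

Run `audit_sshd_config /etc/ssh/sshd_config` on the server, then confirm against what sshd itself resolved with `sshd -T | grep -i -e passwordauth -e challengeresponse -e kbdinteractive -e usepam` (as root, since `-T` reads the host keys). After changing the file, a failed login attempt with a wrong password should end in `Permission denied (publickey)` rather than another prompt.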

