# incorrect passphrase supplied to decrypt private key



## fastbikkel (Dec 28, 2018)

Dear readers,

I have already searched quite a lot for a possible answer on this, but it looks like I'm either looking in the wrong direction, or I have something that is not so common.

After trying to improve my SSL security, on each boot I get a list of errors in the order of this:

```
Error loading host key "/etc/ssh/ssh_host_ed25519_key" : incorrect passphrase supplied to decrypt private key.
Could not load host key: /etc/ssh/ssh_host_ed25519_key
```

This all started after i ran these commands, in this order :

```
rm /etc/ssh/ssh_host_*key*

ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null          # i add a complex passphrase when requested.
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null               # i add a complex passphrase when requested.

ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all
```

Now when I connect with Putty, I do get a new SSL certif notifier and I can connect perfectly.
I do not receive errors on boot if I do the above commands without passphrase.
But I do want the passphrases because apparently it enhances my security by encrypting my private keys.
However, I am at a loss why it mentions an incorrect passphrase when I can run the commands (with passphrase) without issues.


----------



## SirDice (Dec 28, 2018)

SSL and SSH have nothing to do with each other. Both use certificates, yes, but use them in different ways. Your issue has nothing to do with SSL.

Don't put a password on the host keys. If you want to improve your security set a password on your user's private key.

In order to fix this mess, remove the incorrect host keys (those /etc/ssh/ssh_host_*_key files) and (re)start the sshd(8) service. Proper host keys will be automatically generated if they're missing.


----------



## fastbikkel (Dec 28, 2018)

Hi SirDice,

thanks for the quick reply, i appreciate that.

I am sorry for the confusion about ssh/ssl, i see what you mean.

In response to your suggestion on the action to take...
I have done rm /etc/ssh/ssh_host_*key* and restarted sshd with service sshd restart, but now it tells me :

```
Performing sanity check on sshd configuration.
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
```

I possibly did a wrong restart.

Could I get the same if I just regenerate them without a passphrase?


----------



## SirDice (Dec 28, 2018)

If you look at the actual service script; /etc/rc.d/sshd and specifically the precmd routines, you'll see they should be created automatically if they don't exist. But now I'm starting to doubt when this actually gets executed. Try fully stopping, then starting the service; `service sshd stop && service sshd start`. A restart might be treated a little differently. 

If all else fails, yes, you can also (re)create them by hand. Just look at the rc(8) script for exact ssh-keygen(1) options and filenames you need to use.


----------



## fastbikkel (Dec 28, 2018)

Thanks SirDice, 

I will look at the full stop/start.
Very interesting stuff.

This is all part of me trying to improve security for a server that I want to put out there on the internet.
I am taking my sweet time in trying to shut as many doors as possible before I put it online.


----------



## SirDice (Dec 28, 2018)

fastbikkel said:


> This is all part of me trying to improve security for a server that I want to put out there on the internet.


With regards to ssh and other services, also take a look at blacklistd(8), security/sshguard and/or security/py-fail2ban. 



fastbikkel said:


> I am taking my sweet time in trying to shut as many doors as possible before I put it online.


Take as much time as you need. But remember the very second you put that server online it's going to get hit by bots rattling on your doors. That's an unfortunate reality nowadays. So the best "defense" is to not enable services if you don't need or use them. They can't break into something if it's not available.


----------



## VladiBG (Dec 28, 2018)

Your host  private key is locked using passphrase and when the ssh try to read it can't unlock it. You can unlock it manually and then point ssh to use the unlocked private key using the following command:

`openssl rsa -in privatekey.key -out unlocked_privatekey.key`

Or when you generate the key at the first time do not specify the passphrase.

When you create a USER certificate/key THEN use the passphrase it's located under ~/.ssh/

mini howto:

1. Login on the server using the User which is member of the wheel group.

2. Generate the user public/private rsa key pair and provide a passphrase for the key
`% ssh-keygen -t rsa`
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter the passphrase

3. Authorize the public key
`% cat /home/user/.ssh/id_rsa.pub >> /home/user/.ssh/authorized_keys`

4. Copy the private key from the host to your windows OS computer
`cmd`
`cd %userprofile%\Documents`
`scp user@domain:.ssh/id_rsa .`

5. If you are using PuTTy convert the private key to the format that PuTTy uses.
`start C:\Program Files\PuTTY\puttygen.exe`
load an existing private key file from %userprofile%\Documents\id_rsa _select All Files (*.*) to view all files_
Save private key %userprofile%\Documents\username.ppk

6. On the host edit /etc/ssh/sshd_config
`ChallengeResponseAuthentication no`

7. Restart the sshd service
`# service sshd restart`

8. From your client machine start PuTTy
Enter Hostname/IP address of the server then under _Connection->SSH->Auth_ select Browse and point to your %userprofile%\Documents\username.ppk key

9. If you are using Windows SSH client

Disable Inheritance of the id_rsa file and Remove all inherited permissions from the object. Then grant your Username Full Control of the file.
`icacls id_rsa /inheritance:r /grant %username%:F`

After that use
`ssh user@domain -i id_rsa`


----------



## fastbikkel (Dec 31, 2018)

Thanks a lot guys, i appreciate this.
I am looking into the answers and applying them as much as i can.


----------



## fastbikkel (Dec 31, 2018)

VladiBG said:


> 5. If you are using PuTTy convert the private key to the format that PuTTy uses.
> `start C:\Program Files\PuTTY\puttygen.exe`
> load an existing private key file from %userprofile%\Documents\id_rsa _select All Files (*.*) to view all file_
> Save private key %userprofile%\Documents\username.ppk


I reach this point.
I'm now looking for a solution on the internet for this. When i do these actions, upon opening my key file, puttygen tells me : couldn't load private key (unrecognised cipher name)
The first solutions i have seen is to remove the passphrase, but that goes against what im trying to do here. Because i have a passphrase with reason.
I confirmed im actually trying to load the private key, not the pub key.

Apparently it's not the number of bits that is blocking me (4096bit).
There are some suggestions on sites, but they are different from what im trying to achieve.

The search goes on.


----------



## SirDice (Dec 31, 2018)

Don't generate the private key on FreeBSD if you want to use it with PuTTY. Just use PuTTYgen to generate one and save it. Copy/paste the contents from the PuTTYgen screen (the part below "Public key for pasting into OpenSSH authorized_keys file") to the receiving host and your ~/.ssh/authotized_keys (this file can contain more than one key, you can have as many as you want). 

The "receiving" end of the connection doesn't need to have your private key.


----------



## SirDice (Dec 31, 2018)

Useful on Windows, drag 'n drop PuTTY's Pageant into your "Startup" folder. Edit the shotcut and at the Target add the location of your key. This will make Pageant start when you login and automatically load your key. Within PuTTY make sure Connection -> SSH -> Auth -> Allow agent forwarding is enabled.

Copy/paste that public key to your ~/.ssh/authorized_keys on every server you want/need to login. The SSH agent forwarding will take care of the rest.


----------



## VladiBG (Dec 31, 2018)

fastbikkel said:


> When i do these actions, upon opening my key file, puttygen tells me : couldn't load private key (unrecognised cipher name)


Hod did you generate your id_rsa and id_rsa.pub? Did you use `ssh-keygen -t rsa`

edit:
 PuTTYgen Release 0.70 and FreeBSD 11.2-RELEASE-p7 work fine with 2048 and 4096


----------



## SirDice (Dec 31, 2018)

Again, don't generate the key on FreeBSD if you're going to use it with Putty. There's no reason to generate it on FreeBSD first only to convert it for use with PuTTY, that makes it unnecessarily complex. Generate the key with PuTTYgen and be done.


----------

