Ssh config question

I’m very new to ssh management.

I changed and updated my ssh keys and ran into an issue that I can’t figure out.

I’ve used ssh-copy-id to get my ssh keys to the remote machine.

If I ssh -i, the keys work.

If I ssh user@host, I’m prompted for a password.

Using ssh -v,

  • I’m seeing ssh supposedly look at my .ssh/config file, then default to the * config.
  • ssh then tries a bunch of identities that are not even on my machine (id_rsa, id_dsa, id_ecdsa, id_ed25519, id_xmss)
  • none of these keys exist, so I’m not sure where it gets them.

A few additional notes:

  • My .ssh directory only has 4 ssh keys. Since ssh will automatically try the first 5, even if it defaulted to the * config, I would expect the connection to be established with a trusted key.
  • For grins, I went ahead and manually configured the host in the config file. It’s still not recognizing it.
    Host server
    HostName 10.10.1.2
    User root
    IdentityFile ~/.ssh/id.pem

But typing:
ssh root@10.10.1.2

gets the following result:


OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/uid/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 10.10.1.2 [10.10.1.2] port 22.
debug1: Connection established.
debug1: identity file /Users/uid/.ssh/id_rsa type -1
debug1: identity file /Users/uid/.ssh/id_rsa-cert type -1
debug1: identity file /Users/uid/.ssh/id_dsa type -1
debug1: identity file /Users/uid/.ssh/id_dsa-cert type -1
debug1: identity file /Users/uid/.ssh/id_ecdsa type -1
debug1: identity file /Users/uid/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/uid/.ssh/id_ed25519 type -1
debug1: identity file /Users/uid/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/uid/.ssh/id_xmss type -1
debug1: identity file /Users/uid/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 10.10.1.2:22 as ‘root’
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256: (removed_hidden)
debug1: Host ‘10.10.1.2’ is known and matches the ECDSA host key.
debug1: Found key in /Users/uid/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /Users/uid/.ssh/id_rsa
debug1: Will attempt key: /Users/uid/.ssh/id_dsa
debug1: Will attempt key: /Users/uid/.ssh/id_ecdsa
debug1: Will attempt key: /Users/uid/.ssh/id_ed25519
debug1: Will attempt key: /Users/uid/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/uid/.ssh/id_rsa
debug1: Trying private key: /Users/uid/.ssh/id_dsa
debug1: Trying private key: /Users/uid/.ssh/id_ecdsa
debug1: Trying private key: /Users/uid/.ssh/id_ed25519
debug1: Trying private key: /Users/uid/.ssh/id_xmss
debug1: Next authentication method: password
root@10.10.1.2’s password:

I know I’m missing something simple, but I can’t figure it out. Help is appreciated.

I have never had that issue before, but maybe this would help.

Yeah – I’ve read through most of the man pages on ssh, ssh agent and config.

I’m not trying to keep my identities in any location other than the standard /Users/homedir/.ssh directory.

I’m also using a Mac. I’m not sure if this is causing me any grief, but it’s worked fine in the past. Looking at the logs, it would appear that it’s looking in the right places, but it’s not “seeing” my config or the identities configured in that directory. I’ve rebooted the machine and am currently out of ideas. The most baffling thing is that if I use the ssh -i option, it works. I could create an alias, but that just feels like a cop-out. I’m determined to get it working properly.

OK – evidently, on a Mac, you have to do an extra step that I don’t recall having to do on other Linux distros with a proper config file.

I had to run ssh-add -K .ssh/keyfile for each key I wanted.

It still feels like I’m not understanding something here, but it’s at least working.

I don’t think I had to do this on my Mac. All I did was copy the key to my .ssh folder.

I have to verify tomorrow; you have me curious.

I have a MBP and I don’t ever remember doing the ssh-add key command. I’m using iterm2 if that matters as the client.

Yeah, I’m using iTerm as well. I really thought the only advantage to the ssh-add was if you wanted to save the ssh key passphrase in the keychain, which I really don’t care anything about. I didn’t uninstall/re-install ssh, but I guess I could. It completely ignored my .ssh config file and the keys stored there. If you look at the verbose output in my original post, you’ll see that it never even acknowledged the keys there.

I’m also curious to see if anyone else on a Mac runs ssh -v, does it attempt to use the generic id_rsa, id_dsa IDs? Those IDs listed are not even on my computer and never have been.

I think your config file is messed up. My first line is:

# ssh -v archzfsproxy
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/kevdog/.ssh/config

Thanks for running that for me. I’ll re-install SSH tomorrow and see if I can get it to work on a standard config file.

Well, a little more digging on this one, and I’m confused. The only thing I’ve verified is that it is reading my config file, and there is probably some typo that is biting me in the rear.

If I change my .ssh/config file to this (the forum is deleting the tabs, but they are in there):

Host *
IdentityFile /Users/<userid>/.ssh/<key>.pem

and ssh to my host, 10.10.1.2, everything works as desired.

However, if I change my .ssh/config file to this:

Host server
HostName 10.10.1.2
IdentityFile /Users/<userid>/.ssh/<key>.pem

ssh looks at the file, does not find a match and then starts using the defaults – none of which exist on my machine, which then causes the server to default to asking for a password.

Any ideas?

It’s Hostname and not HostName

Nope…HostName is the proper term.

https://www.ssh.com/ssh/config/

I tried Hostname just for grins, as well as hostname. Both failed.

I’m sure my mistake is something silly like that, but I can’t find it for the life of me.

Just a follow up here. I completely deleted the file and recreated it, and everything is working. The only thing I can think of is that there is some weird non-printable character in there that was causing the matching of hosts to fail. Maybe this will help someone in the future. Thanks to everyone who gave suggestions!
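As an added example (not code from the thread), a small Python checker that parses an ssh_config the way ssh matches Host blocks and flags characters outside printable ASCII, the kind of invisible defect that makes a Host block never match; the sample config with the stray U+00A0 after the alias is constructed.

```python
"""Added example (not code from the thread): a minimal ssh_config checker.
Mimics ssh(1): keywords are case-insensitive, Host patterns take * and ?,
the first value for a keyword wins, IdentityFile accumulates. No Match/Include."""
import fnmatch
import re

# Constructed sample: a non-breaking space after "server" turns the pattern
# into "server\u00a0", which never matches the alias typed on the command line.
BROKEN_CONFIG = (
    "Host server\u00a0\n"
    "\tHostName 10.10.1.2\n"
    "\tIdentityFile /Users/uid/.ssh/key.pem\n"
    "Host *\n"
    "\tIdentityFile ~/.ssh/fallback\n"
)

def find_suspicious_chars(text):
    # (line, column, repr) of every character that is not printable ASCII or TAB
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for i, ch in enumerate(line):
            if ch != "\t" and not 0x20 <= ord(ch) < 0x7F:
                hits.append((n, i + 1, repr(ch)))
    return hits

def parse_config(text):
    """[(patterns, {keyword: [values]})]; options before the first Host line
    land in an implicit 'Host *' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip(" \t")  # not .strip(): that would silently eat U+00A0
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^ \t=]+)[ \t=]*(.*)", line)
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((re.split(r"[ \t]+", value), {}))
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks

def resolve(blocks, host, keyword):
    """Values ssh would apply for `keyword` when invoked as `ssh <host>`."""
    keyword, found = keyword.lower(), []
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for v in opts.get(keyword, []):
                found.append(v)
                if keyword != "identityfile":
                    return found  # single-valued keyword: first match wins
    return found
```

On a real system, `ssh -G server` prints the options ssh actually resolved for that alias, which is the quickest way to confirm whether a Host block matched.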
