In an attempt to harden the security of my servers, I'm taking my first steps in implementing key-based SSH logins. However, the following confused me:
After setting up my public and private key, ssh-keygen opted me to secure the private key with a password. Following my own strict password policy, I let my password manager create a strong, lenghty password (which I don't want or need to remember) and copy-pasted it into the terminal (using CTRL+SHIFT+V to paste). All well.
Then I transfered my public key to one of my servers (ProxMox running on Debian) with ssh-copy-id. Worked like a charm:
$ ssh-copy-id admin@server
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 2 key(s) remain to be installed -- if you are prompted now it is to install the new keys
admin@server's password:
Number of key(s) added: 2
Now try logging into the machine, with: "ssh 'admin@server'"
and check to make sure that only the key(s) you wanted were added.
Here's when my confusion starts:
- I type the command exactly as shown above -
ssh 'admin@server' - A full screen popup appears, telling me to "Enter password to unlock private key"
- There's no way for me to switch to my password manager (fancy Ubuntu 20.04 fullscreen popups, yay...)
- I hit 'Cancel' since I have no way to copy-paste the required password from my password manager
- ...and next thing I know I'm logged in as admin@server.
How is this possible? I expected an 'access denied', 'unable to login' or 'unable to access private key', since the private key was never unlocked. But none of that - I'm just logged in. The only thing I see right after I'm logged in is this:
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation
But after that, I can do whatever I want on the server. So... Is this how things are supposed to work? What's the point of putting a password on your private key, if it's ignored anyway? Sounds to me something is seriously broken, or am I missing something?
(P.S. - The 'sign_and_send_pubkey' message disappeared after unlocking the private key properly, but still I think I should not have been granted access to the server before the private key was unlocked, right?)
Judging by the output of
ssh-copy-id, it appears that you have two private/public keypairs on your local machine. I'm guessing that one is protected by a passphrase and the other isn't. You were prompted for the passphrase for one of them but, due to cancelling the prompt, it was not decrypted. It then used the plaintext key for authentication and worked.If you look in your
~/.sshdirectory, how many files look likeid_SOMETHINGwithout the.pubextension? I'm guessing you have two and if you performhead -n 1 /path/to/private_keyone will say encrypted and the other will not.