Brief
I attempted to generate a SSH key for my Github on a Macbook Pro. Yet I encountered the 'Enter PIN for authenticator' issue when I progressed to the step of adding it to the ssh-agent. The bizarre asking is from the following command:
$ ssh-add -K ~/.ssh/id_rsa
Enter PIN for authenticator:
which I totally have no idea what I should type into for this asking. Yet as I typed with the following command, everything just worked as this page revealed.
$ /usr/bin/ssh-add -K ~/.ssh/id_rsa
Identity added: /Users/${user_name}/.ssh/id_rsa (your_email#example.com)
Why there exists this kind of difference ? What exactly you need to type for the asking of 'Enter PIN for authenticator:' ?
Some Info
version information
$ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
$ sw_vers -productVersion
10.15.6
I generated the key with the ed25519 algorithm.
If you use this command
$ ssh-add -K ~/.ssh/id_rsa
you will be asked to enter the PIN for authentication
so instead of that use
$ ssh-add ~/.ssh/id_rsa
You have a second (Brew-installed?) ssh-add in your shell's $PATH which is not the same as the Apple version. In the Apple version -K stores the password in your keychain, so you don't have to type it every time. In the non-Apple version -K "Loads resident keys from a FIDO authenticator."
The ssh-add at:
/usr/bin/ssh-add
is the Apple provided one, and will work with -K.
Update for macOS Monterey (v12)
The -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively.
I have seen on - https://www.ssh.com/academy/ssh/add and found that if we use -'k' (small k) then it is asking about passpharase what I added during ssh key generaion.
for instance my passphrase while creating ssh key was - Pass#123#
after that when i exeute command -
$ssh-add -k ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: (typed here - Pass#123# and press enter)
Identity added: ~/.ssh/id_rsa (xxxxxxx#xxxx.com)
as specified by the man ssh-add page, the -K option is:
-K Load resident keys from a FIDO authenticator.
so you basically tell it to use an authenticator.
What can I solve this problem?
when I wanted to connect my personal GitLab account, I got an error message like the following picture
### shell script
git clone git#gitlab.com:<username>/test1.git
GitLab server-side
Clone ssh address
PS: I have checked and found some reference from StackOverflow but unfortunately it isn't okay for me
1.git clone through ssh
2.SSH and Git Clone
3.git clone with ssh issue
I have found a great reference but sorry for Mandarin website, however, I can use my way to share how to deal with this issue.
Step 1:
ls -al ~/.ssh
Step 2:
ssh-keygen
(using enter key for default value)
Step 3: To setup config file
vim /c/Users/Willie/.ssh/config
Host gitlab.com
HostName gitlab.com
User git
IdentityFile ~/.ssh/id_rsa
Step 4:
git clone git#gitlab.com:<username>/test2.git
Step 5:
When you finished Step 4
1.the test2.git file will be download done
2.you will get the new file(known_hosts) in the ~/.ssh
PS: I create the id_rsa and id_rsa.ub by myself and I deliver it to the Gitlab server. using both keys to any client-sides(windows and Linux).
Check first if you do have a ~/.ssh/id_rsa private key/~/.ssh/id_rsa.pub public key.
If so, check your private key: if it has 70 chars per line, try and regenerate with the old PEM format:
ssh-keygen -m PEM -t rsa -P "" -f ~/.ssh/id_rsa
(That will override your current key, but if said current key is not working anyway, that should be OK).
Update the public key on GitLab side, and try again, with a simple:
ssh -T git#gitlab.com
Using a config file means not using the user and using a shorter name:
Host gitlab
HostName gitlab.com
User git
IdentityFile ~/.ssh/id_rsa
means: ssh -T gitlab or git clone gitlab:<username>/test2.git will work.
ssh localhost
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
i followed all above steps in my teminal for disable the password to start the hadoop services ($start-all.sh) but it is still asking for password please anyone help me to disable password..
Please refer the below link to setup password less ssh it has a best example to get more clarity on ssh setup
https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
Hope this Helps!!!..
I had a world of problems with permissions and the .ssh directory.
I think the permissions had to be 600 too but I can't remember exactly.
Good luck
If you are doing a multi-node setup, all the nodes must be able to communicate with one another without password. On each node, you generate SSH keys. For example using this command :
ssh-keygen -t rsa -b 4096 -C someemail#.example.com
Then you replicate the keys to all the nodes :
ssh-copy-id hadoop#master
ssh-copy-id hadoop#slave-01
ssh-copy-id hadoop#slave-02
etc.
This needs to be done on each node (every node should have all the keys).
Hope this help !
It worked for me.
Use ssh-keygen on local server to generate public and private keys.
$ssh-keygenEnter passphrase (empty for no passphrase):
Enter same passphrase again:
the ssh-copy-id copies public key to the remote host
ssh-copy-id copies public key to remote host
Use ssh-copy-id, to copy the public key to the remote host
ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.200.10
Perform rsync/SCP over ssh without password**
Now, you should be able to ssh to the remote host without entering the password.
ssh 192.168.200.10
Perform the rsync again, it should not ask you to enter any password this time
rsync -avz -e ssh /home/Sangita/ sangita#192.168.200.10:/backup/Sangita/
or
scp /home/Sangita/ sangita#192.168.200.10:/backup/Sangita
I've followed the following guide to setup SSH keys on Mac OS 10.7.4.
https://help.github.com/articles/generating-ssh-keys
But for some reason it continually prompts me for my passphrase. It doesn't prompt me if I don't specify a passphrase, but that isn't desired. Is there a way to cache my passphrase so that I won't be prompted for every pull/push?
You have to add your key file in the ssh-add
ssh-add ~/.ssh/you_key_rsa
After that, it's not will ask any more.
You might need to edit the .git/config file in your git repo and change the url value to use something like user#host:path-to-git-repo.git
The SSH password is used to authenticate users connecting to GIT repositories.
If you're working localy, git shouldn't ask for passwords, obly when doing remote operation, such as clone, push, pull,etc.
If the password annoys you, you can just input a blank password when creating the SSH key, password is not mandatory, however I advise you to use password for extra protection.
I am using Windows 10, and I have found two ways to eliminate the passphrase prompting.
Make sure the ssh agent is started and you have added your key
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/id_rsa
The second command will prompt you for your passphrase, and then you will not be prompted for any other git commands run in this session.
You will need to run these commands again for every new bash session
Remove the passphrase from you key file:
$ ssh-keygen -p -f ~/.ssh/id_rsa
When prompted, just strike enter key for the new passphrase.
Option 2 will permanently remove the passphrase for all git commands. Of course it also makes you key file "unsecured"
Note: If you are using git desktop GUI ( Version 1.04+) Option 2 is required for the GUI to work.
I am new to EC2. I created my security credentials from this site:
http://paulstamatiou.com/how-to-getting-started-with-amazon-ec2
It worked great, I rebooted and now when I try to connect I get a login/password prompt. (Which I never set up.) After several attempts I get this error:
Permission denied (publickey,gssapi-with-mic).
What am I doing wrong?
Two possibilities I can think of, although they are both mentioned in the link you referenced:
You're not specifying the correct SSH keypair file or user name in the ssh command you're using to log into the server:
ssh -i [full path to keypair file] root#[EC2 instance hostname or IP address]
You don't have the correct permissions on the keypair file; you should use
chmod 600 [keypair file]
to ensure that only you can read or write the file.
Try using the -v option with ssh to get more info on where exactly it's failing, and post back here if you''d like more help.
[Update]: OK, so this is what you should have seen if everything was set up properly:
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Are you running the ssh command from the directory containing the ec2-keypair file ? If so, try specifying -i ./ec2-keypair just to eliminate path problems. Also check "ls -l [full path to ec2-keypair]" file and make sure the permissions are 600 (displayed as rw-------). If none of that works, I'd suspect the contents of the keypair file, so try recreating it using the steps in your link.
The key for me to be able to connect was to use the "ec2-user" user rather than root. I.e.:
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
+1
I noticed that for some AMIs like Amazon Linux, ec2-user#xxx.XX.XX.XXX would work. But for an ubuntu image, I had to use ubuntu# instead. It was never a problem with the .pem, just with the user name.
In my case it's because the permission for my home directory is 775, and SSH is not happy about it. It should work after executing:
server$ chmod go-w ~/
server$ chmod 700 ~/.ssh
server$ chmod 600 ~/.ssh/authorized_keys
I had very similar experience this afternoon. I was setting up django on EC2, and suddenly I cannot SSH into the box anymore. Glad I still had an active connection, so I modified /etc/ssh/sshd_config to set:
PasswordAuthentication yes
and set password for ec2-user, then I can login by entering the password.
However, after some googling I found this thread: http://ubuntuforums.org/showthread.php?t=577279. It turned out that during my setup of django I changed the permission for my home directory, and SSH is very strict about this. So the file permission must be set correctly.
I had met this problem too.And I found that happend beacuse I forgot to add the user-name before the host name:
like this:
ssh -i test.pem ec2-32-122-42-91.us-west-2.compute.amazonaws.com
and I add the user name:
ssh -i test.pem ec2-user#ec2-32-122-42-91.us-west-2.compute.amazonaws.com
it works!
Tagging on to mecca831's answer:
ssh -v -i generated-key.pem ec2-user#11.11.11.11
[ec2-user#ip-11.11.11.11 ~]$ sudo passwd ec2-user
newpassword
newpassword
[ec2-user#ip-11.11.11.11 ~]$ sudo vi /etc/ssh/sshd_config
Modify the file as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# EC2 uses keys for remote access
#PasswordAuthentication no
Save
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd stop
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd start
you should be able to exit and ssh in as follows:
ssh ec2-user#11.11.11.11
and be prompted for password no longer needing the key.
Are you sure you have used the right instance? I ran into this problem and realized that something like 4 of the ubuntu instances i tried did not have SSH servers installed on them.
For a list of good servers see "Getting the images" about half way down. Sounds like you may be using something else... the default username is ubuntu on these images.
https://help.ubuntu.com/community/EC2StartersGuide
I was able to login using ec2-user
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
After about a half hour of searching and trying to debug this I was able to figure it out. My situation involved me using the same pem file for two different ec2 instance and it working for one and not the other.
My first instance it worked on was the standard aws linux ami amzn-ami-hvm-2014.03.2.x86_64-ebs. I simply used
ssh -i mypemfile.pem ec2-user#myec2ipaddress
and it worked.
I then launched a fedora instance Fedora-x86_64-19-20140407-sda and tried the same command but kept getting:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
After changing my username from ec2-user to fedora it worked!
ssh -i mypemfile.pem fedora#myec2address
None of the above helped me, but futzing with the user seemed like it had promise. For my config using 'ubuntu' was right.....
ssh -i [full path to keypair file] ubuntu#[EC2 instance hostname or IP address]
I recommend against setting a password as some other answers suggest. Using the key file is both safer (no one can guess your passwords) and more convenient (once you set up a config file). Here's a basic ~/.ssh/config:
Host my-ec2-server
HostName 11.11.11.11
User ec2-user
IdentityFile /path/to/generated-key.pem
Now you can just type ssh my-ec2-server and you're in! And as also mentioned in other answers, use -v to get extra info when your connection isn't working.
If the issue is consistent and happened about 10-15 times in a row even after changing file permissions to 400 or 600, then it is most certainly something is wrong on the ec2 instance, so to make sure:
Check the logs when you try to ssh to the instance by adding -v at the end and see either it gives out anything specific.
Make sure you use the correct name for ssh, like Ubuntu. Perhaps that depends on Linux distribution and users you added and either you've given permission for "root user" ssh.
Then if nothing helps, follow the documentation here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectingMindTerm
to fix that. It helped in my case, and it happened because of messed up directories/files permissions.
If you have a PPK file working on a PC, then export it as OpenSSH file using puttygen.exe for PC and use that on Mac (any Unix machine).
I was getting the same error --
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic)
As I was using a PPK file on Windows, I followed the steps as described above and Bingo!
$ ssh -i ec2-openssh-key root#ec2-instance-ip
I had the same problem using the AWS Toolkit for Eclipse. I created the Getting Started instance OK and opened a shell. However, the user was set to ec2-user. I used the Open Shell As... command and set the user to root. Then it worked.
Had a similar issue. Here are the steps used to setup SSH keys and forwarding on the Mac. Made these notes for myself - may help someone... check against your config.
The assumption here is there are no keys setup. If you already have the keys setup skip this section.
$ ssh‐keygen ‐t rsa ‐b 4096
Generating public/private rsa key pair.
Enter a file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Modify ~/.ssh/config adding the entry for the key file:
~/.ssh/config should look similar to:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
Store the private key in the keychain:
$ ssh‐add ‐K ~/.ssh/id_rsa
Go test it now with: ssh -A username#yourhostname
Should forward your key to yourhostname. Assuming your keys are added on you should connect without issue.
I was getting this error when I was trying to ssh into an ec2 instance on the private subnet from the bastion, to fix this issue, you've to run (ssh-add -K) as follow.
Step 1: run "chmod 400 myEC2Key.pem"
Step 2: run "ssh-add -K ./myEC2Key.pem" on your local machine
Step 3: ssh -i myEC2Key.pem root#ec2-107-20-4-100.compute-1.amazonaws.com
Step 4: Now try to ssh to EC2 instance that is on a private subnet without specifying the key, for example, try ssh ec2-user#ipaddress.
Hope this will help.
Note: This solution is for Mac.