pka passphrase not working



Hello, I am using OpenSSH 4.3.
Connecting raw to the server, I get this header:
"SSH-1.5-OpenSSH_4.3"

I built from source using the default options; configure, make and make
install.

The following is my sshd_config:

Port 22
Protocol 2,1
HostKey /usr/local/etc/ssh_host_key
StrictModes yes
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no

My goal using this config mainly is to have it so a user must have a copy of
the private key, and their public key must be in the authorized_keys file
for that user.



What I would also like to do is have a passphrase for the private key. When
I do so with ssh-keygen, sshd won't load. A "can't load key" type of message
is given.

Secondly, if the user has the private key, and their public key is in the
authorized_keys file, I would like sshd to then further authenticate with the
user's local password. How can I make it so that PKA, passphrase and
password authentication both take place?

Currently with this config, when the user connects, the client tries PKA. If
successful, they are dropped to a shell. If PKA is not successful, they are
given a password prompt, to which the correct user password does not
succeed. I want to add a passphrase, and also require password
authentication following the PKA.


I created my public/private keys using this:
ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N "passphrase"

However, adding a passphrase to the private key causes sshd's failure to
load. Leaving it null causes sshd to load.
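
The failure described in the post, as an added example that is not part of the original post: a Python check that reads an sshd_config, finds each HostKey file, and reports whether that key is passphrase-protected. sshd loads host keys at startup without prompting, so an encrypted one fails to load. The `read_key` callback and the key header in the sample are constructed for illustration.

```python
import base64
import struct

RSA1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"  # SSH-1 (rsa1) key file id
V1_MAGIC = b"openssh-key-v1\x00"                       # current OpenSSH format

def key_is_encrypted(blob):
    """Return True if a private key file is passphrase-protected."""
    if blob.startswith(RSA1_MAGIC):
        return blob[len(RSA1_MAGIC)] != 0              # cipher type byte, 0 = none
    lines = blob.decode("ascii", "replace").splitlines()
    if any("BEGIN OPENSSH PRIVATE KEY" in l for l in lines):
        raw = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
        if not raw.startswith(V1_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", raw[15:19])         # length of cipher name
        return raw[19:19 + n] != b"none"
    if any(l.startswith("-----BEGIN") for l in lines): # legacy PEM or PKCS#8
        return any("ENCRYPTED" in l for l in lines
                   if l.startswith(("-----BEGIN", "Proc-Type:")))
    raise ValueError("unrecognised private key format")

def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values, in file order."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def audit(config_text, read_key):
    """read_key(path) -> bytes is a caller-supplied (hypothetical) file reader."""
    opts = parse_sshd_config(config_text)
    findings = []
    if "1" in opts.get("protocol", [""])[0].replace(" ", "").split(","):
        findings.append("Protocol enables SSH-1")
    for path in opts.get("hostkey", []):
        if key_is_encrypted(read_key(path)):
            findings.append("HostKey %s has a passphrase; sshd cannot prompt for it" % path)
    return findings

# Constructed sample: settings from the post plus a fake rsa1 header (cipher type 3 = 3DES).
CONFIG = "Port 22\nProtocol 2,1\nHostKey /usr/local/etc/ssh_host_key\nPasswordAuthentication no\n"
FAKE_KEYS = {"/usr/local/etc/ssh_host_key": RSA1_MAGIC + b"\x03" + b"\x00" * 4}

if __name__ == "__main__":
    for finding in audit(CONFIG, FAKE_KEYS.__getitem__):
        print(finding)
```

The passphrase the post asks for belongs on each user's own private key on the client side, which this check does not touch.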


