Yeah. But how does the ssh server know that it is a signed key? I understand with regular keys. But the problem is with the signed keys.

On Tue, Apr 10, 2018 at 1:19 PM Scott Neugroschl <scott_n@xxxxxxxxx> wrote:
> You do not use the Public key file as an identity file. Just the private
> key. Do not use the .pub file with -i.
>
> -----Original Message-----
> From: openssh-unix-dev <openssh-unix-dev-bounces+scott_n=xypro.com@xxxxxxxxxxx> On Behalf Of Naren K
> Sent: Tuesday, April 10, 2018 10:36 AM
> To: openssh-unix-dev@xxxxxxxxxxx
> Subject: Signed SSH key issue with OpenSSH6.4p1
>
> Hi All,
>
> Please pardon me if it is the wrong list to ask how-to etc.
>
> I am having an issue with the Signed SSH keys. I am being asked for the
> passphrase for my signed public key, even though I don't have any.
>
> I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> 1) I have a ca server with ca user keys (ca-user-key.pub)
> 2) I created user ssh rsa keys (user-id-org and user-id-org.pub).
> 3) I signed the "user-id-org.pub" with "ca-user-key.pub" and generated
>    "signed-user-id-org.pub".
> 4) I copied "ca-user-key.pub" to the destination server (dest1.domain.com)
>    and changed "TrustedUserCAKeys /etc/ssh/ca-user-key.pub" in
>    /etc/ssh/sshd_config.
> 5) I am trying to get into "dest1.domain.com" using the "user-id-org"
>    as well as "signed-user-id-org.pub".
>    [ ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com ]
>
> However, I am being asked for the passphrase for signed-user-id-org.pub
> which I don't have. Below is the output that I pasted from the terminal.
>
> [root@lab-linux1 .ssh]# ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com
> Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
> Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
>
> But, if I change the ssh key names to id_rsa, id_rsa.pub and
> id_rsa-cert.pub, simply using either "id_rsa" or "id_rsa-cert", I
> can do SSH without any issues and without any prompting. I am confused
> here and I don't understand why I have to use only the id_rsa as opposed to
> any name that I am pointing to using the file path.
>
> Failed scenarios:
>
> 1. I tried giving the options using -o, i.e. (ssh -o 'IdentityFile
>    /root/.ssh/id_rsa' -o 'CertificateFile /root/.ssh/signed-cert.pub'
>    root@xxxxxxxxxxxxxxx).
>    · command-line: line 0: Bad configuration option: certificatefile
>
> 2. Tried by changing the ~/.ssh/config or /etc/ssh/ssh_config
>    · same problem, it says Bad configuration option: certificatefile
>
> 3. Tried renaming the files to test_id_rsa and test_id_rsa.pub and
>    test_id_rsa-cert.pub.
>    · Asking for the passphrase of the signed cert.
>
> Successful scenarios:
>
> 1. When I rename all the keys to the default named id_rsa, id_rsa.pub
>    and id_rsa-cert.pub.
>    · No issues, I could ssh into the servers using either the private key
>      or the signed key. [assuming the file names are being automatically
>      taken from a switch case in the code base.]
>
> What should I do?
>
> - Can anyone suggest how to get around this issue? I want to use my
>   own naming convention and my custom location for the keys.
>
> Any help is appreciated and thanks in advance.
>
> NK.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
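The walk-through below is an added example and is not part of the thread or of OpenSSH's own code. It reproduces the signing steps from the original report with constructed key names, and it shows the two facts the thread circles around: ssh and sshd recognise a certificate by the key type string inside the file (for example `ssh-rsa-cert-v01@openssh.com`), not by the file name; and a client without the `CertificateFile` option (that option only appeared in OpenSSH 7.2) finds a certificate for `-i <key>` solely by looking for `<key>-cert.pub` next to the private key. A certificate passed directly with `-i` is read as if it were a private key, which is why the client prompts for a passphrase it cannot decrypt. The key generation part is skipped when `ssh-keygen` is not installed.

```shell
#!/bin/sh
# Added example (not from the thread). Key names and paths are constructed.
set -eu

# Return 0 if the first field of a public-key-format file names an
# OpenSSH certificate type (*-cert-v01@openssh.com). This is the same
# property ssh/sshd use to tell a certificate from a plain public key;
# the file name plays no part in it.
is_cert_file() {
    read -r ktype rest < "$1"
    case "$ktype" in
        *-cert-v01@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the certificate path an OpenSSH client looks for when it is
# given "-i <identity>" and no CertificateFile is configured.
default_cert_path() {
    printf '%s-cert.pub\n' "$1"
}

# End-to-end: create a CA key, a user key, sign the user key, and confirm
# the certificate landed where "ssh -i <dir>/user-id-org" will find it.
demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found, skipping key generation demo"
        return 0
    fi
    dir=$(mktemp -d)
    # CA key (kept on the CA host) and user key (kept by the user).
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$dir/ca-user-key" -C 'demo CA'
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$dir/user-id-org" -C 'demo user'
    # Sign: -s CA private key, -I key id (appears in sshd logs),
    # -n allowed principal(s), -V validity window (relative form).
    ssh-keygen -q -s "$dir/ca-user-key" -I 'user1@lab' -n user1 -V +1h \
        "$dir/user-id-org.pub"
    cert=$(default_cert_path "$dir/user-id-org")
    # ssh-keygen writes <key>-cert.pub by default, which is exactly the
    # name the client searches for next to the private key.
    is_cert_file "$cert" && echo "certificate found at $cert"
    # Inspect the certificate: type, key id, principals, validity.
    ssh-keygen -L -f "$cert"
    rm -rf "$dir"
}

demo
```

If a certificate must live under a different name, rename it (or symlink it) to `<private-key>-cert.pub` beside the private key it belongs to; `ssh-keygen -L -f <file>` is the quick way to confirm a file is a certificate and to read the principals and validity window sshd will enforce.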