Dear,

Is there any detailed manual about how to set up SSH user certificates? I looked at all the man pages for ssh-keygen, ssh and sshd, but still can't successfully set up user certificates. I write my steps below; would you please help me check whether I'm wrong in anything? Much appreciated!

1) Only use one machine (Red Hat RHEL 5, with OpenSSH 5.4).

# ssh-keygen -s /root/.ssh/id_rsa -I id_test -n root /root/.ssh/id_rsa.pub

Then I get the certificate: /root/.ssh/id_rsa-cert.pub

2) Edit /usr/local/etc/sshd_config with:

TrustedUserCAKeys /root/.ssh/id_rsa.pub

3) # ssh -i /root/.ssh/id_rsa-cert.pub localhost

(In my opinion, if I use this certificate I should not get prompted for a password when I ssh to localhost; however, it always prompts me for the passphrase. I get quite confused because my id_rsa doesn't have a passphrase at all! I also tried to use an identity that has a passphrase, but it doesn't work either. I just don't know what the id_rsa-cert.pub's passphrase should be. Is there anything that I did wrong?)

I attached my ssh and sshd debug logs for your reference. Thanks a lot!
open-ssh fans

SSH log
----------------------------------------------
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa-cert.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa-cert-v00@xxxxxxxxxxx blen 1075
debug1: ssh_rsa_verify: signature correct
debug2: input_userauth_pk_ok: fp 0f:06:06:20:6e:3e:80:50:ee:16:23:fb:48:59:d5:21
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@localhost's password:

SSHD log
----------------------------------------------
debug3: monitor_read: checking request 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for root from 127.0.0.1 port 35662 ssh2
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyallowed: key_from_blob: 0x8468690
debug3: found certificate constraint "permit-X11-forwarding" len 0
debug3: found certificate constraint "permit-agent-forwarding" len 0
debug3: found certificate constraint "permit-port-forwarding" len 0
debug3: found certificate constraint "permit-pty" len 0
debug3: found certificate constraint "permit-user-rc" len 0
Accepted certificate ID "id_test" signed by RSA CA 0f:06:06:20:6e:3e:80:50:ee:16:23:fb:48:59:d5:21 via /root/.ssh/id_rsa.pub
debug3: mm_answer_keyallowed: key 0x8468690 is allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-v00@xxxxxxxxxxx
Postponed publickey for root from 127.0.0.1 port 35662 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method password
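The two logs in the post point at a client-side problem, not a server-side one: sshd reports `Accepted certificate ID "id_test"` and then `Postponed publickey` (it has validated the certificate against TrustedUserCAKeys and is waiting for a signature), while ssh, having offered `/root/.ssh/id_rsa-cert.pub` as its identity, reports `PEM_read_PrivateKey failed` because a certificate file contains no private key to sign with. The Python script below is an added triage example, not part of the original post and not OpenSSH code; it pulls exactly those signals out of `ssh -vvv` and `sshd -ddd` output. The log excerpts embedded in it are constructed from the lines quoted above (the `ssh-rsa-cert-v00@openssh.com` algorithm name is the real OpenSSH identifier, used in place of the redacted one in the post), and the fix it suggests, passing the private key `/root/.ssh/id_rsa` to `-i` so that ssh loads the matching `-cert.pub` by itself, is the behaviour documented in ssh(1) for OpenSSH 5.4 and later.

```python
"""Triage ssh -vvv / sshd -ddd output for a common OpenSSH certificate mistake:
handing the *-cert.pub file itself to `ssh -i`. Added example; excerpts constructed."""
import re

# Constructed client-side excerpt (ssh -vvv), trimmed to the relevant lines.
CLIENT_LOG = """\
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa-cert.pub
debug1: Server accepts key: pkalg ssh-rsa-cert-v00@openssh.com blen 1075
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug1: Next authentication method: password
"""

# Constructed server-side excerpt (sshd -ddd).
SERVER_LOG = """\
debug3: found certificate constraint "permit-pty" len 0
Accepted certificate ID "id_test" signed by RSA CA 0f:06:06:20:6e:3e:80:50:ee:16:23:fb:48:59:d5:21 via /root/.ssh/id_rsa.pub
Postponed publickey for root from 127.0.0.1 port 35662 ssh2
"""

OFFER_RE = re.compile(r"Offering public key: (\S+)")
METHOD_RE = re.compile(r"Next authentication method: (\S+)")
ACCEPTED_RE = re.compile(
    r'Accepted certificate ID "([^"]+)" signed by (\S+) CA (\S+) via (\S+)')
CERT_SUFFIX = "-cert.pub"


def diagnose_client(log):
    """Report why publickey auth did not complete, from ssh -vvv output.

    Tell-tale sequence: a *-cert.pub file is offered, then the client fails to
    read a private key from that same file (a certificate holds none), prompts
    for a passphrase that cannot exist, and falls back to another method.
    """
    result = {"offered": None, "cert_offered_as_identity": False,
              "private_key_load_failed": False, "suggested_identity": None,
              "fallback_methods": []}
    seen_publickey = False
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m:
            result["offered"] = m.group(1)
            result["cert_offered_as_identity"] = m.group(1).endswith(CERT_SUFFIX)
            continue
        if result["offered"] and "PEM_read_PrivateKey failed" in line:
            result["private_key_load_failed"] = True
        m = METHOD_RE.search(line)
        if m and m.group(1) == "publickey":
            seen_publickey = True
        elif m and seen_publickey:
            result["fallback_methods"].append(m.group(1))
    if result["cert_offered_as_identity"] and result["private_key_load_failed"]:
        # ssh -i wants the private key; the matching <key>-cert.pub is loaded
        # automatically (ssh(1), OpenSSH 5.4 and later).
        result["suggested_identity"] = result["offered"][:-len(CERT_SUFFIX)]
    return result


def accepted_certificates(log):
    """Extract certificates sshd accepted against TrustedUserCAKeys.
    'Accepted certificate ID' followed by 'Postponed publickey' means the server
    side is fine: CA trusted, principal matched, waiting for the client's signature."""
    certs = []
    for line in log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            certs.append({"cert_id": m.group(1), "ca_type": m.group(2),
                          "ca_fingerprint": m.group(3), "ca_file": m.group(4),
                          "awaiting_signature": False})
        elif certs and line.startswith("Postponed publickey"):
            certs[-1]["awaiting_signature"] = True
    return certs


def summarize(client_log, server_log):
    """One-paragraph verdict for a ticket or a reply to the list."""
    c = diagnose_client(client_log)
    s = accepted_certificates(server_log)
    if c["suggested_identity"]:
        verdict = (f"Client offered {c['offered']} as the identity and could not load "
                   f"a private key from it; use ssh -i {c['suggested_identity']} instead.")
    else:
        verdict = "No certificate-as-identity problem found on the client side."
    if s:
        verdict += (f" Server accepted certificate {s[0]['cert_id']!r} from CA "
                    f"{s[0]['ca_fingerprint']}, so TrustedUserCAKeys is working.")
    if c["fallback_methods"]:
        verdict += " Client fell back to: " + ", ".join(c["fallback_methods"]) + "."
    return verdict


if __name__ == "__main__":
    print(summarize(CLIENT_LOG, SERVER_LOG))
```

Run it as-is to get the verdict for the post's logs, or feed real `ssh -vvv` and `sshd -ddd` output to `diagnose_client` and `accepted_certificates`. One thing the script does not flag: the post signs the user key with the same key it trusts as the CA (`-s /root/.ssh/id_rsa` and `TrustedUserCAKeys /root/.ssh/id_rsa.pub`). That is fine for a one-machine experiment, but in a real deployment the CA private key should be a dedicated key that never lives on the hosts whose logins it authorizes.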