In an attempt to harden the security of my servers, I’m taking my first steps in implementing key-based SSH logins.
However, the following confused me:
After setting up my public and private key, ssh-keygen prompted me to secure the private key with a password. Following my own strict password policy, I let my password manager create a strong, lengthy password (which I don’t want or need to remember) and copy-pasted it into the terminal (using CTRL+SHIFT+V to paste). All well.
Then I transferred my public key to one of my servers (ProxMox running on Debian) with ssh-copy-id. Worked like a charm:
$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 2 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]’s password:
Number of key(s) added: 2
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Here’s when my confusion starts:
I type the command exactly as shown above – ssh '[email protected]'
A full screen popup appears, telling me to “Enter password to unlock private key”
There’s no way for me to switch to my password manager (fancy Ubuntu 20.04 fullscreen popups, yay…)
I hit ‘Cancel’ since I have no way to copy-paste the required password from my password manager
…and next thing I know I’m logged in as [email protected]
How is this possible? I expected an ‘access denied’, ‘unable to login’ or ‘unable to access private key’, since the private key was never unlocked. But none of that – I’m just logged in. The only thing I see right after I’m logged in is this:
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation
But after that, I can do whatever I want on the server. So… Is this how things are supposed to work? What’s the point of putting a password on your private key, if it’s ignored anyway? Sounds to me something is seriously broken, or am I missing something?
(P.S. – The ‘sign_and_send_pubkey’ message disappeared after unlocking the private key properly, but still I think I should not have been granted access to the server before the private key was unlocked, right?)
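Two small helpers, added here as an example and not part of the question above, for working out which key a server actually accepted when ssh-copy-id has installed more than one (the transcript says "Number of key(s) added: 2"). The first reads the server's authorized_keys file; the second picks the "Server accepts key:" line out of `ssh -v` output. The sample files are constructed inline so the script runs offline, and the log format assumed is that of OpenSSH 8.x (as shipped with Ubuntu 20.04); the key data and paths in the samples are placeholders.

```shell
#!/bin/sh
# Added example: audit which keys are installed and which one authenticated.
# Assumes the standard "keytype base64 [comment]" authorized_keys format
# (lines with a leading options field are not handled) and OpenSSH 8.x
# debug output.

# Print "keytype comment" for every key in an authorized_keys file ($1),
# skipping blank lines and comments.
list_authorized_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
        awk '{ print $1, ($3 == "" ? "(no comment)" : $3) }'
}

# Number of keys that can log in via this authorized_keys file ($1).
count_authorized_keys() {
    list_authorized_keys "$1" | wc -l | tr -d ' '
}

# Given a file ($1) holding `ssh -v user@host 2>&1` output, print the path of
# the identity the server accepted. OpenSSH offers keys one at a time; the
# first "Server accepts key:" line names the key that was used.
accepted_identity() {
    sed -n 's/^debug1: Server accepts key: \([^ ]*\) .*/\1/p' "$1" | head -n 1
}

# Constructed sample data (placeholder key material and paths).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample: two keys installed by ssh-copy-id
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedRsaKeyData user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedEd25519Data user@laptop
EOF
cat > "$SAMPLE_DIR/ssh.log" <<'EOF'
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:constructedfp agent
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:constructedfp2
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:constructedfp2
debug1: Authentication succeeded (publickey).
EOF

echo "keys installed: $(count_authorized_keys "$SAMPLE_DIR/authorized_keys")"
list_authorized_keys "$SAMPLE_DIR/authorized_keys"
echo "identity accepted by server: $(accepted_identity "$SAMPLE_DIR/ssh.log")"
```

On a real server, point `count_authorized_keys` at `~/.ssh/authorized_keys` for the account in question; on the client, capture `ssh -v user@host 2>&1 | tee ssh.log` (the debug lines go to stderr) and pass the log to `accepted_identity`. If the accepted identity is not the passphrase-protected one, the login came from a different key, and removing its line from authorized_keys (or adding a passphrase to it with `ssh-keygen -p`) is the fix.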