SSH key-based login succeeds without unlocking private key, what gives?


In an attempt to harden the security of my servers, I’m taking my first steps in implementing key-based SSH logins.
However, the following confused me:
After setting up my public and private key, ssh-keygen prompted me to secure the private key with a password. Following my own strict password policy, I let my password manager create a strong, lengthy password (which I don’t want or need to remember) and copy-pasted it into the terminal (using CTRL+SHIFT+V to paste). All well.
Then I transferred my public key to one of my servers (ProxMox running on Debian) with ssh-copy-id. Worked like a charm:
$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 2 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 2

Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

Here’s when my confusion starts:

I type the command exactly as shown above – ssh '[email protected]'
A full screen popup appears, telling me to “Enter password to unlock private key”
There’s no way for me to switch to my password manager (fancy Ubuntu 20.04 fullscreen popups, yay…)
I hit ‘Cancel’ since I have no way to copy-paste the required password from my password manager
…and next thing I know I’m logged in as [email protected]

How is this possible? I expected an ‘access denied’, ‘unable to login’ or ‘unable to access private key’, since the private key was never unlocked. But none of that – I’m just logged in. The only thing I see right after I’m logged in is this:
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation
But after that, I can do whatever I want on the server. So… Is this how things are supposed to work? What’s the point of putting a password on your private key, if it’s ignored anyway? Sounds to me like something is seriously broken, or am I missing something?
(P.S. – The ‘sign_and_send_pubkey’ message disappeared after unlocking the private key properly, but still I think I should not have been granted access to the server before the private key was unlocked, right?)
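The ssh-copy-id output above reports "Number of key(s) added: 2" and asks the user to check that only the intended keys were added. The script below is an added example, not code from the original post: it parses an authorized_keys file, computes each entry's fingerprint the way `ssh-keygen -lf` prints it (SHA256 of the decoded key blob, base64 without padding), and reports any key that is not on an allow-list of expected fingerprints, plus any entry whose declared key type does not match the type inside the blob. The sample file content and the key material in it are constructed for the example and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file against expected key fingerprints.

Added example (not from the original post). The sample authorized_keys text
and all key material below are constructed; they are not real keys.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass
class AuthorizedKey:
    options: str        # leading option list such as from="..." (empty if none)
    declared_type: str  # key type as written on the line
    blob: bytes         # decoded public key in OpenSSH wire format
    comment: str

    @property
    def wire_type(self) -> str:
        """Key type stored inside the blob (its first length-prefixed string)."""
        (n,) = struct.unpack(">I", self.blob[:4])
        return self.blob[4:4 + n].decode()

    @property
    def fingerprint(self) -> str:
        """Same format as `ssh-keygen -lf`: SHA256:<base64 digest, no padding>."""
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys lines, skipping blanks and comments.

    An optional leading options field is recognised by checking whether the
    first token is a key type. Quoted spaces inside options are not handled.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        head = line.split(None, 1)
        if head[0] not in KEY_TYPES and len(head) == 2:
            options, line = head[0], head[1]
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed authorized_keys line: {raw!r}")
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(AuthorizedKey(options, parts[0], base64.b64decode(parts[1]), comment))
    return keys


def audit(keys, expected_fingerprints):
    """Split entries into (expected, unexpected, type-mismatched) lists."""
    ok, unexpected, mismatched = [], [], []
    for k in keys:
        if k.wire_type != k.declared_type:   # sshd treats such a line as malformed
            mismatched.append(k)
        elif k.fingerprint in expected_fingerprints:
            ok.append(k)
        else:
            unexpected.append(k)
    return ok, unexpected, mismatched


# --- constructed sample data (hypothetical keys, not real material) ----------
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


_KEY_A = _string(b"ssh-ed25519") + _string(bytes(range(32)))
_KEY_B = _string(b"ssh-rsa") + _mpint(65537) + _mpint(int.from_bytes(b"\x5a" * 256, "big"))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: two keys pushed by ssh-copy-id plus one broken line",
    "ssh-ed25519 " + base64.b64encode(_KEY_A).decode() + " user@laptop",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(_KEY_B).decode() + " user@laptop-rsa",
    "ssh-rsa " + base64.b64encode(_KEY_A).decode() + " mislabelled-entry",
])


def run_sample():
    """Audit the sample file, allowing only the ed25519 key; returns the three lists."""
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    allow = {keys[0].fingerprint}
    return audit(keys, allow)


if __name__ == "__main__":
    ok, unexpected, mismatched = run_sample()
    for k in unexpected:
        print(f"UNEXPECTED  {k.declared_type} {k.fingerprint} {k.comment}")
    for k in mismatched:
        print(f"MISMATCHED  declared {k.declared_type}, blob says {k.wire_type}: {k.comment}")
```

To use it on a real server, feed it the contents of `~/.ssh/authorized_keys` and an allow-list built from `ssh-keygen -lf` on the one public key you meant to install; anything reported as UNEXPECTED is a key that also grants access and should be reviewed. On the client side, `ssh -v` shows which key the client offered and which one the server accepted, which tells you whether the passphrase-protected key was actually the one used for a given login.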
