incorrect passphrase supplied to decrypt private key

fastbikkel

fastbikkel

Dear readers,

I have already searched quite a lot for a possible answer on this, but it looks like I'm either looking in the wrong direction, or I have something that is not so common.

After trying to improve my SSL security, on each boot I get a list of errors in the order of this:
Code: 
Error loading host key "/etc/ssh/ssh_host_ed25519_key" : incorrect passphrase supplied to decrypt private key.
Could not load host key: /etc/ssh/ssh_host_ed25519_key

This all started after i ran these commands, in this order :
Code: 
rm /etc/ssh/ssh_host_*key*

ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null          # i add a complex passphrase when requested.
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null               # i add a complex passphrase when requested.

ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all

Now when I connect with Putty, I do get a new SSL certif notifier and I can connect perfectly.
I do not receive errors on boot if I do the above commands without passphrase.
But I do want the passphrases because apparently it enhances my security by encrypting my private keys.
However, I am at a loss why it mentions an incorrect passphrase when I can run the commands (with passphrase) without issues.
 
SSL and SSH have nothing to do with each other. Both use certificates, yes, but use them in different ways. Your issue has nothing to do with SSL.

Don't put a password on the host keys. If you want to improve your security set a password on your user's private key.

In order to fix this mess, remove the incorrect host keys (those /etc/ssh/ssh_host_*_key files) and (re)start the sshd(8) service. Proper host keys will be automatically generated if they're missing.
 
Hi SirDice,

thanks for the quick reply, i appreciate that.

I am sorry for the confusion about ssh/ssl, i see what you mean.

In response to your suggestion on the action to take...
I have done rm /etc/ssh/ssh_host_*key* and restarted sshd with service sshd restart, but now it tells me :
Code: 
Performing sanity check on sshd configuration.
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.

I possibly did a wrong restart.

Could I get the same if I just regenerate them without a passphrase?
 
If you look at the actual service script; /etc/rc.d/sshd and specifically the precmd routines, you'll see they should be created automatically if they don't exist. But now I'm starting to doubt when this actually gets executed. Try fully stopping, then starting the service; service sshd stop && service sshd start. A restart might be treated a little differently.

If all else fails, yes, you can also (re)create them by hand. Just look at the rc(8) script for exact ssh-keygen(1) options and filenames you need to use.
 
Thanks SirDice,

I will look at the full stop/start.
Very interesting stuff.

This is all part of me trying to improve security for a server that I want to put out there on the internet.
I am taking my sweet time in trying to shut as many doors as possible before I put it online.
 
fastbikkel said:
This is all part of me trying to improve security for a server that I want to put out there on the internet.
Click to expand...
With regards to ssh and other services, also take a look at blacklistd(8), security/sshguard and/or security/py-fail2ban.

fastbikkel said:
I am taking my sweet time in trying to shut as many doors as possible before I put it online.
Click to expand...
Take as much time as you need. But remember the very second you put that server online it's going to get hit by bots rattling on your doors. That's an unfortunate reality nowadays. So the best "defense" is to not enable services if you don't need or use them. They can't break into something if it's not available.
 
Your host private key is locked using passphrase and when the ssh try to read it can't unlock it. You can unlock it manually and then point ssh to use the unlocked private key using the following command:

openssl rsa -in privatekey.key -out unlocked_privatekey.key

Or when you generate the key at the first time do not specify the passphrase.

When you create a USER certificate/key THEN use the passphrase it's located under ~/.ssh/

mini howto:

1. Login on the server using the User which is member of the wheel group.

2. Generate the user public/private rsa key pair and provide a passphrase for the key
% ssh-keygen -t rsa
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter the passphrase

3. Authorize the public key
% cat /home/user/.ssh/id_rsa.pub >> /home/user/.ssh/authorized_keys

4. Copy the private key from the host to your windows OS computer
cmd
cd %userprofile%\Documents
scp user@domain:.ssh/id_rsa .

5. If you are using PuTTy convert the private key to the format that PuTTy uses.
start C:\Program Files\PuTTY\puttygen.exe
load an existing private key file from %userprofile%\Documents\id_rsa select All Files (*.*) to view all files
Save private key %userprofile%\Documents\username.ppk

6. On the host edit /etc/ssh/sshd_config
ChallengeResponseAuthentication no

7. Restart the sshd service
# service sshd restart

8. From your client machine start PuTTy
Enter Hostname/IP address of the server then under Connection->SSH->Auth select Browse and point to your %userprofile%\Documents\username.ppk key

9. If you are using Windows SSH client

Disable Inheritance of the id_rsa file and Remove all inherited permissions from the object. Then grant your Username Full Control of the file.
icacls id_rsa /inheritance:r /grant %username%:F

After that use
ssh user@domain -i id_rsa
 
Last edited:
Thanks a lot guys, i appreciate this.
I am looking into the answers and applying them as much as i can.
 
VladiBG said:
5. If you are using PuTTy convert the private key to the format that PuTTy uses.
start C:\Program Files\PuTTY\puttygen.exe
load an existing private key file from %userprofile%\Documents\id_rsa select All Files (*.*) to view all file
Save private key %userprofile%\Documents\username.ppk
Click to expand...
I reach this point.
I'm now looking for a solution on the internet for this. When i do these actions, upon opening my key file, puttygen tells me : couldn't load private key (unrecognised cipher name)
The first solutions i have seen is to remove the passphrase, but that goes against what im trying to do here. Because i have a passphrase with reason.
I confirmed im actually trying to load the private key, not the pub key.

Apparently it's not the number of bits that is blocking me (4096bit).
There are some suggestions on sites, but they are different from what im trying to achieve.

The search goes on.
 
Don't generate the private key on FreeBSD if you want to use it with PuTTY. Just use PuTTYgen to generate one and save it. Copy/paste the contents from the PuTTYgen screen (the part below "Public key for pasting into OpenSSH authorized_keys file") to the receiving host and your ~/.ssh/authotized_keys (this file can contain more than one key, you can have as many as you want).

The "receiving" end of the connection doesn't need to have your private key.
 
Useful on Windows, drag 'n drop PuTTY's Pageant into your "Startup" folder. Edit the shotcut and at the Target add the location of your key. This will make Pageant start when you login and automatically load your key. Within PuTTY make sure Connection -> SSH -> Auth -> Allow agent forwarding is enabled.

Copy/paste that public key to your ~/.ssh/authorized_keys on every server you want/need to login. The SSH agent forwarding will take care of the rest.
 
fastbikkel said:
When i do these actions, upon opening my key file, puttygen tells me : couldn't load private key (unrecognised cipher name)
Click to expand...
Hod did you generate your id_rsa and id_rsa.pub? Did you use ssh-keygen -t rsa

edit:
PuTTYgen Release 0.70 and FreeBSD 11.2-RELEASE-p7 work fine with 2048 and 4096
 
Again, don't generate the key on FreeBSD if you're going to use it with Putty. There's no reason to generate it on FreeBSD first only to convert it for use with PuTTY, that makes it unnecessarily complex. Generate the key with PuTTYgen and be done.
 
You must log in or register to reply here.
Back
Top