Missing begin marker error with public key ssh login
"Missing begin marker" is not really a problem; you get that message with successful passwordless public key logins.
You have a banner, so you probably have done some hardening. Make sure the following options are available to your user. You can add them at the end of your sshd_config file after a "Match User" line:
Match User root,user1
RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords yes
PermitRootLogin is only required since you use root. I am not sure if PermitEmptyPasswords is required but it works for me.
Another (small) thing, don't "sudo su -", do "sudo -i".
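To see which options actually apply to a user once Match blocks are processed, the effective settings can be dumped with sshd -T and checked. The following is an added example, not part of the original answer; the function names are hypothetical and the sample input is constructed. It also flags PermitRootLogin yes and PermitEmptyPasswords yes, neither of which public key login needs (PermitEmptyPasswords only governs password logins to accounts with an empty password).

```shell
#!/bin/sh
# Added example (not from the thread). Reads effective sshd settings in the
# "keyword value" form printed by `sshd -T` on stdin, one finding per line.
# On a real host, feed it (as root) with:
#   sshd -T -C user=root,host=machine2,addr=127.0.0.1 | audit_sshd_effective
audit_sshd_effective() {
    awk '
    { key = tolower($1); val = tolower($2) }
    key == "pubkeyauthentication" && val != "yes" {
        print "FAIL pubkeyauthentication=" val ": public key login is disabled" }
    key == "permitrootlogin" && val == "no" {
        print "FAIL permitrootlogin=no: root is refused whatever the key" }
    key == "permitrootlogin" && val == "yes" {
        print "WARN permitrootlogin=yes: root password login is allowed too; without-password is enough for keys" }
    key == "permitemptypasswords" && val == "yes" {
        print "WARN permitemptypasswords=yes: only affects password logins, not needed for keys" }
    key == "authorizedkeysfile" {
        $1 = ""; print "INFO keys are read from:" $0 }
    '
}

# Constructed sample: what the Match block from the answer would yield for root.
sample_effective() {
    cat <<'EOF'
permitrootlogin yes
pubkeyauthentication yes
permitemptypasswords yes
authorizedkeysfile .ssh/authorized_keys
EOF
}

sample_effective | audit_sshd_effective
```

The INFO line matters on hardened hosts: if AuthorizedKeysFile points somewhere other than .ssh/authorized_keys, a key placed in /root/.ssh/authorized_keys is never consulted.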
Ravi Chandra
Updated on September 18, 2022
Comments
-
Ravi Chandra over 1 year
I have two Redhat 7.3 machines. I want password-less ssh access to the machine2 from machine1. Here is what I have done. On machine1, I sudo (sudo su -) as a root and generated the rsa public and private keys using the ssh-keygen command with all default settings. These are present in the /root/.ssh/ directory with names id_rsa, id_rsa.pub.
The permissions for .ssh are as follows:
drwx------  2 root root   54 Jan 17 05:08 .
drwxr-x---. 7 root root 4.0K Jan 17 04:08 ..
-rw-------  1 root root 1.7K Jan 17 06:18 id_rsa
-rw-r--r--  1 root root  414 Jan 17 06:18 id_rsa.pub
-rw-r--r--  1 root root 4.0K Jan 17 07:37 known_hosts
I copied the contents of id_rsa.pub to machine2 into the file authorized_keys in /root/.ssh created by myself as a root. Permissions of .ssh directory on machine2 are as follows:
drwxr-xr-x  2 root root   28 Jan 17 06:32 .
dr-xr-x---. 6 root root 4.0K Jan 17 03:28 ..
-rw-r--r--  1 root root  414 Jan 17 06:32 authorized_keys
Now I tried to ssh (with verbose) from machine1 to machine2 using the following command. But it still asks for the password to connect. I am expecting the connection should be established without asking for password.
I tried changing the permissions of .ssh and authorized_keys to 700 and 600 on machine2 as suggested by "SSH asks for password, even with public key installed", but the problem persists.
I have given the debug output of ssh command. It works as expected till the server accepts the public key. After that I notice debug1: key_parse_private2: missing begin marker might be causing this issue. Can any one suggest me a way out of this problem?
[root@machine1 ~]# ssh -v machine2
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to machine2 [x.x.x.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA X:X:X:X:....
debug1: Host 'machine2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
========================================================
| The system is to be used only by authorized users.   |
|                                                      |
| By continuing to use the system, the user represents |
| that he/she is an authorized user.                   |
|                                                      |
| Use of the system constitutes consent to monitoring  |
| and review.                                          |
|                                                      |
| I have received, read and understand the Company's   |
| Acceptable Use Policy and agree to abide by the      |
| policy and its terms and conditions.                 |
|                                                      |
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
root@machine2's password:
-
Romeo Ninov over 7 years
Try to change permission on machine2, directory /root/.ssh to be 700
-
Ravi Chandra over 7 years
@Romeo Ninov, I have already tried that and mentioned in this post too... It did not solve the problem.
-
Romeo Ninov over 7 years
Can you provide few lines from begin of id_rsa and the content of authorized_keys and id_rsa.pub. And check for empty lines in authorized_keys
-
Ravi Chandra over 7 years
id_rsa:
-----BEGIN RSA PRIVATE KEY-----
MKIEpAIBdAKCAQEjtVQ5Zh1inry2g8XYzmUk5Dcg9n9++jRY+enwh+9qWJVx7UGX
YR6H0SJT7dFCe7ZGJGwgJrxRLrcOh3ujOJ3+tSS1iBoHBUpfucExsDD8JRE8DduA
id_rsa.pub:
ssh-rsa AXBAB3NzaC1yf2EAAAADAQABAAXBAQ
-
Ravi Chandra over 7 years
There is no empty line authorized_keys and the id_rsa.pub and authorized_keys are the same
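The ownership and mode test that sshd applies to these paths when StrictModes is on (the default) can be approximated as follows. This is an added example, not part of the thread; check_key_perms and demo_machine2_layout are hypothetical names, and the demo rebuilds the machine2 layout from the question in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Approximates the test sshd applies
# when StrictModes is on: the home directory, ~/.ssh and authorized_keys must
# be owned by the user or root and must not be group- or world-writable.
# Needs GNU stat (present on Red Hat). Returns 0 if all three paths pass.
check_key_perms() {   # usage: check_key_perms <home-dir> <numeric-uid>
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$p")    # octal permission bits, e.g. 755
        owner=$(stat -c '%u' "$p")   # numeric owner id
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "BAD  $p owner uid $owner (want $uid or 0)"; rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD  $p mode $mode is group/world-writable"; rc=1
        else
            echo "OK   $p mode $mode"
        fi
    done
    return $rc
}

# Constructed demo: rebuild machine2's layout from the question in a temp dir,
# check it, then make .ssh group-writable to show a failing case.
demo_machine2_layout() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 755 "$d/.ssh"; chmod 644 "$d/.ssh/authorized_keys"
    first=0;  check_key_perms "$d" "$(id -u)" || first=$?
    chmod 775 "$d/.ssh"
    second=0; check_key_perms "$d" "$(id -u)" || second=$?
    rm -rf "$d"
    [ "$first" -eq 0 ] && [ "$second" -ne 0 ]
}

demo_machine2_layout
```

The 755 and 644 modes from the question's listing pass, because only group or world write bits are rejected. On the real host the call would be check_key_perms /root 0.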
-