CentOS 7.5 SSH skips id_rsa with blank passphrase

debugnetiq1
Posts: 1
Joined: 2018/08/04 23:32:30

Post by debugnetiq1 » 2018/08/05 00:02:02

Hi

Spent hours on this and still no resolution.
The ask is how to force ssh to use a blank-passphrase id_rsa private key when establishing a connection to a client.
The context is running Azure ARM templates which invoke on the master node Ansible to provision "client" nodes in fully automated mode.
Ansible does not support passphrase protected private keys but ssh will just skip the id_rsa if it has no passphrase. As a result Ansible playbooks fail.
HOWEVER, if after the failed deployment I log in to the master, generate a new blank-passphrase key pair with ssh-keygen, update the clients' authorized_keys with the newly generated id_rsa.pub, then replace ~/.ssh/id_rsa with the newly generated one and restart sshd everywhere, then ssh works just fine with the freshly generated blank-passphrase id_rsa.

By the nature of ARM deployment the SSH key-pair must be generated externally then provided to the deployment scripts via secure storage.

To mention that the exact same id_rsa private key generated and working above will no longer be working in the next template deployment run with exactly the same host names, etc. - and ssh will again skip the key and ask for a passphrase when connecting to clients.

This approach won't work however because the Azure Resource Manager will generate brand new VMs from scratch every time it deploys the template, and one of the extensions has a "CommandToExecute" clause that launches the Ansible script, after all keys have been setup.

I've seen people proposing ssh-agent and ssh-add tricks for using an id_rsa with a passphrase while tricking Ansible into thinking there is no passphrase - this does not work either, because ssh-add will always go into interactive mode asking for a passphrase.

As a side note, the same mechanism with blank-passphrase id_rsa private keys works just fine in Ubuntu - where ssh happily accepts the blank-passphrase private key.

Here is a comparison of the two ssh scenarios, all identical up to the point of "debug1: Trying private key: .ssh/id_rsa"
1) id_rsa private key generated in a previous template deployment but used in the current deployment (with the right public key in authorized_keys, etc.)
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/id_rsa <<< differences start below
debug2: no passphrase given, try next key
<<< skipping the key
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.

2) Freshly generated id_rsa private key in the current run, with the corresponding public key in authorized_keys, etc. (after the failed deployment the VMs are accessible)

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/id_rsa <<< all fine if id_rsa generated in current run on the master VM
debug3: sign_and_send_pubkey: RSA SHA256:Sls3HJ3LuD4XiqiqRQ0Bc+kbs2ICro4qQEVXXTDUt0E
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
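The "no passphrase given, try next key" line means ssh could not load the key file with an empty passphrase, so a useful first step on the master is to inspect the key that the deployment actually dropped in place. Below is an added Python script (not from the original post or from OpenSSH) that reports the common reasons a key file cannot be used passphrase-free: an encrypted PEM or OpenSSH-format key, a PEM block whose line breaks were lost when it passed through a template parameter, and loose file permissions; the sample keys are constructed placeholders, not real key material.

```python
import base64
import struct
import textwrap

def _openssh_v1_cipher(b64_body):
    """Return the cipher name stored in an 'openssh-key-v1' blob, or None."""
    raw = base64.b64decode(b64_body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return None
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])  # length-prefixed ciphername
    return raw[off + 4:off + 4 + n].decode()

def inspect_private_key(text, mode=0o600):
    """List reasons ssh would not use this key file without a passphrase."""
    problems = []
    if mode & 0o077:  # ssh reports this separately as "bad permissions"
        problems.append("file is group/world accessible; ssh ignores such keys")
    lines = text.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") \
            or not lines[-1].startswith("-----END"):
        problems.append("not a multi-line PEM block (header, body, footer expected)")
        return problems
    if "ENCRYPTED" in lines[0]:
        problems.append("PKCS#8 encrypted key; needs a passphrase")
    headers = [l for l in lines[1:-1] if ":" in l]
    if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
        problems.append("PEM key is passphrase-encrypted (Proc-Type: 4,ENCRYPTED)")
    body = "".join(l for l in lines[1:-1] if ":" not in l and l.strip())
    if "OPENSSH PRIVATE KEY" in lines[0]:
        cipher = _openssh_v1_cipher(body)
        if cipher and cipher != "none":
            problems.append("OpenSSH-format key is encrypted with %s" % cipher)
    return problems

# Constructed sample key files (placeholder bodies, not real keys).
_HDR, _FTR = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"
_BODY = base64.b64encode(b"\x00" * 48).decode()
GOOD_PEM = "\n".join([_HDR] + textwrap.wrap(_BODY, 64) + [_FTR]) + "\n"
ONE_LINE_PEM = " ".join([_HDR, _BODY, _FTR])  # newlines lost in a template parameter
ENCRYPTED_PEM = "\n".join([_HDR, "Proc-Type: 4,ENCRYPTED",
                           "DEK-Info: AES-128-CBC," + "0" * 32, ""]
                          + textwrap.wrap(_BODY, 64) + [_FTR])
_blob = b"openssh-key-v1\x00" + struct.pack(">I", 10) + b"aes256-ctr" + b"\x00" * 16
OPENSSH_ENC = "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----"]
                        + textwrap.wrap(base64.b64encode(_blob).decode(), 70)
                        + ["-----END OPENSSH PRIVATE KEY-----"])

if __name__ == "__main__":
    for name in ("GOOD_PEM", "ONE_LINE_PEM", "ENCRYPTED_PEM", "OPENSSH_ENC"):
        print(name, inspect_private_key(globals()[name]) or ["ok"])
```

To check the real file, read ~/.ssh/id_rsa into `text` and pass `os.stat(path).st_mode & 0o777` as `mode`.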