
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
69 views
SSH Stuck waiting for reply after offering public key
### Info ###

I have 2 remote machines, both are Linux and the same OS version. When I tried to SSH to the machine as one of the users inside via public key, machineA works but machineB gets stuck after offering the public key. From what I understand, SSH uses StrictModes by default, which requires:

- In `/etc/ssh/sshd_config`, contains `yes` and `.ssh/authorized_keys`
- `/home/` with `750` or stricter
- `/home//.ssh` with `700` or stricter
- `/home//.ssh/authorized_keys` with `600` or stricter

### What I have done? ###

For my requirements, I need the of to be managed by another user, let's say . So I have done the following configurations to allow to manage 's

```
chmod 750 /home/
chmod 700 /home//.ssh
chmod 600 /home//.ssh/authorized_keys
setfacl -m u::rwx /home/
setfacl -m u::rwx /home//.ssh
setfacl -m u::rwx /home//.ssh/authorized_keys
```

So I enter both machineA & machineB as admin via password and paste my public key into `/home//.ssh/authorized_keys`.

When I tried to SSH to both systems via Putty, machineA works but machineB fails.

### Loggings ###

This is the event log of Putty when trying to SSH to machineB; it's stuck after `public key`.

MachineB SSH Putty event log

And this is the `-f /var/log/auth.log` at machineB:

Tail auth.log

I checked these configurations at both machines:

- ✅ ownership of file/directory is the user
- ✅ permission is the same as in the previous statement
- ✅ both machines have the same configurations

Comparisons of machines' configurations

I also tried `/usr/sbin/sshd -d -p 2222` at the target machine and SSH to the system via command prompt using `-i C:\path\to\private-key -p 2222 @` and this is the log I got:

sshd 2222 log

### Other things tried ###

- Revoked all ACL permissions on machineB, and was able to SSH to machineB via public key after that.
- Set `no` in `/etc/ssh/sshd_config` at machineB, and it works afterwards. But I know this is not a good idea.
- Checked `/etc/ssh/sshd_config` at machineA, and it has `yes` commented, but I believe it's enabled by default.

### Questions ###

- What configurations may I have missed?
- Is it related to a proxy? Because machineA is behind a proxy while machineB is not.

Any help or insight is appreciated :D
Ronald Koh (1 rep)
May 16, 2025, 06:15 AM • Last activity: Jun 21, 2025, 12:26 AM
741 votes
32 answers
1402292 views
Why am I still getting a password prompt with ssh with public key authentication?
I'm working from the URL I found here: http://web.archive.org/web/20160404025901/http://jaybyjayfresh.com/2009/02/04/logging-in-without-a-password-certificates-ssh/ My ssh client is Ubuntu 64 bit 11.10 desktop and my server is Centos 6.2 64 bit. I have followed the directions. I still get a password prompt on ssh and I'm not sure what to do next.
Thom (7975 rep)
Apr 16, 2012, 02:38 PM • Last activity: Jun 10, 2025, 05:51 PM
0 votes
0 answers
17 views
HAproxy 2.6.12 TCP LB with NoMachine NX servers (SSH-like)
I tried to install HAProxy 2.6.12 in TCP mode to do load balancing (round robin) between 2 NoMachine 8.16.1 ECS (Enterprise Cloud Server) accepting NX protocol (SSH-like). NoMachine is a remote desktop solution. I use 4 VM (Debian 12):

- 1 NoMachine Client (NX or SSH)
- 1 HAProxy
- ECS 1 = 1st member of the cluster
- ECS 2 = 2nd member of the cluster

It's working but I get a server identity warning each time I connect to an ECS of the cluster. :( The RSA public keys of the 2 ECS of the cluster are not saved together in a file called "/home/my_user/.nx/config/hosts.crt". It seems that each time I connect to an ECS, its public key overwrites the key of the other ECS already in the hosts.crt file. I actually don't understand the logic of this behaviour.

NB: ECS supports SSH protocol and it works like a charm, I get a server identity warning only the 1st time I connect to HAProxy (I see the public key of HAProxy server in /home/my_user/.ssh/known_hosts).

Any solution at HAProxy level or is it a pure NX protocol (no more open source since 2008!) problem? SSH could be an alternative to NX but it is less performant... Thanks!

haproxy.cfg (a little bit messy ;) )

```
global
    #log /dev/log local0 #STP
    log 127.0.0.1:514 local0 info
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global #STP
    mode tcp #STP
    #option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000 #STP

frontend ecs-in
    mode tcp
    # HAProxy listening port
    bind *:4000
    default_backend backend-ecs
    # redondant with default ?
    log global

backend backend-ecs
    mode tcp
    balance roundrobin
    # ECS listening port
    # NO send-proxy : NO go-mmproxy
    server ecs1 172.16.104.175:4000 check
    server ecs2 172.16.104.178:4000 check
    #server ecs3 172.16.104.179:4000 check
    # redondant with section 'global' ?
    log 127.0.0.1:514 local0 info

frontend ecs-in-ssh
    mode tcp
    # HAProxy listening port
    bind *:22
    default_backend backend-ecs-ssh
    # redondant with section default ?
    log global

backend backend-ecs-ssh
    mode tcp
    balance roundrobin
    # ECS listening port
    server ecs1 172.16.104.175:22 check
    server ecs2 172.16.104.178:22 check
    #server ecs3 172.16.104.179:22 check
    # redondant with section 'global' ?
    log 127.0.0.1:514 local0 info
```
Steph_P92 (1 rep)
May 20, 2025, 07:58 PM
0 votes
1 answers
104 views
AlmaLinux 9 : How to set up existing SSH keys for root (Or rather, why is this current set up not working?)
I have an AlmaLinux 9 server machine with SSH root access through a custom port. The access is fine but should be with SSH keys. We have keys, but we need to give the public key to the AlmaLinux server and hold the private key on machines in the office. This is the way it's always worked very well before on CentOS 7.9 systems. But whatever I've tried, I can't get this to work on AlmaLinux.

1. The /root/.ssh/authorized_keys file contains two lines. I have manually added the second line so the public key is inside this file:

```
ssh-rsa AAAAB3 ... obscured ... w+P1bZNsUU0Zw== plesk-ssh-terminal
AAAAB ... my obscured public key ... rM5sO9/8JgiEw==
```

The initial line is from the Plesk which runs on the server. Plesk is a terrible thing but I don't think I need to deal with that for sorting this out. The initial public key is required for the in-Plesk browser terminal functionality.

2. The /etc/ssh/sshd_config file has been updated based on data from the fully working sshd_config from the CentOS system which works perfectly.

```
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
Include /etc/ssh/sshd_config.d/*.conf
# custom port. Non Key login with password works on this port.
Port 1234
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# SyslogFacility AUTH
# I have updated this. But failed with AUTH only as well.
SyslogFacility AUTHPRIV
PermitRootLogin yes
# I Have also tried PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
# Below just to test if they helped. Seemed not.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
# Also tried both of these:
# UsePAM no
# UsePAM yes
```

3. I have spent a day reading and checking so much on various guides for how to set this up and almost all guides expect me to build the key on the server itself; however, the key is generated in our office and the public key is then given to the server. The key is given a custom name and then stored in /root/.ssh/.pub . The key is contained in the authorized_keys file, outlined above.

4. There are two .conf files in /etc/ssh/sshd_config.d/ ; I have not touched these but between them they say:

```
Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PasswordAuthentication yes
# Redhat file:
ChallengeResponseAuthentication no
```

Files are 50-cloud-init.conf and 50-redhat.conf . Not sure why they're there or what their purpose is (AlmaLinux !== Redhat) and the server is not a cloud. Anyways...

So, what am I missing for making the server allow only SSH root connection with a private key file? As I write this out I suspect the .conf files are causing a mess as they, I believe, overwrite the base /etc/ssh/sshd_config file. Should everything look like it works ok if I simply sidestep these .conf files? Or, as mentioned, am I missing something obvious?
Martin (143 rep)
May 19, 2025, 03:05 PM • Last activity: May 19, 2025, 08:40 PM
2 votes
1 answers
3496 views
Creating MySQL database and user without password
I am building a set of bash scripts which basically prepare apache virtual hosts, git repositories and other stuff on a cloud server. So far so good, everything is working, but a big problem occurred: **MySQL database and users creation**. The current scripts use ssh with keys to authenticate to the cloud server and everyone from my team can execute commands. I want to keep it this way and somehow let them create new MySQL database and user without needing to login to mysql as root or any other user with high privileges, but I don't have any solution for this. **Idea #1** is to create a new mysql user without password and give it full rights (like root) but make it usable only @'localhost'. **Idea #2** is to store the password for this MySQL control user in a file and make it accessible only to the current ssh user which the other scripts use. Then the mysql login will use this stored password to login and create the database and user. I don't know which option is better and I know they are dangerous. I ask for opinion and any better ideas.
Ivan Dokov (205 rep)
May 10, 2014, 02:11 PM • Last activity: May 17, 2025, 03:04 PM
0 votes
1 answers
39 views
How to automate key distribution prior to Ansible being deployed?
How do admins typically distribute Ansible .pub keys to clients in an early environment? Do they just write a script that can run `ssh-copy-id` to multiple machines? I've looked at other forums and users said to use Ansible to distribute keys, but how can you distribute keys if there's not already one on the client? (I'm not that deep into Ansible, I'm just trying to connect the dots)

EDIT: I created an inventory file for my lab environment called "inv.ini". Running the command `ansible -i inv.ini clients -m ping` shot back "Permission Denied" errors for each client within the group. I used `ssh-keygen` to generate an RSA key for my admin account, and copied it to each client (manually). After this, the above command worked.
Ambre (111 rep)
Nov 20, 2024, 01:49 PM • Last activity: May 1, 2025, 05:36 PM
0 votes
1 answers
73 views
How to connect and browse files of remote server via Midnight Commander's Shell link (copy files over SSH) if the private key requires password?
There are an endless number of helpful articles and answers on how to set up `~/.ssh/config` (e.g., this one's pretty good), but none of them mentions what to do if the private key is also password protected.
toraritte (1202 rep)
Apr 23, 2025, 03:18 AM
1 votes
2 answers
82 views
SSH: How to verify the passphrase of a key but without doing an attempt of ssh connection?
About SSH I know the following command works:

```bash
ssh -i id_rsa @
```

Of course:

* The remote server must be running
* The **passphrase** of the `id_rsa` key is requested and if it is valid then the SSH connection happens in peace

Until here all is ok

---

I want to know if it is possible to test the passphrase but without doing an attempt of connection to the remote server. In case:

* _If_ the server is down due to maintenance _and_ it is needed to verify if the passphrase is correct

**Remember**: if the server is down then it is not possible to execute the `ssh -i id_rsa @` command.

_If it is possible:_

**Question**

* How to verify the passphrase of a key but without doing an attempt of ssh connection?

Therefore something like:

```
id_rsa
Write passphrase:
Passphrase is correct
```
Manuel Jordan (2108 rep)
Apr 17, 2025, 02:50 PM • Last activity: Apr 17, 2025, 04:14 PM
3 votes
1 answers
4460 views
SSH Connection on Remmina using AWS public key
I am trying to login to remmina using the ssh .pub key, but when I try to connect it is asking me for the ssh private key passphrase.

I do not know what I am doing wrong but here is a debug log.

```
[SSH] ssh_config_parse_line: Unsupported option: SendEnv, line: 53
[SSH] ssh_config_parse_line: Unsupported option: HashKnownHosts, line: 54
[SSH] ssh_config_parse_line: Unsupported option: GSSAPIAuthentication, line: 55
[SSH] socket_callback_connected: Socket connection callback: 1 (0)
[SSH] ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
[SSH] ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
[SSH] ssh_analyze_banner: We are talking to an OpenSSH client version: 7.2 (70200)
[SSH] ssh_packet_userauth_failure: Access denied. Authentication that can continue: publickey
[SSH] ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
[SSH] ssh_packet_userauth_failure: Access denied. Authentication that can continue: publickey
[SSH] ssh_packet_userauth_failure: Access denied. Authentication that can continue: publickey
[SSH] ssh_pki_import_pubkey_file: Error opening /home/Workstation/.ssh/id_ed25519.pub: No such file or directory
[SSH] ssh_pki_import_privkey_file: Error opening /home/Workstation/.ssh/id_ed25519: No such file or directory
[SSH] ssh_pki_import_pubkey_file: Error opening /home/Workstation/.ssh/id_ecdsa.pub: No such file or directory
[SSH] ssh_pki_import_privkey_file: Error opening /home/Workstation/.ssh/id_ecdsa: No such file or directory
[SSH] ssh_packet_userauth_failure: Access denied. Authentication that can continue: publickey
[SSH] ssh_packet_userauth_failure: Access denied. Authentication that can continue: publickey
[SSH] ssh_pki_import_pubkey_file: Error opening /home/Workstation/.ssh/identity.pub: No such file or directory
[SSH] ssh_pki_import_privkey_file: Error opening /home/Workstation/.ssh/identity: No such file or directory
```

Can anyone help me to connect via ssh on remmina using a public key?
Atul Arvind (131 rep)
Nov 23, 2017, 08:55 PM • Last activity: Apr 16, 2025, 06:01 AM
1 votes
3 answers
87 views
Authenticate with a physical button
I have a Raspberry PI Pico laying around and I was thinking about creating a device that, when I need to authenticate myself on Linux, I could just click a button soldered to the Pico, which would then send a message to the computer that would authenticate myself. This device would be connected to a secure computer, so no problem. The question is, how can I do it? I have no experience with Linux programming, so I don't know if there's already a service or library that could be used for that. I know that YubiKey has devices with a button that works something like that, but I also read that they need internet connection to work, which is a no-no.
arslivinski (9 rep)
Apr 14, 2025, 03:41 PM • Last activity: Apr 15, 2025, 10:46 PM
2 votes
1 answers
2377 views
gnome-keyring-daemon components and their use
When reading gnome-keyring-daemon manual, one can see pretty clearly that the --components option has four valid values: ssh, secrets, gpg, and pkcs11. However, I couldn’t find any detailed explanation on these four options. Could someone detail the **use** and the **field of use** of each component of gnome-keyring-daemon? (For instance it is obvious to me the ssh component is used to automatically decrypt ssh private-keys passphrases and feed them to ssh but other components (especially their field of use) remain obscure to me.)
Arcturus B (131 rep)
Apr 26, 2015, 08:36 PM • Last activity: Apr 15, 2025, 05:04 AM
0 votes
0 answers
1424 views
SSH failing with "ssh_rsa_verify: cannot handle type rsa-sha2-256"
I have an old Server (CentOS 4 - yes it will be upgraded but not yet!) and a new Backup machine (Rocky 9.5). I previously had rsync from the server to a previous incarnation of the backup machine (CentOS 8) working, but the backup server OS died (when I tried to update packages...). I want to use `rsync -e ssh ...` to mirror files from the Server to the Backup. The issue I have is in getting the two servers to talk over SSH. I have overcome most hurdles by adding into the Backup's SSHD config:

```
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
```

That's overcome the initial hurdle of getting old (considered insecure, but this is on my own private network) protocols. But I can't figure out why the keys don't work.

* On Backup I generated a new key that should be SHA1:

```sh
ssh-keygen -t rsa -t ssh-rsa -f ssh_host_rsa_key
```

* I did also try with just `-t rsa` and just `-t ssh-rsa`. As per `man ssh-keygen`:

> This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are ssh-rsa ...

I was trying to use that to create a SHA1 rather than SHA256 signature.

* But the Server fails to connect:

```
ssh_rsa_verify: cannot handle type rsa-sha2-256
key_verify failed for server_host_key
```

How do I generate a key that the Server will accept? For info, the SSH version on Backup is OpenSSH_8.7p1, OpenSSL 3.2.2 and on Server OpenSSH_3.9p1, OpenSSL 0.9.7a.

Additional info, the response on the Server when attempting the connection (actual IP addresses changed to x.x.x.):

```
[root@server ssh]# ssh -vvv x.x.x.5 root@backup
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to x.x.x.5 [x.x.x.5] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,kex-strict-s-v00@openssh.com
debug2: kex_parse_kexinit: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug2: dh_gen_key: priv key bits set: 161/320
debug2: bits set: 512/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'x.x.x.5' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 513/1024
ssh_rsa_verify: cannot handle type rsa-sha2-256
key_verify failed for server_host_key
```
PeteC (1 rep)
Dec 8, 2024, 02:20 PM • Last activity: Apr 8, 2025, 01:36 PM
0 votes
1 answers
50 views
When do you have to check the fingerprint of a PGP key in an independent way during initial contact?
For brevity I talk about PGP, but GnuPG or OpenPGP are meant as well, and gpg is the OpenPGP encryption and signing tool for it.

When initially establishing an email connection with someone, both parties have to exchange their public keys. If this exchange is done in person, the keys may be used right away. If they are mutually sent to each other by email, users are advised to check the **fingerprints of both public keys** by independent means rather than email. They can do so e.g. by telephone. Email is considered unsafe and a man in the middle (MIM) might intervene, replacing the sent public key by another one from a key pair generated for himself on behalf of the original sender's email account. This theoretical threat works as long as MIM is able to intervene in all future encrypted emails sent to the other side using the replaced key. Such manipulation is immediately detected after the fingerprint check. That's why users are encouraged to verify the other side's public key by checking its fingerprint. The fingerprint must not be received by the same communication means.

Can this rule be relaxed, if one of the two got the other side's public key in a safe way, e.g. by

1. downloading it from a (non-compromised) https website, comparing it with the fingerprint displayed there and then using this key to send his own public key in a signed and encrypted message. Signing would prevent unnoticed manipulation of the email and encryption would safeguard MIM from knowing that the email is part of an initial key exchange. This email with attached own public key (by which any receiver could check if it is unaltered) would be encrypted with the other side's https-downloaded public key (let's assume that the other side is the only one that has access to the corresponding private key).

2. receiving the other side's public key in a signed and encrypted email, when the sender uses the receiver's public PGP key which had been verified by the sender before (a situation which might arise when one side generates a new pair of private/public keys for himself and attaches his new public key to such a message. It might also arise for the second part of an initial key exchange when one public key was transferred according to method 1. or after only one side has verified the receiver's public key).

What might be the weak points of such a simplified procedure?
Adalbert Hanßen (303 rep)
Mar 27, 2025, 06:08 PM • Last activity: Mar 28, 2025, 11:10 AM
0 votes
0 answers
110 views
SSH VScode to ec2 instance AWS Linux
I am trying to connect to an AWS EC2 instance from my MacBook Pro using VSCode. I am able to connect to the EC2 instance through the terminal by navigating to the Downloads folder (where my key pair .pem file is) using the command:

```shell
ssh -i "Key-Pair.pem" ec2-user@ec2-**-***-**-***.ap-northeast-1.compute.amazonaws.com
```

My terminal shows me

```shellsession
[ec2-user@ip-***-**-**-*** ~]$
```

However, when trying to connect to the AWS instance from VSCode I get the error

```
Load key "/Users/****/Downloads/Key-Pair.pem": Operation not permitted
ec2-user@**.***.**.***: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
local-server-1> ssh child died, shutting down
```

It seems as though my key pair .pem file is not able to authenticate with the AWS instance. For reference this is what my config file looks like for this instance:

```
Host PM.ByBit.SMM
    Hostname **.***.**.***
    User ec2-user
    IdentityFile /Users/****/Downloads/Key-Pair.pem
```
dinosaurslayer (1 rep)
Dec 22, 2023, 11:16 AM • Last activity: Mar 19, 2025, 10:47 AM
700 votes
13 answers
887950 views
How to force ssh client to use only password auth?
If I use pubkey auth from e.g. an Ubuntu 11.04, how can I set the ssh client to use only password auth to a server? (just needed because of testing passwords on a server, where I default log in with key)

I found a way:

```
mv ~/.ssh/id_rsa ~/.ssh/id_rsa.backup
mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.backup
```

and now I get prompted for a password, but are there any official ways?
LanceBaynes (41465 rep)
Jun 17, 2011, 06:26 AM • Last activity: Mar 18, 2025, 09:00 AM
459 votes
2 answers
604249 views
How to list keys added to ssh-agent with ssh-add?
How and where can I check what keys have been added with `ssh-add` to my `ssh-agent`?
Patryk (14642 rep)
Dec 20, 2012, 10:37 AM • Last activity: Feb 21, 2025, 04:52 PM
1 votes
1 answers
1703 views
SSH - Key signing of ED25519 style keys does not work
Trying to set up an SSH Cert Authority so I can centralize new key setup rather than modifying the `authorized_keys` on each of my machines. I found something really odd - the keys that I develop work only if the user keys are RSA style keys and will fail with ED25519 style keys. I tested and the failure happens depending on the user key type, so RSA user keys can be signed by both RSA and ED25519 style CA keys, but then surprisingly an ED25519 CA key can sign RSA keys which work, but when the same CA is used to sign ED25519 keys, the resulting key will not work.

```
ssh-keygen -t ed25519 -f userkey
ssh-keygen -s my-ssh-ca-private-key -I some-identifier userkey.pub
cat userkey userkey-cert.pub > key_with_cert
```

When I take the key_with_cert file to the new computer, it works if and only if I remove the "*-t ed25519*". The output from `ssh -vv -i key_with_cert user@example.com`:

RSA style key that works: https://f000.backblazeb2.com/file/backblaze-b2-public/debug_output_rsa

ED25519 style key using "*-t ed25519*" that fails: https://f000.backblazeb2.com/file/backblaze-b2-public/debug_output_ed25519

Any ideas on why the key type is causing a problem? ED25519 has been around for a while so I expect similar handling between RSA and ECC keys.
Kelly Trinh (331 rep)
Jun 10, 2020, 02:44 PM • Last activity: Jan 31, 2025, 01:28 AM
0 votes
1 answers
3390 views
Using SSH Git: key lost after system restart?
I am setting up Git usage on Raspbian. This worked OK:

```
cd .ssh
ssh-keygen -t rsa -b 4096 -C "name@asdf.com"
eval $(ssh-agent -s)
ssh-add ./id_rsa_rpi
```

After I created the keys locally, I went to GitHub and added a public key there. It all worked OK, I cloned a few repositories without problems. Confirmed it all with `ssh -vT git@github.com`. However, after a shutdown yesterday and a powerup today, `git pull` didn't work: `git@github.com: Permission denied (publickey).` I had to repeat the following:

```
eval $(ssh-agent -s)
ssh-add .ssh/id_rsa_rpi
```

Now it works again. How do I make this permanent?
Danijel (186 rep)
Nov 11, 2021, 10:35 AM • Last activity: Jan 14, 2025, 04:02 PM
0 votes
1 answers
38 views
Does the presence of a .ssh directory force remote access via Public key authentication?
Context: 24.04 Ubuntu on Raspberry Pi. The default user is ubuntu. For this discussion let's define different scenarios:

1) the directory /home/ubuntu/.ssh does not exist
2) an empty directory exists as: /home/ubuntu/.ssh
3) a file exists as /home/ubuntu/.ssh/authorized_keys

Q1) Which, if any, scenarios force remote access to require public key authentication instead of password authentication?

Q2) Is it enough to copy my public key (id_rsa.pub) from a MacBook, via USB memory stick, to the rPi as /home/ubuntu/.ssh/authorized_keys? Or is there some other item / setting that needs to be configured to enable remote ssh access (either password or public key)?

Q3) What forces remote access via public key authentication and excludes password authentication? The default user (ubuntu) has a password, which enables terminal access via the rPi's keyboard.

Q4) Is it possible to configure the default user (ubuntu) for remote ssh access via public key? Or is it necessary to create a new user?
gatorback (1522 rep)
Jan 8, 2025, 05:24 AM • Last activity: Jan 8, 2025, 05:41 AM
44 votes
9 answers
225919 views
ssh error while logging in using private key "loaded pubkey invalid format" and "error in libcrypto"?
***UPDATED*** When I am trying to generate a public key it still gives me an error "error in libcrypto":

```
Load key "breakthis": error in libcrypto
```

***Private key is given below***

I am trying to solve a Hack The Box machine. I was able to get a private key, then I converted that private key into a hash for JOHNTHERIPPER and cracked it successfully. But now when I try to log in through ssh I am getting the following error. I have searched a lot but am not able to resolve these errors:

```
ssh -i id_rsa joanna@10.10.10.171
load pubkey "id_rsa": invalid format
Load key "id_rsa": error in libcrypto
joanna@10.10.10.171's password:
```
Raghav Talwar (449 rep)
Apr 2, 2020, 03:42 AM • Last activity: Jan 6, 2025, 03:06 PM