--On Friday, May 08, 2015 09:58:32 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:

> While attempting to debug something else I ran across this:
>
> ssh -vvv somehost
> . . .
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/identity-cert type -1
> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
>
> [snip]
>
> The password-less connections complete in any case but I am perplexed
> as to what is the problem with the root identity key that ssh is
> reporting.
>
> Can anyone explain to me what this means?

IIRC there was a time when id_rsa could refer to either an RSA1 key or an RSA2 key. I believe ssh is first trying to read the file as an RSA1 key, finding problems, and then opening it as an RSA2 key. In fact, if you scroll down from there you probably see a line like the following:

debug1: identity file /home/somebody/.ssh/id_rsa type 1

which is a successful read (note the type is 1 and not -1). In other words, it's nothing to worry about.

The messages are a bit different under CentOS 7 (I suspect you're running CentOS 6 on the client), but they say about the same thing.

While the other follow-ups would be good ideas if you actually had a problem logging in, it sounds like you don't have a problem and the question was just a curiosity thing.

Devin
--On Friday, May 08, 2015 01:23:57 PM -0400 m.roth at 5-cent.us wrote:

> I would *strongly* recommend editing your /etc/ssh/sshd_config, and
> comment or delete the fallback, and replace it, like:
> # Protocol 2,1
> Protocol 2
>
> That way, it won't even try.

While forcing protocol 2 on the server is not a bad idea, it won't help here. Remember, that's a client-side debug message that the OP was seeing. I can verify that the client still produces that message even when talking to a server that does only protocol 2.

Forcing protocol 2 on the client side also does not suppress that message, so the key-type-determination algorithm is not likely dependent on the protocol version.

Devin
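As an added example (not code from the thread or from OpenSSH), here is a small Python triage of the client-side "ssh -vvv" output along the lines Devin describes: a "Not a RSA1 key file" complaint is benign when the same path later shows up with a non-negative type. It assumes the numeric key types and the SSH1 private-key magic from OpenSSH's own sources, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the 'ssh -vvv' lines quoted in the thread, with
# the later successful-load line Devin refers to appended.
SAMPLE_DEBUG = """\
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
"""

IDENTITY_RE = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
NOT_RSA1_RE = re.compile(r"^debug3: Not a RSA1 key file (\S+)\.$")

# Key types as the OpenSSH client of that era printed them (key.h enum order);
# -1 means the file was missing or could not be parsed at all (assumption).
KEY_TYPE_NAMES = {0: "RSA1", 1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}

# Legacy SSH1 private keys begin with this magic; a PEM '-----BEGIN' header is
# what the RSA1 parser trips over before the protocol-2 parser takes the file.
RSA1_MAGIC = "SSH PRIVATE KEY FILE FORMAT 1.1"


def parse_identity_lines(debug_output):
    """Map each identity path to the last 'type N' value the client reported."""
    types = {}
    for line in debug_output.splitlines():
        m = IDENTITY_RE.match(line.strip())
        if m:
            types[m.group(1)] = int(m.group(2))
    return types


def triage(debug_output):
    """Per 'Not a RSA1 key file' complaint, report (benign, why): benign when
    the same path later loads with a non-negative type."""
    types = parse_identity_lines(debug_output)
    verdicts = {}
    for line in debug_output.splitlines():
        m = NOT_RSA1_RE.match(line.strip())
        if m:
            t = types.get(m.group(1), -1)
            why = KEY_TYPE_NAMES.get(t, "unknown") if t >= 0 else "never loaded"
            verdicts[m.group(1)] = (t >= 0, why)
    return verdicts


def classify_key_header(first_line):
    """Tell which OpenSSH parser a private-key file's first line belongs to."""
    if first_line.startswith(RSA1_MAGIC):
        return "RSA1"
    return "protocol-2" if first_line.startswith("-----BEGIN") else "unknown"
```

Feed it the real output with `ssh -vvv somehost 2>&1` captured to a string; a path that is flagged but never reaches a non-negative type is the case worth investigating.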