Symptoms:
Connecting from the Bastion system to a Linux system with a passphrase-protected SSH private key fails.
The passphrase for the private key is requested three times and the connection is then refused:
[opc@bastion ~]$ ssh -i ./.ssh/ssh_key opc@server
Enter passphrase for key './.ssh/ssh_key':
Enter passphrase for key './.ssh/ssh_key':
Enter passphrase for key './.ssh/ssh_key':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[opc@bastion ~]$
The original SSH private key (in PPK format) works outside the Bastion system.
Cause:
In the excerpt below from the "ssh -vvv -i ./.ssh/ssh_key opc@server" command, the SSH client reports "bad passphrase given, try again..." after each attempt, and gives up after the third one:
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ./.ssh/ssh_key
Enter passphrase for key './.ssh/ssh_key':
debug2: bad passphrase given, try again...
Enter passphrase for key './.ssh/ssh_key':
debug2: bad passphrase given, try again...
Enter passphrase for key './.ssh/ssh_key':
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
This means the SSH client can parse the file on the Bastion system as an encrypted OpenSSH private key (otherwise it would not prompt for a passphrase at all), but the passphrase entered does not decrypt it. Since the original PPK key works outside the Bastion system, the key file uploaded to the Bastion system is the component to replace.
Solution:
Regenerate the OpenSSH-format private key (as per Doc ID 2490591.1) and upload the resulting file to the Bastion system.
Ensure that the uploaded private key is readable only by the intended user (the "opc" user in the example above); ssh refuses to use a private key whose permissions are too open.
This can be achieved with the "chmod -v go-rwx ./.ssh/ssh_key" command (where "./.ssh/ssh_key" corresponds to the uploaded SSH private key).
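The following script is an added example for this note (it is not part of the note itself or of OpenSSH) that checks an uploaded key file on the Bastion system before any ssh attempt: it identifies the file format from its first line, verifies that no group/other permission bits are set, and uses "ssh-keygen -y" (which must decrypt the private key to derive the public key) to confirm that the passphrase actually unlocks the key. It assumes a POSIX sh and OpenSSH's ssh-keygen on the PATH; the file names and passphrases in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original note): pre-flight checks for an
# OpenSSH private key uploaded to the Bastion host, so that a bad key file
# is reported by ssh-keygen instead of three failed passphrase prompts.
# Assumptions: POSIX sh, OpenSSH ssh-keygen on PATH; paths are examples.

# Print the on-disk format of a private key, judged by its first line.
# CR characters are stripped so a file saved on Windows is still recognised.
key_format() {
  first=$(head -n 1 "$1" | tr -d '\r')
  case "$first" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
    "-----BEGIN "*" PRIVATE KEY-----")     echo pem ;;      # legacy PEM (RSA/EC/PKCS#8)
    PuTTY-User-Key-File-*)                 echo ppk ;;      # PuTTY format; OpenSSH cannot load it
    *)                                     echo unknown ;;
  esac
}

# Succeed only when group and other have no permission bits at all
# (equivalent to what "chmod go-rwx" produces); ssh refuses keys that
# are readable by others.
key_mode_ok() {
  bits=$(ls -ld "$1" | cut -c5-10)
  [ "$bits" = "------" ]
}

# Succeed only when the given passphrase decrypts the key.  "ssh-keygen -y"
# derives the public key from the private one, which requires decrypting
# it first; with -P given it never prompts, and stdin is closed anyway.
key_unlocks() {
  ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1 </dev/null
}

# Combined check: prints one line per finding and stops at the first problem.
check_ssh_key() {
  key=$1
  pass=$2
  fmt=$(key_format "$key")
  printf 'format: %s\n' "$fmt"
  if [ "$fmt" != openssh ] && [ "$fmt" != pem ]; then
    printf 'not an OpenSSH-readable private key; regenerate/convert it\n'
    return 1
  fi
  if ! key_mode_ok "$key"; then
    printf 'permissions too open; run: chmod go-rwx %s\n' "$key"
    return 1
  fi
  if ! key_unlocks "$key" "$pass"; then
    printf 'passphrase does not decrypt this key; regenerate the OpenSSH key\n'
    return 1
  fi
  printf 'ok: key is usable; its public key is:\n'
  ssh-keygen -y -P "$pass" -f "$key"
}

# Run the checks only when invoked with arguments, e.g.:
#   sh check_key.sh ./.ssh/ssh_key 'passphrase'
if [ "$#" -ge 1 ]; then
  check_ssh_key "$1" "$2"
fi
```

A passphrase given as a command-line argument is visible to other users in the process list, so on a shared Bastion host run "ssh-keygen -y -f ./.ssh/ssh_key" by hand and let it prompt instead of passing -P; the script's -P form is meant for a throwaway test key. An "ok" result together with the correct public key means the remaining causes for "Permission denied (publickey)" are on the server side (authorized_keys, home directory permissions), not the key file.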