Ubuntu: SSH key-based auth asks for password on first login [duplicate]

I have a fresh Ubuntu 16.04.1 LTS system and have noticed that key-based SSH authentication asks for the account's password the first time I log in to the machine, and subsequent SSH attempts work without prompting for a password.

So far, the behavior can be reproduced by rebooting the machine. There may be a timeout as well, but I'm in the process of setting up the machine and haven't encountered it yet.

In general this is pretty neat, as it mitigates a compromised SSH key, though it has a drawback for automated processes; in my case, config management with Ansible.

Where is the SSH server behavior configured? Specifically, to ask for password authentication even if a key-based auth succeeds, but only the first time the key is used to open a session.

I'd like to keep this "two-factor"ish behavior for interactive sessions, but disable it (i.e. do not prompt for password) for certain accounts (e.g. a dedicated ansible user).



I found the answer on another Stack Exchange. The reason for this behavior is that the home directory is encrypted!


Is your home dir encrypted? If so, for your first ssh session you will have to provide a password. The second ssh session to the same server works with the auth key. If this is the case, you could move your authorized_keys to an unencrypted dir and change the path in ~/.ssh/config.

I tracked this by looking through /var/log/auth.log, and specifically, the line:

pam_ecryptfs: Passphrase file wrapped

Searching for that led me to the other Stack Exchange answer.
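As an added example, not code from either answer, the following POSIX shell helpers apply the fix the quoted answer describes: copy the user's authorized_keys out of the ecryptfs-encrypted home and, on the server side, point sshd at the copy via the AuthorizedKeysFile directive in sshd_config; the second function checks auth.log for the pam_ecryptfs line used to diagnose the problem. The key directory layout (KEYS_DIR/<user>, e.g. /etc/ssh/authorized_keys/ansible) and the argument-passing are my assumptions, chosen so the functions can be tried against copies before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original answers: relocate authorized_keys out of an
# ecryptfs-encrypted home (sshd cannot read it until a password login mounts the
# home) and point sshd at the copy with the AuthorizedKeysFile directive.
# Assumed layout (not stated on the page): keys live at KEYS_DIR/<user>, e.g.
# /etc/ssh/authorized_keys/ansible. Paths are arguments so this can be run on copies.
set -eu

# relocate_authorized_keys USER HOME_DIR KEYS_DIR SSHD_CONFIG
relocate_authorized_keys() {
    user="$1"; home="$2"; keys_dir="$3"; cfg="$4"
    src="$home/.ssh/authorized_keys"
    dst="$keys_dir/$user"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    # With StrictModes, sshd accepts a key file owned by root or by the user as long
    # as neither the file nor its parent directories are group/world writable.
    mkdir -p "$keys_dir"
    chmod 755 "$keys_dir"
    cp "$src" "$dst"
    chmod 644 "$dst"
    # Replace any existing AuthorizedKeysFile line. The default ~/.ssh path is kept
    # as a second location so other accounts are unaffected. A temp file is used
    # instead of sed -i to stay POSIX.
    tmp="$cfg.tmp"
    grep -v '^AuthorizedKeysFile' "$cfg" > "$tmp" || true
    printf 'AuthorizedKeysFile %s/%%u .ssh/authorized_keys\n' "$keys_dir" >> "$tmp"
    mv "$tmp" "$cfg"
    # Reload sshd afterwards (on Ubuntu: systemctl reload ssh).
}

# ecryptfs_login_seen AUTH_LOG: exit 0 if the log contains the pam_ecryptfs line
# from the answer above, confirming the cause before anything is relocated.
ecryptfs_login_seen() {
    grep -q 'pam_ecryptfs: Passphrase file wrapped' "$1"
}
```

Run as root for a real account, e.g. relocate_authorized_keys ansible /home/ansible /etc/ssh/authorized_keys /etc/ssh/sshd_config, then reload sshd and test a fresh login before closing your current session.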


If you remove the password from the private key, the SSH agent will not ask for one. Assuming that the machine-only account is called ansible like in the question, you can achieve it with this command:

sudo -u ansible ssh-keygen -f ~ansible/.ssh/id_<TYPE> -N ''

or

sudo ssh-keygen -f ~ansible/.ssh/id_<TYPE> -N ''

depending on your access rights management configuration (replace <TYPE> with the key type in question, e.g. rsa, ecdsa, ed25519 etc.).

Password-less machine keys are common practice and safe enough as long as one

  • uses a unique dedicated key for the service using the key (not the same as the key used by the service developer(s)!) and

  • replaces the key and removes it from all authorized_keys files at the first sign of a potential compromise (which is facilitated by the measure described in the previous bullet point).

Of course the key file should have the access mode 0500 to restrict access to the machine account only. That's the default access mode for keys created with ssh-keygen.
