Re: ssh-add no longer accepts passphrase
On 8/5/25 06:49, Alain D D Williams wrote:
I am running Debian 12 - Bookworm.
I have been using ssh to login to remote machines for years. Many of which I
use a private key - so I just go "ssh machine-name" and login without needing
to give a password. To be able to do that I identify myself with ssh-add. I
even wrote a tutorial:
https://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-passwordless-login.html
I have disk hardware problems, I decided to reboot (first time in ~2 months) to
see if this would fix it (no it did not - I will buy a new one later). This
disk failure would not have affected the ssh problem.
So: After reboot (logging in again) I needed to re-identify myself and used
ssh-add as usual.
It tells me: Bad passphrase, try again for /home/addw/.ssh/id_rsa:
I tried many times, I know that I am entering the correct pass phrase. I have
not changed anything in ~/.ssh/ for 6 months. /home/addw/.ssh/id_rsa was
changed in 2020. I do have ssh-agent running.
I note that /usr/bin/ssh-add was updated on 28 July - a week ago.
Has anyone else had problems ?
Any suggestions on how to debug/fix this ?
Thanks in advance.
PS: recent changelog for openssh does not offer a clue:
openssh (1:9.2p1-2+deb12u7) bookworm; urgency=medium
* Handle OpenSSL >=3 ABI compatibility; this helps to avoid new ssh
connections failing during upgrades to trixie (closes: #1110030).
-- Colin Watson <cjwatson@debian.org> Mon, 28 Jul 2025 12:59:40 +0100
On 8/5/25 07:56, Alain D D Williams wrote:
> On Tue, Aug 05, 2025 at 02:49:30PM +0100, Alain Williams wrote:
>
>> So: After reboot (logging in again) I needed to re-identify myself and used
>> ssh-add as usual.
>>
>> It tells me: Bad passphrase, try again for /home/addw/.ssh/id_rsa:
>> ...
>
> Life is too short ... I removed ~/.ssh/id_* and generated new ones, copied them
> over, it now all works.
>
> If anyone has a brilliant explanation of what went wrong I would be interested.
>
> Only thing left to do: ssh-copy-id to various machines.
>
> Regards
AIUI SSH, RSA keys, and SHA-1 are now considered bad practice:
https://news.ycombinator.com/item?id=34196504
It could be that your old keys used SHA-1 and the updated ssh-add(1) was
rejecting them per a new policy (?).
AIUI "ed25519" keys are now preferred (untested code):
$ ssh-keygen -t ed25519
David
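
An added example, not written by anyone in this thread: one way to debug a "Bad passphrase" report like the one above is to check which container format the private key file uses and to try the passphrase with ssh-keygen directly, leaving ssh-add and ssh-agent out of the picture. The function names classify_key and diagnose_key are hypothetical, and the sketch assumes a POSIX shell with grep and ssh-keygen on the PATH.

```shell
#!/bin/sh
# Added example. classify_key and diagnose_key are hypothetical helper names.

# Print the container format of a private key, judged from its PEM header.
classify_key() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    header=$(grep -m1 -e '^-----BEGIN ' "$1") || { echo "unknown"; return 1; }
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh-v1" ;;            # OpenSSH's own format
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")
            echo "pkcs8-plain" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            # Legacy PEM: encryption is announced in a Proc-Type header line.
            if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "legacy-pem-encrypted"
            else
                echo "legacy-pem-plain"
            fi ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Report the format, then test the passphrase without involving the agent.
diagnose_key() {
    key=$1
    fmt=$(classify_key "$key") || { echo "$key: $fmt"; return 1; }
    echo "$key: container format is $fmt"
    # -y derives the public key and prompts for the passphrase itself.
    if ssh-keygen -y -f "$key" >/dev/null; then
        echo "ssh-keygen decrypted the key: look at ssh-add/ssh-agent instead"
    else
        echo "ssh-keygen could not decrypt the key either"
    fi
}

# Usage: diagnose_key "$HOME/.ssh/id_rsa"
```

Run it on a copy of the key before deleting anything, so the original file is still there to compare against.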