I have set up SSH keys, but logging in does not work or still asks for password
Puhti is used as an example for SSH key login in this example. The same steps apply for Mahti as well.
Roihu uses SSH keys together with time-limited SSH certificates. See Roihu-specific aspects of SSH at the end of the document, in the Roihu section.
Please check the following
- You have
added your SSH public key to MyCSC
and it is visible under SSH PUBLIC KEYS on your Profile page. Other ways
to upload your key are not supported.
- Ensure that the key you upload is formatted correctly. It should consist of the SSH key type, the key sequence and an optional comment, all separated by single spaces. Make sure to add the whole SSH key on the same line and do not add other whitespace than normal space characters. If your key is improperly formatted, an error message is displayed. A key in the correct format looks like this:
- The key fingerprint in MyCSC (starting with SHA256) matches the key you
have on your local machine. On Windows, the fingerprint of a loaded key
is shown in the Key section of MobaKeyGen or PuTTYgen. To check the
fingerprint on Linux or macOS, run the command:
If the fingerprint does not match the one in MyCSC, you have not added the
correct key. Output
<key file> is not a public key filemeans that the key you have is faulty. In both cases, it is easiest to create a new key pair and add the new public key to MyCSC. - If you have stored your SSH key file with a non-default name or in a
non-default location, you must tell the
sshcommand where to look for the key. When connecting from the terminal, use option-ias follows: - If
sshcommand still asks for a password, double check whether it is actually asking for a CSC password, or the key passphrase. If you have defined a passphrase for your key (strongly recommended), it is normal that you will need to enter it when connecting. This is different from your CSC account password. To avoid having to type the passphrase repeatedly, you may configure an authentication agent that can hold your keys in memory. - You have waited for at least one hour after adding the key to MyCSC. Syncing the data to CSC servers takes some time and may depend on the current load on the systems. To check if your public key has been synced, you may login to Puhti web interface, open a login node shell and run: For SSH login to work, the above file must exist and contain the key you are trying to use.
- On Linux and macOS, ensure that your
~/.sshfolder and private key file have 0700 and 0600 permissions, respectively. Example of correct permissions: To set correct permissions:
If everything above checks, and you are still unable to log in to Mahti and Puhti, please contact CSC Service Desk.
Roihu: Signing your SSH key
Roihu requires an SSH certificate together with an SSH key. Each certificate is valid for 24 hours at a time. After the certificate expires, you need to sign your SSH key again.
If you cannot log in to Roihu, check that:
- your public SSH key has been added to MyCSC
- you have signed the public key in MyCSC
- the certificate is still valid
- the certificate is saved on your local computer
- your SSH client is using the matching private key and certificate
These steps are done automatically with the certificate helper tool.
The certificate should normally be saved next to the private key using the name
<key>-cert.pub. For example, if your private key is:
With this file name, OpenSSH can usually find the certificate automatically.
If you still get the following error:
Received disconnect from 86.50.172.17 port 22:2: Too many authentication failures
Disconnected from 86.50.172.17 port 22
Your SSH client may be trying too many keys before it tries the correct one. Use the -i option to specify the correct key:
See CSC instructions for details on how you can sign your SSH key with a certificate.