What does identity file type mean in SSH debug messages?
I've been debugging a SSH connection using the following command:
ssh -vT [email protected]
And I got the following messages:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to smilescooter.com port 22.
debug1: Connection established.
debug1: identity file /Users/jerry/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jerry/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jerry/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jerry/.ssh/id_dsa-cert type -1
debug1: identity file /Users/jerry/.ssh/id_ecdsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jerry/.ssh/id_ecdsa-cert type -1
...
debug3: hostkeys_foreach: reading file "/Users/jerry/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/jerry/.ssh/known_hosts:19
debug3: load_hostkeys: loaded 1 keys from smilescooter.com
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
Luckily, the problem was fixed, but I am interested as what the "identity file file_route type n" mean, n here could be -1,0,1,2...
And what does the number(1/2/3..) after debug mean in the beginning of each debugging line?
I wouldn't ask it here if I had found results googling about this. There are a lot of results in google concerning SSH problem debugging, but no one seems to be talking about the two I've asked here.
Thank you so much in advance.
Solution 1:
Identity file is simply a private key (or cert), usually created by running ssh-keygen
. This will by default create an RSA key, but you can change that with the -t
option. According to your output, you have an RSA and an ECDSA key.
The number in identity file type .../.ssh/id_* type <number>
is just the integer value (zero based) of the sshkey_types enum and -1 meaning error (as with most POSIX functions). You can see that the file names contain also the key type:
enum sshkey_types {
KEY_RSA, // id_rsa has type 0
KEY_DSA, // id_dsa has type 1, but as you have no id_dsa key file, -1 is used
KEY_ECDSA, // id_ecdsa has type 2
...
The error messages key_load_public: No such file or directory after the identity file... messages is strange, it seems that the corresponding public key files got deleted. They carry the same file name as the private key with an added .pub
suffix. This is not tragic, as the public key can be regenerated from the private key (but not vice versa, for obvious reasons) with ssh-keygen -y
.
The debug output is explained in this nice Wikibooks article about OpenSSH logging. In short: The number in the debug[123]: ... line prefix indicates the debug level of the message behind it. It corresponds to the number of -v
s you gave on the command line (with 3 being the maximum). I.e., if you set -v
, debug1 messages will get printed, with -vv
you will get debug1 and debug2 etc. (It's a little strange that you get debug3 messages even though you only gave a single -v
, though)
Solution 2:
As the output suggests, "type n" is the internal ID of the key type (RSA, ECDSA, ED25519, etc.). The list can be seen in sshkey.c
.
Similarly, the n after debug
is the debug level. The output you have shown is for -vvv
, or debug logging up to level 3 (the maximum), hence debug1
, debug2
and debug3
.
The full details of both would generally be of use only to OpenSSH developers (primarily, OpenBSD developers), so I wouldn't expect this to be commonly discussed.