Unable to login for first time

Thank you for the report, the page has been updated to make login steps clearer on the pi, let me know if you are still blocked.

(setting the report as incomplete until the updated doc has been tested by the reporter)

the page should probably also mention that you need the secret bit of the ssh key on the machine you try to ssh from ...

I've had the same issue when trying to load on rpi3.
I always get a password prompt even though SSO is setup with SSH public key (RSA) on Ubuntu One and private key on SSH client systems (classic Ubuntu 16.04).

Here's the debug (-v) output from the ssh client session. It falls through to password method :-(.

xxxxxx@u1604:~$ ssh -v yyyyyy@10.0.80.145
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.0.80.145 [10.0.80.145] port 22.
debug1: Connection established.
debug1: identity file /home/xxxxxx/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxxxxx/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.80.145:22 as 'yyyyyy'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: <email address hidden>
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: <email address hidden> MAC: <implicit> compression: none
debug1: kex: client->server cipher: <email address hidden> MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WGx4rmOgFW1p7Fr5UGQmOi8V/8azjAgBZLS11q8FBWk
debug1: Host '10.0.80.145' is known and matches the ECDSA host key.
debug1: Found key in /home/xxxxxx/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xxxxxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/xxxxxx/.ssh/id_dsa
debug1: Trying private key: /home/xxxxxx/.ssh/id_ecdsa
debug1: Trying private key: /home/xxxxxx/.ssh/id_ed25519
debug1: Next authentication method: password
yyyyyy@10.0.80.145's...

I followed the new instructions and was not sucessful. There are a few things that are unclear

1) The steps "Ubuntu Core first boot" are performed at the console, correct?
2) After following the instructions I'm prompted for a password. I used my Ubuntu SSO password but I get the message (after three tries) "Permission denied (publickey, password)". Which password is used when ssh:ing?
3) Using Putty to connect, does "private key file for authentication" need to be included?
4) Is it possible to login to the localhost console from a keyboard?

Thanks

> 1) The steps "Ubuntu Core first boot" are performed at the console, correct?

yes, serial or tty console

> 2) After following the instructions I'm prompted for a password. I used my Ubuntu SSO password but I get the message (after three tries) "Permission denied (publickey, password)". Which password is used when ssh:ing?

there is no password set, local logins are locked down intentionally, only ssh key authentication is allowed by default.

> 3) Using Putty to connect, does "private key file for authentication" need to be included?

i have never used putty but the option you mention sounds about right, the private key that was used for your Ubuntu One account needs to be used for logging in.

> 4) Is it possible to login to the localhost console from a keyboard?

not by default, once you logged in with your secret ssh key you can run "sudo passwd $USER" to enable a local console login if desired.

all this is part of the default snappy security concept so your IoT devices can not be captured by hackers via password cracking to be used in a bot net for DDoS attacks. like it happened in the recent "Mirai" attack...

Oliver: Thank you for the info. This is very helpful.

It would be great if this architecture was described somewhere.

A couple of new questions:
1) If I create an image for my Raspberry Pi 3, and go through all of the configuration steps but never login with ssh, then change my private key and update my public key with Ubuntu One. I assume that I need to login with ssh using my new private key, correct? The public key is not in the image, correct?
2) I assume that during the first login is the only time the Ubuntu Snappy contacts Ubuntu.com. It does not need to do this for every login, correct?
3) After logging in with ssh for the first time, is there a link that describes the process of updating the public key password on the Raspberry Pi?

Thanks again

On 10 November 2016 at 08:15, ME <email address hidden> wrote:

> Oliver: Thank you for the info. This is very helpful.
>
> It would be great if this architecture was described somewhere.
>
> A couple of new questions:
> 1) If I create an image for my Raspberry Pi 3, and go through all of the
> configuration steps but never login with ssh, then change my private key
> and update my public key with Ubuntu One. I assume that I need to login
> with ssh using my new private key, correct? The public key is not in the
> image, correct?
>

No, the configuration process installs the keys associated with your SSO
account at the time that you ran the configuration process. I believe the
plan is to have the keys kept in sync automatically but I don't know where
this is on the roadmap.

> 2) I assume that during the first login is the only time the Ubuntu Snappy
> contacts Ubuntu.com. It does not need to do this for every login, correct?
>

In fact, the only time contact is made is during the configuration process.
If the syncing I mentioned above gets implemented, contact will be made to
refresh the keys from time to time. No contact is made with login.ubuntu.com
during the actual process of logging in.

> 3) After logging in with ssh for the first time, is there a link that
> describes the process of updating the public key password on the Raspberry
> Pi?
>

It's just "sudo passwd $USER" as you would for any other unix system.

Cheers,
mwh

> Thanks again
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to Snappy.
> https://bugs.launchpad.net/bugs/1639646
>
> Title:
> Unable to login for first time
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy/+bug/1639646/+subscriptions
>

[Expired for Snappy because there has been no activity for 60 days.]

hi, i guess i had a similar problem. the root cause was i copied the key from a console with: more .ssh/id_rsa.pub ,and it had line breaks/spaces in it. And the Ubuntu One GUI accepted as-is! It had some weird text on the keys page. When I re-imported the key without any unnecessary line breaks / spaces, the Ubuntu One GUI had only one line of link; and the PI3 started to work.