When attempting SSH authentication from a non-interactive environment (like an Apache user session), you might encounter this stubborn error:
```
read_passphrase: can't open /dev/tty: No such device or address
Permission denied (publickey)
```
This occurs even when using passwordless SSH keys with the -t flag. The root cause typically involves multiple factors including terminal allocation, key format, and host verification.
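The debug output reveals the critical part of the authentication flow:
```
debug1: Offering RSA public key: nonpublic/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
```
This shows that the server accepts your public key, but the client then fails to parse the local private key file. ssh treats the unparseable key as passphrase-protected and tries to prompt for a passphrase, which fails because there is no /dev/tty. Common triggers include: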
- PuTTY-generated keys in PPK format
- Incorrect file permissions (key must be 600)
- Missing host verification in known_hosts
If your key was generated with PuTTYgen, convert it to OpenSSH format:
```bash
# Install putty-tools if needed
sudo apt-get install putty-tools
# Convert PPK to OpenSSH format
puttygen id_rsa.ppk -O private-openssh -o id_rsa
```
Set proper permissions:
```bash
chmod 600 id_rsa
chown apache_user:apache_group id_rsa
```
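For Apache or cron environments, use this optimized command structure:
```bash
# StrictHostKeyChecking=no accepts unknown host keys without verifying them.
# With known_hosts pre-populated, StrictHostKeyChecking=yes still runs
# without prompts and keeps host verification.
ssh -o BatchMode=yes \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/path/to/custom_known_hosts \
    -i /path/to/converted_key \
    user@host command_to_run
```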
Pre-populate known_hosts for non-interactive use:
```bash
ssh-keyscan -p 54367 localhost >> ~apache_user/.ssh/known_hosts
```
Alternatively, use SSH config:
```
Host localhost
    HostName localhost
    Port 54367
    User username
    IdentityFile ~/nonpublic/id_rsa
    StrictHostKeyChecking no
```
- Verify key format with file id_rsa
- Check SELinux context if applicable
- Test with ssh -v for detailed logs
- Ensure home directory permissions (711 for ~/.ssh)
When attempting SSH authentication from a non-interactive environment (like Apache running as www-data), you'll encounter:
```
read_passphrase: can't open /dev/tty: No such device or address
Permission denied (publickey)
```
Let's examine the complete error pattern from the debug output (-v flag):
```
debug1: Offering RSA public key: nonpublic/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read_passphrase: can't open /dev/tty
```
The fundamental issue stems from using a PuTTY-generated private key with OpenSSH. PuTTY uses its proprietary .ppk format, while OpenSSH expects PEM format.
Step 1: Convert PuTTY Key to OpenSSH Format
Install putty-tools if needed:
```bash
sudo apt-get install putty-tools # Debian/Ubuntu
sudo yum install putty # RHEL/CentOS
```
Conversion command:
```bash
puttygen nonpublic/id_rsa -O private-openssh -o openssh_key
```
Step 2: Verify Key Permissions
```bash
chmod 600 openssh_key
chown www-data:www-data openssh_key
```
Step 3: Update SSH Command
```bash
ssh -i /path/to/openssh_key \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/srv/http/.ssh/known_hosts \
    username@localhost command_to_run
```
Step 4: Alternative Solution Using sshpass
If you must keep the PuTTY format temporarily:
```bash
# BatchMode=yes disables passphrase prompts, so sshpass is given no prompt to answer.
sshpass -p "" ssh -i nonpublic/id_rsa \
    -o BatchMode=yes \
    username@localhost command_to_run
```
| Format | Header | PuTTY Compatible | OpenSSH Compatible |
|---|---|---|---|
| PuTTY (.ppk) | PuTTY-User-Key-File-2 | Yes | No |
| OpenSSH (PEM) | -----BEGIN RSA PRIVATE KEY----- | No | Yes |
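The header, passphrase and permission checks discussed above can be combined into one preflight script that runs before ssh is called from Apache or cron. This is an added example, not code from the original page: the function names key_format, key_is_encrypted and key_preflight are made up for it, the sample key header is constructed, and it also recognises the newer -----BEGIN OPENSSH PRIVATE KEY----- header that the table does not list.

```shell
#!/bin/sh
# Added example: preflight a private key for use from an account with no terminal.

# Print the container format, judged by the first line of the file.
key_format() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        PuTTY-User-Key-File-*)                 echo ppk ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# Succeed if the header marks the key as passphrase-protected. The newer
# OPENSSH container keeps that flag inside its base64 body; not decoded here.
key_is_encrypted() {
    case "$(key_format "$1")" in
        ppk) ! grep -q '^Encryption: none' "$1" ;;
        pem) grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1" ;;
        *)   return 1 ;;
    esac
}

# Print one line per problem found; return 1 if there was any.
key_preflight() {
    rc=0
    case "$(key_format "$1")" in
        ppk)     echo "format: PuTTY .ppk, convert with puttygen -O private-openssh"; rc=1 ;;
        unknown) echo "format: unrecognised first line"; rc=1 ;;
    esac
    if key_is_encrypted "$1"; then
        echo "passphrase: key is encrypted, ssh would need /dev/tty to prompt"; rc=1
    fi
    # GNU stat first, BSD stat as fallback; any group/other bit is a problem.
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) ;;
        *)   echo "permissions: mode $mode, use chmod 600"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: header lines of an unencrypted PuTTY key, world-readable.
demo=$(mktemp)
printf '%s\n' 'PuTTY-User-Key-File-2: ssh-rsa' 'Encryption: none' > "$demo"
chmod 644 "$demo"
key_preflight "$demo" || true
rm -f "$demo"
```

A non-zero return from key_preflight means ssh with BatchMode=yes would fail on this key for one of the reasons printed.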
- Always generate keys using ssh-keygen for OpenSSH compatibility
- Set proper permissions: chmod 600 for private keys
- Use -o BatchMode=yes to prevent interactive prompts
- Configure ~/.ssh/config with host-specific settings
```
Host myserver
    HostName localhost
    User username
    Port 54367
    IdentityFile ~/.ssh/openssh_key
    StrictHostKeyChecking no
```