ssh never asks for a password
Try to log in with Public Key Authentication disabled, using

    ssh -o PubkeyAuthentication=no root@newserver

Most probably you have more than one `identityfile` line in your `.ssh/config` file.

Even if you have `identityfile` under `host` configuration, it is applied globally. What that means is that ssh tries every identity file (i.e. public key) on every host, before it asks for password prompt from the server.
You can fix this by
- Removing all but one `identityfile` lines, or
- Adding `PubkeyAuthentication no` to `.ssh/config`, or
- Executing ssh with `-o PubkeyAuthentication=no` parameter.
From `man 5 ssh_config`:

    PubkeyAuthentication
        Specifies whether to try public key authentication. The argument to this
        keyword must be “yes” or “no”. The default is “yes”. This option applies
        to protocol version 2 only.

    IdentityFile
        ...
        It is possible to have multiple identity files specified in configuration
        files; all these identities will be tried in sequence. Multiple
        IdentityFile directives will add to the list of identities tried (this
        behaviour differs from that of other configuration directives).

Some general instructions with public keys:
- In general, you should have only a single private key per client (workstation), and put matching public key to all servers that client should have access to. In other words, share public key between servers, and never use same private key on multiple devices.
- Always generate keypair on your device, and transmit only public key. That way, even if server is compromised, your private key is still safe and secure. This could happen in surprising ways - for example, through backups.
- If someone else administrates the server, you should provide a public key for them; they should not generate keypair and send private key to you. That way, they can't impersonate you with your key (of course, usually they can do whatever they want to). Also, with public key, only integrity (i.e someone did not change the public key) must be protected; with private key, confidentiality (i.e no-one else obtained the key) must be conserved, and it is not possible to be absolutely sure it was not compromised.
- Compromising a server does not compromise other servers, even if you use same private key for connecting to multiple servers (except if you transmitted that private key to the server. Never do that.)
- Compromising your workstation will expose your private keys anyway. Having multiple private keys does not help with this (except if you have different, strong passphrases, and not all of those are available for attacker).
There are some exceptions to this, but not too many.
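
The man page excerpt quoted above says `IdentityFile` directives accumulate while other keywords do not. As an added example (not part of the original answers), this sketch evaluates a constructed `.ssh/config` for a given host and returns whether public key authentication is enabled and which identity files end up in the list. It assumes only `Host` blocks with wildcard and `!` patterns (no `Match` or `Include`); the host names and key paths are made up.

```python
import fnmatch
import re

# Constructed sample config (not from the page).
SAMPLE_CONFIG = """\
Host newserver
    PubkeyAuthentication no
    IdentityFile ~/.ssh/id_newserver

Host git.example.org
    IdentityFile ~/.ssh/id_git

Host *
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ed25519
"""

def host_matches(patterns, host):
    """A matching '!' pattern vetoes the block; otherwise one positive match is enough."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_options(config_text, host):
    """Return (pubkey_enabled, identity_files) for `host`."""
    active = True      # lines before the first Host block apply to every host
    pubkey = None      # first obtained value wins, as for most keywords
    identities = []    # IdentityFile is the exception: every matching line is appended
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, arg = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_matches(arg.split(), host)
        elif active and keyword == "identityfile":
            identities.append(arg)
        elif active and keyword == "pubkeyauthentication" and pubkey is None:
            pubkey = arg.lower()
    return (pubkey != "no", identities)  # default is "yes" when never set

if __name__ == "__main__":
    for h in ("newserver", "git.example.org", "other"):
        print(h, effective_options(SAMPLE_CONFIG, h))
```

On a real machine, `ssh -G hostname` prints the configuration OpenSSH itself resolves for that host, which is the authoritative check.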
Your local ssh shouldn't be asking you for a password, the ssh server on the other end should. It's likely that the server is set up to not accept password authentication. Mine wouldn't ask you for a password either.