When it comes to SSH and PubKey Authentication, it’s best to keep it as simple as possible unless you have a reason to drift from the norm. I can only speak from MacOS and Windows 10 at the moment as I don’t have a Linux box setup locally right now – only the remote Droplets.
I use Terminal on MacOS and PuTTy on Windows 10.
known_hosts file on MacOS does store basic information and that, of course, prevents having to confirm the host that I’m connecting to. Beyond that, the key itself is not cached on either system, so to login, the passphrase for the key must still be used unless there’s no passphrase setup for the key.
I personally wouldn’t use anything that caches the passphrase of my keys, even on my own systems as that is substantially less secure and allows anyone that can gain access the ability to login.
That being said, it’s hard to tell what’s going on. It looks like something is being executed after login (authentication) and it’s attempting to run something that would require
sudo, thus you’re being prompted to authenticate before whatever command is running tries to execute.
Using the details I provided above, your scenario is definitely not normal and shouldn’t happen unless you do have something that is set to run or execute after authentication, in which case, you’d need to find out what that is. It’s hard to tell when you’re just being prompted as it doesn’t provide any actual details on what’s going on.
In any normal circumstance, you’d run:
ssh user@host -i /path/to/privkey
Confirm (if it’s the first connection), or enter your passphrase (if one is set), and you’re in.
I can’t think of anything off the top of my heard that would log you in and then immediately attempt to get you to authenticate your
sudo user unless you’ve somehow been hacked and something is running in an attempt to gain your
sudo password, thus allowing an attacker to get what they’re after.
That’s just a guess, not a claim, and is only based on the information you’re providing.
To test, I would setup a simple 512MB Droplet and run though the configuration I provided. With it, you should confirm once, authenticate with or without a passphrase, and either login and be denied (if the details are not correct).