[Bug 2617] sign_and_send_pubkey: no separate private key for certificate

bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 1 11:36:15 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2617

Adam Eijdenberg <adam at continusec.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adam at continusec.com

--- Comment #4 from Adam Eijdenberg <adam at continusec.com> ---
I found this bug after preparing a similar patch (including tests).

Although the patch provided here is simpler, it fails when using the
new CertificateFile configuration line (which was introduced in the
commit that broke the old behaviour).

e.g. the following config:

CertificateFile /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub
IdentityFile /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa

debug1: Offering RSA-CERT public key: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub
debug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 1540
debug1: sign_and_send_pubkey: no separate private key for certificate "/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub": bad permissions
debug1: Trying private key: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

(and just changing the permissions didn't seem to help, it instead
prompted me for a password for the cert file, which doesn't need one)

Commenting out the explicit reference in config to CertificateFile
makes it work again.

Here is the alternate patch I had put together - it includes tests, and
also addresses a few other somewhat related issues:
https://github.com/openssh/openssh-portable/pull/53

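The debug output in the comment above shows the client treating the CertificateFile itself as the private key (hence the "UNPROTECTED PRIVATE KEY FILE" warning on a 0644 .pub file) instead of using the separately configured IdentityFile. The check a client needs is to unwrap the certificate, take the public key embedded in it, and select the identity whose public key is equal. The following is an added example of that matching logic and is not OpenSSH's code, the reporter's patch, or the pull request linked above; it handles RSA, Ed25519 and ECDSA keys, which goes beyond the RSA case in the comment. All key material, the second identity path and the certificate fields after the public key are constructed for the example (the certificate blob is structurally valid but carries no real signature).

```python
# Added example (not OpenSSH code): match a CertificateFile to the
# IdentityFile whose public key it wraps, instead of loading the
# certificate file as if it were a private key.
import base64
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"

# Number of key-specific strings that follow the key type (and, for
# certificates, the nonce): RSA has e and n, Ed25519 has the point,
# ECDSA has the curve name and the point.
PUBLIC_FIELDS = {
    "ssh-rsa": 2,
    "ssh-ed25519": 1,
    "ecdsa-sha2-nistp256": 2,
    "ecdsa-sha2-nistp384": 2,
    "ecdsa-sha2-nistp521": 2,
}


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length prefix) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if n > len(buf) - off:
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def public_part(line):
    """Return (base key type, tuple of public fields) for one id_*.pub style
    line, with any certificate wrapper (type suffix and nonce) removed."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    keytype, off = _read_string(blob, 0)
    keytype = keytype.decode("ascii")
    if keytype != parts[0]:
        raise ValueError("key type in blob does not match line prefix")
    if keytype.endswith(CERT_SUFFIX):
        base = keytype[:-len(CERT_SUFFIX)]
        _nonce, off = _read_string(blob, off)  # certificates carry a nonce first
    else:
        base = keytype
    if base not in PUBLIC_FIELDS:
        raise ValueError("unsupported key type %r" % base)
    fields = []
    for _ in range(PUBLIC_FIELDS[base]):
        field, off = _read_string(blob, off)
        fields.append(field)
    return base, tuple(fields)


def find_private_key_for_cert(cert_line, identities):
    """identities maps private-key path -> its .pub line.  Return the path
    whose public key equals the one embedded in the certificate, or None
    (a client should then move on to the next identity, never try to load
    the certificate file itself as a private key)."""
    wanted = public_part(cert_line)
    for private_path, pub_line in identities.items():
        if public_part(pub_line) == wanted:
            return private_path
    return None


# --- constructed sample data (not real keys) ---------------------------------
def _s(b):
    return struct.pack(">I", len(b)) + b


def rsa_pub_line(e, n, comment):
    blob = _s(b"ssh-rsa") + _s(e) + _s(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def rsa_cert_line(e, n, key_id):
    # Field order of ssh-rsa-cert-v01@openssh.com: nonce, e, n, serial, type,
    # key id, valid principals, valid_after, valid_before, critical options,
    # extensions, reserved, signature key, signature.  Everything after n is
    # placeholder content here; the matcher never reads it.
    blob = (_s(b"ssh-rsa" + CERT_SUFFIX.encode()) + _s(b"\x00" * 32) + _s(e) + _s(n)
            + struct.pack(">Q", 1) + struct.pack(">I", 1)
            + _s(key_id) + _s(_s(key_id))
            + struct.pack(">Q", 0) + struct.pack(">Q", 2 ** 64 - 1)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"") + _s(b""))
    return "ssh-rsa%s %s %s" % (CERT_SUFFIX, base64.b64encode(blob).decode(), key_id.decode())


E = b"\x01\x00\x01"
N_SHORTLIVED = bytes(range(1, 33))  # stand-in for a real modulus
N_OTHER = bytes(range(33, 65))

IDENTITIES = {
    "/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa": rsa_pub_line(E, N_SHORTLIVED, "shortlived"),
    "/Users/aeijdenberg/.ssh/id_other_rsa": rsa_pub_line(E, N_OTHER, "other"),  # hypothetical second identity
}
SHORTLIVED_CERT = rsa_cert_line(E, N_SHORTLIVED, b"adam")
UNRELATED_CERT = rsa_cert_line(E, bytes(range(65, 97)), b"nobody")

if __name__ == "__main__":
    print(find_private_key_for_cert(SHORTLIVED_CERT, IDENTITIES))
    print(find_private_key_for_cert(UNRELATED_CERT, IDENTITIES))
```

The comparison deliberately ignores the certificate's nonce, serial, validity window and signature: those are the CA's business and are checked by the server, while the client only needs to know which private key can produce a signature the certificate vouches for. A certificate whose embedded key matches no identity yields None rather than an attempt to load the .pub file, which is exactly the path that produced the bad-permissions warning in the debug output.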