ssh-agent and id_dsa

Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
Thu Mar 8 20:55:44 EST 2001


On Thu, Mar 08, 2001 at 12:56:43AM +0100, Markus Friedl wrote:
> On Tue, Feb 20, 2001 at 11:35:23PM +0100, Lutz Jaenicke wrote:
> > > perhaps i add handling of  SSH2_MSG_USERAUTH_PK_OK to the
> > > ssh client, but i'm not sure. 
> > 
> > We'll see :-)
> 
> ok try this:
> 
> this patch implements client side handling of SSH2_MSG_USERAUTH_PK_OK
> messages.
> 
> this means that the client can check whether the server will accept
> the public key and can delay the expensive signature operation until
> the server replies: "yes this key is valid for login".

Ok, I have applied the patch to today's CVS and it compiles fine.
I have now connected to the resulting OpenSSH server without ssh-agent,
it asked for my id_rsa key and the connection succeeded.
Output from slogin is:
...
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001d8b8 hint 0
debug2: input_userauth_pk_ok: fp 04:c5:6a:dc:b9:44:e9:be:0a:5f:43:77:c5:49:21:83debug1: PEM_read_PrivateKey failed
debug1: read SSH2 private key done: name <no key> success 0
Enter passphrase for key '/home/aet/serv01/jaenicke/.ssh/id_rsa':
...

I have then started ssh-agent and loaded the id_rsa key. The connection failed
with
...
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1
debug1: next auth method to try is publickey
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Disconnecting: protocol error: rcvd type 60
debug1: Calling cleanup 0x4000dffa(0x0)

On the server side, this looked like:
...
debug2: input_userauth_request: try method none
Failed none for jaenicke from 141.43.132.151 port 1579 ssh2
debug1: userauth-request for user jaenicke service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: matching key found: file /home/aet/serv01/jaenicke/.ssh/authorized_keys2, line 2
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Postponed publickey for jaenicke from 141.43.132.151 port 1579 ssh2
debug1: userauth-request for user jaenicke service ssh-connection method publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: matching key found: file /home/aet/serv01/jaenicke/.ssh/authorized_keys2, line 2
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Postponed publickey for jaenicke from 141.43.132.151 port 1579 ssh2
Received disconnect from 141.43.132.151: 2: protocol error: rcvd type 60
debug1: Calling cleanup 0x4000ec22(0x0)


I then wanted to retry with id_dsa instead of id_rsa, so I moved away my
id_rsa key (and even commented out the key in authorized_keys2), but
slogin insisted on asking me for the passphrase for a non-existent key...
(Ok, it did stop after the third attempt and advanced to the id_dsa key
which let me log in.)
The login then succeeded and it did succeed as well with ssh-agent this
time. (I have omitted the logs to keep this email reasonably short.)

Anything more you need?
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
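The query/reply round trip that the quoted patch description refers to, written out as an added illustration (not OpenSSH's own code): the client sends a publickey request with the signature flag FALSE, and the server answers with SSH2_MSG_USERAUTH_PK_OK (type 60, the message the unpatched code path in the logs above rejects) only when the key is acceptable, so the client signs nothing until it has seen that reply. Message numbers follow RFC 4252; the user name, key blob and authorized-key table are constructed sample data, and signed requests are not modelled.

```python
import struct

SSH2_MSG_USERAUTH_REQUEST = 50  # RFC 4252 message numbers
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_PK_OK = 60    # the "type 60" seen in the client log above

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def pubkey_query(user: str, pkalg: str, blob: bytes) -> bytes:
    """Client: publickey request with the signature flag FALSE ('would you accept this key?')."""
    return (bytes([SSH2_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x00" + ssh_string(pkalg.encode()) + ssh_string(blob))

def server_handle(msg: bytes, authorized: dict) -> bytes:
    """Server: PK_OK if the offered key is listed for the user, else USERAUTH_FAILURE."""
    if msg[0] != SSH2_MSG_USERAUTH_REQUEST: raise ValueError("unexpected type %d" % msg[0])
    off = 1
    user, off = read_string(msg, off)
    _service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    has_sig, off = msg[off], off + 1
    pkalg, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    if method == b"publickey" and not has_sig and (pkalg, blob) in authorized.get(user, ()):
        return bytes([SSH2_MSG_USERAUTH_PK_OK]) + ssh_string(pkalg) + ssh_string(blob)
    return bytes([SSH2_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey,password") + b"\x00"

def client_should_sign(reply: bytes, pkalg: str, blob: bytes) -> bool:
    """Client: do the expensive signing only after a PK_OK that echoes exactly the key offered."""
    if reply[0] != SSH2_MSG_USERAUTH_PK_OK:
        return False
    alg, off = read_string(reply, 1)
    echoed, _ = read_string(reply, off)
    return alg == pkalg.encode() and echoed == blob

# Constructed sample data: an opaque key blob and a one-entry authorized_keys table.
KEY_BLOB = b"constructed-rsa-key-blob"
AUTHORIZED = {b"jaenicke": {(b"ssh-rsa", KEY_BLOB)}}

def demo(pkalg: str, blob: bytes) -> bool:
    """One query/reply round trip; True means the client would now sign and send."""
    reply = server_handle(pubkey_query("jaenicke", pkalg, blob), AUTHORIZED)
    return client_should_sign(reply, pkalg, blob)
```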