Client-side public key causing mess

Jakub Jelen jjelen at redhat.com
Tue Apr 19 23:18:10 AEST 2016


On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
> that doesn't match the private key file ~/.ssh/id_rsa, it will fail with
> "Permission denied (publickey)."
Why would you do that?
> It seems weird to me that a public key on the client side is taken into
> account, when it works well without.
The pubkey authentication works in two steps.
  * The first one is verification only with the public key (a cheap, fast
operation, which does not require decoding your private key and entering
the pass-phrase).
  * If the first succeeds (or there is no corresponding public key),
then the server verifies whether you have the corresponding private key. If you
provide a signature with a different private key, the server will fail to verify
the signature and fails.
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /root/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey
It is certainly a misconfiguration, but the client should probably validate
what data it sends. I played with a similar issue a few weeks ago. If I
am right, it worked the same way in recent openssh versions. But I would
not consider this a high priority.

-- 
Jakub Jelen
Security Technologies
Red Hat
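The check the reply asks for, namely that id_rsa.pub really is the public half of id_rsa before the client offers it, can be done without decoding the private key: the openssh-key-v1 container stores the public blob in the clear ahead of the (possibly encrypted) private section. The following is an added example, not code from the thread or from OpenSSH; build_private_key_pem is a constructed sample container used only so the check can be exercised offline, and the ed25519 key bytes in it are dummies.

```python
# Compare an id_*.pub line with the public half embedded in its private key.
# The openssh-key-v1 container keeps the public blob in the clear ahead of the
# (possibly encrypted) private section, so no decryption or passphrase is needed.
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def public_blob_from_private(pem: str) -> bytes:
    """Return the public key blob stored in an OpenSSH private key file."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    raw = base64.b64decode(b64)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    off = len(MAGIC)
    for _ in range(3):  # ciphername, kdfname, kdfoptions: read past, never decrypted
        _skip, off = read_ssh_string(raw, off)
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    if nkeys != 1:
        raise ValueError("unexpected key count %d" % nkeys)
    blob, _ = read_ssh_string(raw, off + 4)
    return blob

def public_blob_from_pubfile(line: str) -> bytes:
    """Return the blob from an id_*.pub line: '<type> <base64> [comment]'."""
    return base64.b64decode(line.split()[1])

def keys_match(private_pem: str, pub_line: str) -> bool:
    """True when the .pub file is the public half of the private key file."""
    return public_blob_from_private(private_pem) == public_blob_from_pubfile(pub_line)

def build_private_key_pem(pub_blob: bytes) -> str:
    """Constructed sample: unencrypted container with a dummy private section."""
    body = (MAGIC + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(pub_blob) + ssh_string(b"\x00" * 8))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

On a real key pair, `keys_match(open("~/.ssh/id_rsa").read(), open("~/.ssh/id_rsa.pub").read())` returning False is exactly the stale-.pub situation in the quoted question, caught before ssh offers the wrong key.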