Client-side public key causing mess
elouan.keryell at gmail.com
Wed Apr 20 17:33:26 AEST 2016
2016-04-19 15:18 GMT+02:00 Jakub Jelen <jjelen at redhat.com>:
> On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
>> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
>> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
>> “Permission denied (publickey).”
> Why would you do that?
Well, it just happened to me, though not in that order. I had old
id_rsa & id_rsa.pub key files in my .ssh directory. I uploaded a new id_rsa
private key file (generated on another machine) to replace the old one.
However, the id_rsa.pub stayed the same, and I spent a looot of time
figuring out that it was the cause of my problem.
>> It seems weird to me that a public key on the client side is taken into
>> account, when it works well without.
> The pubkey authentication works in two steps.
> * The first one is verification only with the public key (a cheap, fast
> operation, which does not require decoding your private key and entering
> * If the first succeeds (or there is no corresponding public key) then
> the server verifies whether you have the corresponding private key. If you
> provide a signature with a different private key, the server will fail to
> verify the signature and fails.
Ok, I understand better now. I guess my mistake was to upload only the
private key on the client side, while I should have uploaded both keys
(wiping out the unnecessary old config which was causing trouble).
>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /root/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey
> It is certainly a misconfiguration, but the client should probably validate
> what data it sends. I played with a similar issue a few weeks ago. If I am
> right, it worked the same way in recent OpenSSH versions. But I would not
> consider this a high priority.
Thank you Jakub,
> Jakub Jelen
> Security Technologies
> Red Hat
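A check for the situation described in this thread, added here as an example and not part of the original mail or of OpenSSH itself. ssh(1) offers the contents of id_rsa.pub when that file exists next to id_rsa, so a .pub left over from an old key makes the first (public-key-only) step fail before the private key is ever used. The script below uses ssh-keygen -y, which derives the public key from a private key file, to compare each private key in a directory with its .pub sibling and to rewrite a stale .pub. Function names, the default directory and the id_* naming pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Requires ssh-keygen from OpenSSH. Encrypted private keys will prompt for
# their passphrase when ssh-keygen -y reads them.

# Print "<keytype> <base64 blob>" for the first public key line, dropping
# the trailing comment so that only the key material is compared.
key_fields() {
    awk 'NR == 1 { print $1, $2 }'
}

# pubkey_matches PRIVATE_KEY PUBLIC_KEY
# Exit 0 when PUBLIC_KEY is the public half of PRIVATE_KEY, 1 on a mismatch,
# 2 when a file is unreadable or PRIVATE_KEY cannot be parsed.
pubkey_matches() {
    priv=$1
    pub=$2
    [ -r "$priv" ] && [ -r "$pub" ] || return 2
    derived=$(ssh-keygen -y -f "$priv" 2>/dev/null) || return 2
    derived=$(printf '%s\n' "$derived" | key_fields)
    stored=$(key_fields < "$pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# regenerate_pubkey PRIVATE_KEY PUBLIC_KEY
# Rewrite PUBLIC_KEY from PRIVATE_KEY: the fix for a stale id_rsa.pub.
regenerate_pubkey() {
    ssh-keygen -y -f "$1" > "$2"
}

# check_ssh_dir [DIR]
# Report every private key named id_* in DIR (default ~/.ssh, an assumption)
# whose .pub sibling does not belong to it. A private key without a .pub is
# skipped: ssh then takes the public key from the private key file itself.
# Returns 0 when every pair matches, 1 when any pair is wrong.
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for priv in "$dir"/id_*; do
        case $priv in *.pub) continue ;; esac
        [ -f "$priv" ] || continue
        pub="$priv.pub"
        [ -f "$pub" ] || continue
        if pubkey_matches "$priv" "$pub"; then
            echo "OK       $pub"
        else
            echo "MISMATCH $pub does not belong to $priv (or could not be read)"
            echo "         fix: ssh-keygen -y -f $priv > $pub"
            bad=1
        fi
    done
    return $bad
}
```

Run check_ssh_dir with no argument to audit ~/.ssh; a MISMATCH line is exactly the case in this thread, and ssh -v will show the stale key being offered as "Offering RSA public key" followed by "Authentications that can continue: publickey" because the server never saw the key that belongs to the private key. Deleting the .pub also works, at the cost of ssh loading (and, if encrypted, prompting for) the private key just to learn its public half.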