Client-side public key causing mess

Elouan Keryell-Even elouan.keryell at
Wed Apr 20 17:33:26 AEST 2016

2016-04-19 15:18 GMT+02:00 Jakub Jelen <jjelen at>:

> On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
>> However, on the client-side, if I add a ~/.ssh/ public key file
>> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
>> “Permission denied (publickey).”
> Why would you do that?

Well it just happened to me, though not in that order. I had old keys
id_rsa & files in my .ssh directory. I uploaded a new id_rsa
private key file (generated on another machine) to replace the old one.
However, the stayed the same, and I spent a lot of time figuring
out it was the cause of my problem.

>> It seems weird to me that a public key on the client side is taken into
>> account, when it works well without.
> The pubkey authentication works in two steps.
>  * The first one is verification only with the public key (a cheap, fast
> operation, which does not require decoding your private key and entering
> a pass-phrase).
>  * If the first succeeds (or there is no corresponding public key) then
> the server verifies if you have the corresponding private key. If you provide
> a signature with a different private key, the server will fail to verify the
> signature and fails.

OK, I understand better now. I guess my mistake was to upload only the
private key on the client side, while I should have uploaded both keys
(wiping out the unnecessary old config which was causing trouble).

>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /root/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey
> It is certainly a misconfiguration, but the client should probably validate
> what data it sends. I played with a similar issue a few weeks ago. If I am
> right, it worked the same way in recent openssh versions. But I would not
> consider this as a high priority.

Thank you Jakub,


> --
> Jakub Jelen
> Security Technologies
> Red Hat
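
The check below is an added example, not part of the original thread: it uses `ssh-keygen -y` to derive the public key from a private key file and compares it with the public key file stored beside it, which is the mismatch described in this message. The function names and the default `<private>.pub` path are assumptions of the example.

```shell
#!/bin/sh
# Added example: detect a client-side public key file that does not belong
# to the private key next to it. Paths are supplied by the caller.

# Keep only "key-type base64-blob" from a public key line; the trailing
# comment differs between files and is not part of the key.
key_material() {
    awk 'NF >= 2 { print $1, $2; exit }'
}

# check_keypair PRIVATE [PUBLIC]
# Returns 0 on match (or when there is no public file to compare),
# 1 on mismatch, 2 when the check cannot be performed.
check_keypair() {
    ck_priv=$1
    ck_pub=${2:-$1.pub}   # assumption: public file is PRIVATE with ".pub" added

    [ -r "$ck_priv" ] || { echo "cannot read $ck_priv" >&2; return 2; }
    if [ ! -e "$ck_pub" ]; then
        echo "no $ck_pub present, nothing to compare"
        return 0
    fi

    # ssh-keygen -y prints the public key that corresponds to a private key
    # (it asks for the passphrase if the private key is protected).
    ck_derived=$(ssh-keygen -y -f "$ck_priv" | key_material)
    ck_stored=$(key_material < "$ck_pub")
    if [ -z "$ck_derived" ] || [ -z "$ck_stored" ]; then
        echo "could not read key material from $ck_priv or $ck_pub" >&2
        return 2
    fi

    if [ "$ck_derived" = "$ck_stored" ]; then
        echo "OK: $ck_pub matches $ck_priv"
        return 0
    fi
    echo "MISMATCH: $ck_pub does not belong to $ck_priv" >&2
    return 1
}

# Run the check when the script is given arguments,
# e.g. sh check_keypair.sh ~/.ssh/id_rsa
[ $# -eq 0 ] || check_keypair "$@"
```

A return value of 1 means the public file should be regenerated from the private key or removed before retrying the login.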

More information about the openssh-unix-dev mailing list