Better reporting for signature algorithm mismatch?
Brian Candler
b.candler at pobox.com
Thu Dec 5 22:45:27 AEDT 2024
On 05/12/2024 10:16, Jochen Bern wrote:
> ouldn't the extra output, even in cases where a different keypair
> succeeds later on, threaten to hose applications that expect the
> connection to be transparent (or fail completely)? As in, rsync, git,
> etc.?
>
I don't think it would be a problem. There are many other cases where
the ssh client inserts messages in normal operation, such as saying the
host key is unknown and prompting you to accept it, or
password/passphrase/keyboard-interactive authentication.
Also, the remote host itself can generate extra messages on stderr: on a
git push/pull for example, I often get messages such as what URL to use
to make a merge request. Any reasonable client is going to pass these
through.
> *If* the login fails *altogether*, however, doing a "post mortem" and
> adding a line to the effect of "oh, by the way, *one* of the keypairs
> failed only because of rare condition XY" could still be helpful.
That would be good enough. Something like "One or more keypairs could
not be used because no mutual signature algorithm". Ideally it would be
shown *before* the password prompt when falling back to password auth
after key auth has failed.