[Bug 1526] New: SSH key prompt if public key missing and pubkey auth fails

bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 20 04:51:35 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1526

           Summary: SSH key prompt if public key missing and pubkey auth
                    fails
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P4
         Component: ssh-agent
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: vgiffin at apple.com


If the public key corresponding to an SSH private key is not in ~/.ssh
and public key authentication fails, ssh will ask for your key's
password, even if it has already been added to ssh-agent.

Steps to Reproduce:
1. Place an SSH private key with an associated password in ~/.ssh/.
2. Remove the corresponding .ssh/id_dsa.pub file.
3. SSH somewhere where the public key is authorized.
4. SSH somewhere where the public key is unauthorized.

Expected Results:
The public key authentication fails.

Actual Results:
A prompt appears requesting your key password.

Regression:
The password prompt does not appear if public-key auth is disabled
(e.g. "ssh -o PreferredAuthentications=password").

Notes:
When the public key file is missing, it seems SSH somehow thinks
there's a "phantom" key present, for which it's prompting.  With
id_dsa.pub present, ssh -vv prints:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108680)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

With it absent, you get:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108ce0)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug2: key: /Users/nicholas/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/nicholas/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
[dialog appears here]

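The two `ssh -vv` traces in the report differ by one identity line: the same path listed a second time with a null pointer. The following is an added example, not part of the original report or of OpenSSH, that flags that pattern in a captured trace. It assumes a null pointer in a `debug2: key:` line means no public key was loaded for that identity file; the function and variable names are hypothetical.

```python
import re

# "debug2: key: <path> (<pointer>)"; a null pointer prints as 0x0 or (nil)
KEY_LINE = re.compile(r"^debug2: key: (.+) \((0x[0-9a-fA-F]+|\(nil\))\)$")
TRY_LINE = re.compile(r"^debug1: Trying private key: (.+)$")

def is_null(ptr):
    return ptr == "(nil)" or int(ptr, 16) == 0

def find_phantom_identities(log_text):
    """Return paths listed both with a loaded key and with a null pointer.

    Assumption: a null pointer means ssh had no public key for that
    identity file, so it could not match it to the key already offered.
    """
    loaded, unloaded, tried = set(), [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            path, ptr = m.groups()
            if not is_null(ptr):
                loaded.add(path)
            elif path not in unloaded:
                unloaded.append(path)
            continue
        m = TRY_LINE.match(line)
        if m:
            tried.add(m.group(1))
    # private_key_read: ssh went on to open the private key file itself,
    # which is the step that triggers the passphrase prompt in the report
    return [{"path": p, "private_key_read": p in tried}
            for p in unloaded if p in loaded]

# Sample input: lines excerpted from the two traces in the report above.
LOG_WITH_PUB = """\
debug2: key: /Users/nicholas/.ssh/id_dsa (0x108680)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug1: No more authentication methods to try.
"""
LOG_WITHOUT_PUB = """\
debug2: key: /Users/nicholas/.ssh/id_dsa (0x108ce0)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug2: key: /Users/nicholas/.ssh/id_dsa (0x0)
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug1: Trying private key: /Users/nicholas/.ssh/id_dsa
"""

if __name__ == "__main__":
    print(find_phantom_identities(LOG_WITHOUT_PUB))
```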