[Bug 2617] sign_and_send_pubkey: no separate private key for certificate

bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 1 11:36:15 AEDT 2016


Adam Eijdenberg <adam at continusec.com> changed:

           What    |Removed                     |Added
                 CC|                            |adam at continusec.com

--- Comment #4 from Adam Eijdenberg <adam at continusec.com> ---
I found this bug after preparing a similar patch (including tests).

Although the patch provided here is simpler, it fails when using the
new CertificateFile configuration line (which was introduced in the
commit that broke the old behaviour).

e.g. the following config:

IdentityFile /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa

debug1: Offering RSA-CERT public key:
debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen
debug1: sign_and_send_pubkey: no separate private key for certificate
Permissions 0644 for
'/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub' are too
It is required that your private key files are NOT accessible by
This private key will be ignored.
Load key
"/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub": bad
debug1: Trying private key:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

(and just changing the permissions didn't seem to help, it instead
prompted me for a password for the cert file, which doesn't need one)

Commenting out the explicit reference in config to CertificateFile
makes it work again.

Here is the alternate patch I had put together - it includes tests, and
also addresses a few other somewhat related issues:


More information about the openssh-bugs mailing list
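
Added example, not part of the original comment and not OpenSSH code: a Python check that pairs each CertificateFile with its IdentityFile and applies a private-key permission rule to both files, showing why a certificate at mode 0644 is rejected once it is loaded as though it were a private key. The `<key>-cert.pub` pairing, the "no group/other bits" test, and the constructed temporary files are assumptions of this example.

```python
import os
import re
import stat
import tempfile

CERT_SUFFIX = "-cert.pub"  # assumed naming convention for a key's certificate
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.+)")  # "Keyword value" or "Keyword=value"

def private_key_perm_ok(path):
    """Assumed private-key rule: no group/other permission bits set."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0

def parse_config(text):
    """Collect IdentityFile / CertificateFile paths from ssh_config-style text."""
    paths = {"identityfile": [], "certificatefile": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if m and m.group(1).lower() in paths:
            value = m.group(2).strip().strip('"')
            paths[m.group(1).lower()].append(os.path.expanduser(value))
    return paths

def audit(config_text):
    """For each configured certificate, report its paired key and both permission results."""
    cfg = parse_config(config_text)
    report = []
    for cert in cfg["certificatefile"]:
        derived = cert[:-len(CERT_SUFFIX)] if cert.endswith(CERT_SUFFIX) else None
        key = derived if derived in cfg["identityfile"] else None
        report.append({
            "cert": cert,
            "paired_key": key,  # None means no separate private key is configured
            "key_perm_ok": private_key_perm_ok(key) if key else None,
            # Result if the certificate is checked as though it were a private key:
            "cert_passes_private_key_rule": private_key_perm_ok(cert),
        })
    return report

def demo():
    """Build a constructed key/cert pair (placeholder contents) and audit it."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_example_rsa")
        cert = key + CERT_SUFFIX
        for path, mode in ((key, 0o600), (cert, 0o644)):
            with open(path, "w") as f:
                f.write("constructed placeholder, not real key material\n")
            os.chmod(path, mode)
        return audit(f"IdentityFile {key}\nCertificateFile {cert}\n")
```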