[Bug 2776] New: SSH ignores explicitly specified id_rsa if id_rsa.pub doesn't match

bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 13 08:45:49 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2776

            Bug ID: 2776
           Summary: SSH ignores explicitly specified id_rsa if id_rsa.pub
                    doesn't match
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: carlpaten at gmail.com

Note: throughout this report, I'm using "id_rsa" (resp. "id_rsa.pub")
as a stand-in for the default private (resp. public) key file.

What this issue looks like when you run into it:

    me at myHost:~$ cp -p .ssh/id_rsa .ssh/id_rsa2
    me at myHost:~$ ssh -i .ssh/id_rsa remoteHost # doesn't work
    me at myHost:~$ ssh -i .ssh/id_rsa2 remoteHost # works

The only hint of exactly what is wrong (running with -v):

    debug1: Offering RSA public key: .ssh/id_rsa

versus

    debug1: Trying private key: .ssh/id_rsa2

The cause: id_rsa.pub doesn't match id_rsa. The client offers
id_rsa.pub to the remote host, is refused, and concludes that id_rsa
won't match.

Expected behaviour: the client should not assume that id_rsa.pub
matches id_rsa. Either this could be checked, or id_rsa.pub could be
generated from id_rsa every time.

(This might seem like a trivial problem, but it took me and a colleague
more than two hours to zero in on this and figure it out. That looks
vaguely like a lower bound if you consider the relevant ServerFault
submissions.)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
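
The mismatch described in this report can be checked for by hand. The following is an added example, not part of the original report and not OpenSSH code: it derives the public key from a private key with `ssh-keygen -y` and compares it to the adjacent `.pub` file. The function names `key_fields` and `check_keypair` are hypothetical.

```shell
#!/bin/sh
# Added example: verify that KEY.pub is really the public half of KEY.
# Function names are hypothetical; only ssh-keygen -y/-f are real OpenSSH options.

# Print "<type> <base64-blob>" from a public key line, dropping the comment,
# so that a differing comment field is not reported as a mismatch.
key_fields() {
    awk 'NF >= 2 { print $1, $2; exit }'
}

# check_keypair PRIVATE_KEY
# Returns 0 if PRIVATE_KEY.pub matches, 1 if it does not,
# 2 if the comparison cannot be made (missing file, unreadable or locked key).
check_keypair() {
    priv=$1
    pub=$priv.pub
    [ -r "$priv" ] || { echo "cannot read $priv" >&2; return 2; }
    [ -r "$pub" ]  || { echo "no $pub to compare against" >&2; return 2; }

    # ssh-keygen -y prints the public key computed from the private key.
    derived=$(ssh-keygen -y -f "$priv" 2>/dev/null | key_fields)
    [ -n "$derived" ] || { echo "could not derive public key from $priv" >&2; return 2; }

    on_disk=$(key_fields < "$pub")
    if [ "$derived" = "$on_disk" ]; then
        echo "OK: $pub matches $priv"
        return 0
    fi
    echo "MISMATCH: $pub is not the public half of $priv"
    return 1
}

# Usage: check_keypair "$HOME/.ssh/id_rsa"
```

A return value of 1 for a key passed with `-i` corresponds to the situation in this report, where the debug output shows the key being offered rather than tried.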

