Client-side public key causing mess

Elouan Keryell-Even elouan.keryell at gmail.com
Wed Apr 20 17:33:26 AEST 2016


2016-04-19 15:18 GMT+02:00 Jakub Jelen <jjelen at redhat.com>:

> On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
>
>> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
>> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
>> “Permission denied (publickey).”
>>
> Why would you do that?

Well, it just happened to me, though not in that order. I had old id_rsa &
id_rsa.pub key files in my .ssh directory. I uploaded a new id_rsa private
key file (generated on another machine) to replace the old one. However,
the id_rsa.pub stayed the same, and I spent a looot of time figuring out
that it was the cause of my problem.

>
>> It seems weird to me that a public key on the client side is taken into
>> account, when it works well without.
>>
> The pubkey authentication works in two steps.
>  * The first one is verification only with the public key (a cheap, fast
> operation, which does not require decoding your private key or entering a
> passphrase).
>  * If the first succeeds (or there is no corresponding public key) then
> the server verifies that you have the corresponding private key. If you
> provide a signature with a different private key, the server will fail to
> verify the signature and fails.

Ok, I understand better now. I guess my mistake was to upload only the
private key on the client side, while I should have uploaded both keys
(wiping out the unnecessary old config which was causing trouble).

>
>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /root/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey
>>
> It is certainly a misconfiguration, but the client should probably validate
> what data it sends. I played with a similar issue a few weeks ago. If I am
> right, it worked the same way in recent openssh versions. But I would not
> consider this as a high priority.


Thank you Jakub,

Elouan

>
>
> --
> Jakub Jelen
> Security Technologies
> Red Hat
>
>
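As an added example (not from the thread or from OpenSSH itself), a small POSIX shell check for the stale-.pub situation Jakub describes: it derives the public key from the private key with `ssh-keygen -y` and compares it with the `.pub` file the client would otherwise offer in the first, public-key-only step. The function name `keypair_matches` and the default `.pub` path are assumptions; `ssh-keygen` must be on PATH, and an encrypted private key will prompt for its passphrase.

```shell
#!/bin/sh
# Added example: verify that a private key and its .pub file belong together
# before ssh offers the .pub file to the server.
# Usage: keypair_matches /path/to/id_rsa [/path/to/id_rsa.pub]
# Exit status: 0 = match (or no .pub file present), 1 = mismatch,
#              2 = ssh-keygen could not read the private key.
keypair_matches() {
  priv="$1"
  pub="${2:-$1.pub}"
  # Without a .pub file ssh derives the public key from the private key
  # itself, so there is nothing that can be out of sync.
  [ -f "$pub" ] || return 0
  # Derive "type base64blob" from the private key (prompts if passphrase-protected).
  derived=$(ssh-keygen -y -f "$priv") || return 2
  # Compare only key type and key blob; the trailing comment field may differ.
  set -- $derived
  d_type=$1; d_blob=$2
  set -- $(cat "$pub")
  p_type=$1; p_blob=$2
  if [ "$d_type" = "$p_type" ] && [ "$d_blob" = "$p_blob" ]; then
    return 0
  fi
  echo "mismatch: $pub does not belong to $priv (ssh would offer the wrong key)" >&2
  return 1
}
```

Running `ssh -v` afterwards should show "Offering RSA public key" with a key the server actually accepts.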

