Client-side public key causing mess
Damien Miller
djm at mindrot.org
Fri Apr 22 17:41:10 AEST 2016
On Tue, 19 Apr 2016, Elouan Keryell-Even wrote:
> Hello,
>
> I have a client machine and a server machine. I generated a pair of
> private-public rsa keys using ssh-keygen.
>
> On the client-machine, I uploaded my private key onto ~/.ssh/id_rsa
>
> On the server machine, I appended the content of the public key to
> .ssh/authorized_keys
>
> I can successfully connect from the client to the server with that config.
>
> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
> “Permission denied (publickey).”
>
> Error on the server-side (sshd logs):
>
> error: RSA_public_decrypt failed:
> error:0407006A:lib(4):func(112):reason(106)
ssh uses the public key to avoid loading or decrypting the private
key for cases were it isn't necessary. We should improve the handling
of cases where they don't match.
diff --git a/sshconnect2.c b/sshconnect2.c
index 1cf48a2..5a27392 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1243,6 +1243,14 @@ load_identity_file(Identity *id)
quit = 1;
break;
}
+ if (private != NULL && id->key != NULL &&
+ !sshkey_equal(id->key, private)) {
+ error("Load key \"%s\": private key does not match "
+ "public key", id->filename);
+ sshkey_free(private);
+ private = NULL;
+ quit = 1;
+ }
if (!quit && private != NULL && id->agent_fd == -1 &&
!(id->key && id->isprivate))
maybe_add_key_to_agent(id->filename, private, comment,
More information about the openssh-unix-dev
mailing list