Bug 1694

Summary: If authorized_keys exists but can not be opened, this should be logged on server
Product: Portable OpenSSH
Reporter: Rafał Maj <rafal.maj.it>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: minor
CC: dtucker
Priority: P2
Version: 5.1p1
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 1626
Attachments:
More log/debug about why authorized_keys could not be used (flags: none)
ssh-pubkey-debug.patch (flags: none)

Description Rafał Maj 2010-01-10 15:58:08 AEDT
If authorized_keys exists, but has chmod 000, or .ssh has chmod 000 or 600, or for other reason it can not be read by server, then there is little clue, in the logs, what is going on.

Just:
debug1: trying public key file /home/userfoo/.ssh/authorized_keys
debug1: restore_uid: 0/0

Admin should be informed that there was some problem accessing authorized_keys (other than a non-existing file).
Comment 1 Rafał Maj 2010-01-10 16:04:18 AEDT
Also in Ubuntu https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/505301
Comment 2 Rafał Maj 2010-01-10 16:06:33 AEDT
Created attachment 1771 [details]
More log/debug about why authorized_keys could not be used

This will provide more information.

On DebugLevel INFO it will only inform when there was an I/O error when accessing an existing .ssh/authorized_keys file (like 000 permissions etc.)

On DEBUG3 it will also inform if the file simply did not exist, to make the full log clear about this.
Comment 3 Darren Tucker 2010-01-10 18:08:35 AEDT
The keyfile not existing is not unusual (it's the default state) and is probably not worth mentioning.  Adding a debug message for the rest seems reasonable as long as we don't editorialize too much.
Comment 4 Darren Tucker 2010-01-10 18:09:43 AEDT
Created attachment 1772 [details]
ssh-pubkey-debug.patch

Output a debug if we can't open an existing keyfile.
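The distinction agreed in Comments 3 and 4, as an added illustration that is not the attached patch or OpenSSH code: a missing keyfile (ENOENT) stays silent because it is the default state, while any other open failure (mode 000, an untraversable ~/.ssh, a path component that is not a directory) produces a log line with the errno text. The function names, the enum and the message wording are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of trying to open a user's authorized_keys file (hypothetical names). */
enum keyfile_status {
    KEYFILE_OPENED,     /* opened; caller goes on to parse keys */
    KEYFILE_MISSING,    /* ENOENT: the normal default state, nothing worth logging */
    KEYFILE_UNREADABLE  /* exists (or its directory blocks access) but cannot be opened */
};

/* Map an errno from fopen() to the two cases the fix distinguishes. */
enum keyfile_status classify_keyfile_errno(int err)
{
    return err == ENOENT ? KEYFILE_MISSING : KEYFILE_UNREADABLE;
}

/*
 * Try to open the keyfile. On failure, fill msg with the text that would go
 * to the debug log: empty for a missing file, otherwise the path plus the
 * strerror() text so an admin can see e.g. "Permission denied".
 */
enum keyfile_status
open_keyfile(const char *path, FILE **fp, char *msg, size_t msglen)
{
    enum keyfile_status st;
    int err;

    msg[0] = '\0';
    *fp = fopen(path, "r");
    if (*fp != NULL)
        return KEYFILE_OPENED;

    err = errno;  /* save before any library call can clobber it */
    st = classify_keyfile_errno(err);
    if (st == KEYFILE_UNREADABLE)
        snprintf(msg, msglen, "Could not open keyfile '%s': %s",
            path, strerror(err));
    return st;
}
```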
Comment 5 Darren Tucker 2010-01-10 18:18:51 AEDT
Patch #1772 has been applied and will be in the 5.4 release.  Thanks for the report.
Comment 6 Darren Tucker 2010-03-26 10:51:26 AEDT
With the release of 5.4p1, this bug is now considered closed.