Bug 2700

Summary: Missing PEM identity_file should be a fatal error
Product: Portable OpenSSH Reporter: jg
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm, dtucker
Priority: P5    
Version: 7.2p2   
Hardware: Other   
OS: Linux   

Description jg 2017-03-27 17:12:51 AEDT 
ssh -i "me.pem" ubuntu@myserver33.net
Warning: Identity file me.pem not accessible: No such file or directory.
Permission denied (publickey).

I can see there is a 3 second wait before the "Permission denied (publickey)." which is the connection to the myserver33.net

My thought is that this should be a fatal error, not just a warning.


Another note, the error is not accurate, as only a file is expected. ie if open() on the file fails, errno is ENOENT, then it should say "No such file"

"Identity file me.pem not accessible: No such file."

Thank you, Jonny
Comment 1 Darren Tucker 2017-03-27 17:36:41 AEDT 
(In reply to jg from comment #0)
> ssh -i "me.pem" ubuntu@myserver33.net
[...]
> My thought is that this should be a fatal error, not just a warning.

Well the connection may be able to succeed via some other key (eg from an agent) or via another auth method (the client doesn't know what methods the server will offer when it's parsing options).

As for whether a missing/unreadable key file should be a fatal error, I'm not sure.  I can imagine it breaking otherwise working configs.

> Another note, the error is not accurate, as only a file is expected.
> ie if open() on the file fails, errno is ENOENT, then it should say
> "No such file"

ENOENT is not that specific.  If you specify a non-existent directory (eg -i "/no/such/id") in which case that message would be wrong.
Comment 2 jg 2017-03-27 17:57:06 AEDT 
Hi Darren
Thank you for your reply.

Yes, working configurations that still work after a missing identity_file are specifically provided are impacted. I think if someone specifies a file, it is expected to find it.. so let's change i to fatal?

Re if a directory is specified, eg "my_dir" I think "Identity file my_dir not accessible: No such file." is still accurate isn't it?

can use stat() to check if it is a file or dir, S_ISDIR etc, if really needed to give a secondary message to say:

"Identity file my_dir not accessible: Is a directory."

Other tools do handle correctly this situation:

$ objdump -d missing_file
objdump: 'missing_file': No such file

$ objdump -d my_dir
objdump: Warning: 'my_dir' is not an ordinary file

Added it to my blog
http://technoramauk.blogspot.com/2017/03/enoent-no-such-file-or-directory.html
Comment 3 Damien Miller 2018-04-06 12:31:23 AEST 
We prefer the current behaviour for the reasons that Darren mentioned and don't intend to change it.
Comment 4 Damien Miller 2021-04-23 15:03:34 AEST 
closing resolved bugs as of 8.6p1 release