| Summary: | SSH ignores explicitly specified id_rsa if id_rsa.pub doesn't match | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | carlpaten <carlpaten> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED DUPLICATE | | |
| Severity: | minor | CC: | djm |
| Priority: | P5 | | |
| Version: | 7.4p1 | | |
| Hardware: | amd64 | | |
| OS: | Mac OS X | | |

We added an explicit error for that recently. It still refuses to accept the key (by intention), but it tells you: https://anongit.mindrot.org/openssh.git/commit/?id=c4972d0a9bd6f898462906b4827e09b7caea2d9b

That change will be in the openssh-7.6 release

*** This bug has been marked as a duplicate of bug 2737 ***

closing resolved bugs as of 8.6p1 release

Note: throughout this report, I'm using "id_rsa" (resp. "id_rsa.pub") as a stand-in for the default private (resp. public) key file.

What this issue looks like when you run into it:

```
me@myHost:~$ cp -p .ssh/id_rsa .ssh/id_rsa2
me@myHost:~$ ssh -i .ssh/id_rsa remoteHost # doesn't work
me@myHost:~$ ssh -i .ssh/id_rsa2 remoteHost # works
```

The only hint of exactly what is wrong (running with -v):

```
debug1: Offering RSA public key: .ssh/id_rsa
```

versus

```
debug1: Trying private key: .ssh/id_rsa2
```

The cause: id_rsa.pub doesn't match id_rsa. The client offers id_rsa.pub to the remote host, is refused, and concludes that id_rsa won't match.

Expected behaviour: the client should not assume that id_rsa.pub matches id_rsa. Either this could be checked, or id_rsa.pub could be generated from id_rsa every time.

(This might seem like a trivial problem, but it took me and a colleague more than two hours to zero in on this and figure out. That looks vaguely like a lower bound if you consider the relevant ServerFault submissions.)
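
A local check for the mismatch described in this report, added here as an example and not part of the original bug thread or of OpenSSH: it derives the public key from the private key with `ssh-keygen -y` and compares it with the `.pub` file sitting beside it. The function name `check_keypair` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# check_keypair PRIVATE_KEY [PUBLIC_KEY]   (hypothetical helper, added example)
#   returns 0  the .pub file matches the private key, or no .pub file exists
#   returns 1  the .pub file holds a different key (the case in this report)
#   returns 2  the private key could not be read or decoded
check_keypair() {
    priv=$1
    pub=${2:-$priv.pub}

    if [ ! -r "$priv" ]; then
        echo "cannot read private key: $priv" >&2
        return 2
    fi

    # With no .pub file next to it, ssh loads the private key itself
    # ("Trying private key" in the -v output), so nothing can be stale.
    if [ ! -r "$pub" ]; then
        echo "no $pub present; nothing to compare" >&2
        return 0
    fi

    # ssh-keygen -y prints the public key derived from the private key.
    # For a passphrase-protected key it prompts on the terminal.
    derived=$(ssh-keygen -y -f "$priv" 2>/dev/null) || {
        echo "could not derive a public key from $priv" >&2
        return 2
    }

    # Compare key type and base64 blob only; the trailing comment may differ.
    want=$(printf '%s\n' "$derived" | awk '{ print $1, $2; exit }')
    have=$(awk '!/^#/ && NF >= 2 { print $1, $2; exit }' "$pub")

    if [ "$want" = "$have" ]; then
        echo "OK: $pub matches $priv"
        return 0
    fi

    echo "MISMATCH: $pub was not generated from $priv" >&2
    echo "regenerate it with: ssh-keygen -y -f $priv > $pub" >&2
    return 1
}

# When run as a script with arguments, check the given key and exit
# with the function's return code.
[ $# -eq 0 ] || check_keypair "$@"
```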