Bug 1526 - SSH key prompt if public key missing and pubkey auth fails
Summary: SSH key prompt if public key missing and pubkey auth fails
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-agent
Version: 5.1p1
Hardware: Other Mac OS X
Importance: P4 normal
Assignee: Assigned to nobody
Reported: 2008-09-20 04:51 AEST by Disco Vince Giffin
Modified: 2009-02-23 13:36 AEDT
Description Disco Vince Giffin 2008-09-20 04:51:34 AEST
If the public key corresponding to an SSH private key is not in ~/.ssh and public key authentication fails, ssh will ask for your key's password, even if it has already been added to ssh-agent.

Steps to Reproduce:
1. Place an SSH private key with an associated password in ~/.ssh/.
2. Remove the corresponding .ssh/id_dsa.pub file.
3. SSH somewhere where the public key is authorized.
4. SSH somewhere where the public key is unauthorized.

Expected Results:
The public key authentication fails.

Actual Results:
A prompt appears requesting your key password.

Regression:
The password prompt does not appear if public-key auth is disabled (e.g. "ssh -o PreferredAuthentications=password").

Notes:
When the public key file is missing, it seems SSH somehow thinks there's a "phantom" key present, for which it's prompting.  With id_dsa.pub present, ssh -vv prints:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108680)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

With it absent, you get:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108ce0)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug2: key: /Users/nicholas/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/nicholas/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
[dialog appears here]
Comment 1 Damien Miller 2009-01-21 20:12:20 AEDT
I believe that this is not fixable - ssh needs the public key to determine whether or not a particular key has been tried, but it cannot extract this from a private key without decrypting it first, therefore it needs to ask for the passphrase.
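A defender-side check for the condition described in this bug, added here as an example and not part of the bug report or of OpenSSH itself: the first function lists private keys in an identity directory that have no .pub file beside them (the state that makes ssh fall through to decrypting the key and prompting), and the second picks the "phantom" identities out of saved `ssh -vv` output by keying on the `(0x0)` pointer in the `debug2: key:` lines quoted above. It assumes a POSIX sh with head, grep and sed; the directory layout and log lines used in comments are constructed.

```sh
#!/bin/sh
# Print, one per line, every private key in DIR (default ~/.ssh) that has
# no DIR/<name>.pub next to it. ssh uses the .pub to recognise a key it has
# already offered; without it, a failed publickey attempt ends in a
# passphrase prompt for the private key even when the agent holds it.
# A file counts as a private key if its first line is a PEM/OpenSSH
# "-----BEGIN ... PRIVATE KEY-----" header (encrypted keys included).
find_missing_pubkeys() {
    dir="${1:-$HOME/.ssh}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        head -n 1 "$f" 2>/dev/null | grep -q 'BEGIN .*PRIVATE KEY' || continue
        [ -f "$f.pub" ] && continue
        printf '%s\n' "$f"
    done
}

# Read `ssh -vv` output on stdin and print the path of each identity that
# ssh listed but could not load, i.e. lines of the form
#   debug2: key: /home/user/.ssh/id_dsa (0x0)
# (constructed example). Identities that loaded carry a non-zero pointer
# such as (0x108ce0) and are not reported.
phantom_keys_from_log() {
    sed -n 's/^debug2: key: \(.*\) (0x0)$/\1/p'
}

# Example run (assumed directory name, constructed for illustration):
#   find_missing_pubkeys /home/user/.ssh
#   ssh -vv host 2>&1 | phantom_keys_from_log
```

For each path reported, the missing file can be regenerated once with `ssh-keygen -y -f <key> > <key>.pub` (this asks for the passphrase a single time), after which ssh can identify the key without decrypting it.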
Comment 2 Damien Miller 2009-02-23 13:36:29 AEDT
Close bugs fixed/reviewed for openssh-5.2 release