Bug#507478: ssh-client: ssh-RSA-auth-keys larger than 4609 bits fail to authenticate.
Package: openssh-client
Version: 1:5.1p1-4
Severity: normal
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (700, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-client depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii dpkg 1.14.23 Debian package management system
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libedit2 2.11~20080614-1 BSD editline and history libraries
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libncurses5 5.6+20080830-1 shared libraries for terminal hand
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii passwd 1:4.1.1-6 change and administer password and
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility
Versions of packages openssh-client suggests:
pn keychain <none> (no description available)
pn libpam-ssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- no debconf information
When generating an SSH RSA key by invoking "ssh-keygen -b 4862" and afterwards copying/appending the public key to the .ssh/authorized_keys file on a remote server, the remote server still asked for a password. When using the same private key on a Macintosh laptop, no password is asked.
I tried to pin down the error, and found that the lower limit of non-working key sizes is 4610 bits. I also found an error in the /var/log/auth.log file:
RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
which corresponds to:
$ openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
at which point I feel too overwhelmed to resolve this any further.
Is this bug reproducible?
Thanks
Sebastian
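
Added example, not part of the original report: a small auth.log triage script that finds the "RSA_public_decrypt failed" message quoted above and unpacks the hex error code into the lib/func/reason fields, using the packed layout of pre-3.0 OpenSSL error codes (8 bits library, 12 bits function, 12 bits reason). The sample log lines, host name, PIDs and the names `unpack` and `triage` are constructed for illustration; the one error name in the lookup table is taken from the `openssl errstr` output above.

```python
import re
from collections import Counter

# Matches the sshd message quoted in the report, with or without the
# trailing lib(..):func(..):reason(..) fields.
LINE_RE = re.compile(
    r"RSA_public_decrypt failed: error:(?P<code>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)

# Name taken from the `openssl errstr 0407006A` output in the report.
KNOWN = {
    (4, 112, 106): "rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01",
}


def unpack(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(lines):
    """Count decoded errors; collect lines whose printed fields disagree with the code."""
    seen, inconsistent = Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        triple = unpack(m.group("code"))
        if m.group("lib") is not None:
            printed = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
            if printed != triple:
                inconsistent.append(line)
                continue
        seen[KNOWN.get(triple, "lib(%d):func(%d):reason(%d)" % triple)] += 1
    return seen, inconsistent


# Constructed sample lines (syslog prefix, host and PIDs are made up).
SAMPLE = [
    "Dec  1 10:00:01 host sshd[1234]: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)",
    "Dec  1 10:00:05 host sshd[1234]: Failed password for user from 192.0.2.10 port 50000 ssh2",
    "Dec  1 10:02:00 host sshd[1240]: RSA_public_decrypt failed: error:0407006A",
    "Dec  1 10:03:00 host sshd[1241]: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(107)",
]

if __name__ == "__main__":
    counts, bad = triage(SAMPLE)
    for name, n in counts.items():
        print(n, name)
    print("inconsistent lines:", len(bad))
```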