
Bug#801150: openssh-client: PubkeyAuthentication not working when ~/.ssh/id_rsa.pub is present

retitle 801150 PubkeyAuthentication not working when ~/.ssh/id_rsa.pub is present

(I'll let you adjust the severity as you see fit)

Hi Colin, thanks for your prompt answer!

Colin Watson <cjwatson@debian.org> wrote:

> Do you have a good reason to still be using the RSAAuthentication
> option?  It's protocol 1 only, which has been obsolete for a decade or
> so, and your -vv transcript shows that you're using protocol 2 so
> RSAAuthentication cannot possibly work.  Since you're communicating with
> a server version that is substantially less than a decade old, there
> should be no reason to try to use protocol 1 with it.  The protocol 2
> equivalent is PubkeyAuthentication.

Ah, right, then I meant PubkeyAuthentication, sorry for the confusion.

> You will of course need to make sure that you aren't using an RSA1 key
> (ssh-keygen -t rsa1 vs. -t rsa).

I generated a new key with '-t rsa' but it doesn't change anything.
After some trial and error, I determined that authentication works iff I
rename ~/.ssh/id_rsa.pub to something else (e.g., 'disabled.pub', or
move it to a different directory). This is on the client, of course.

I got this idea because ssh-add(1) now says:

  After loading a private key, ssh-add will try to load
  corresponding certificate information from the filename obtained by
  appending -cert.pub to the name of the private key file.

so I first tried id_rsa-cert.pub, then found out that anything other
than ~/.ssh/id_rsa.pub appears to work. BTW, I have no idea what this
new -cert.pub suffix is about.

If you think this would be useful, I can send you logs of the sshd
server in debug mode by private mail.

Thanks for your support.

