Bug#939976: After unattended Upgrade of openssh-server from Release 1:7.4p1-10+deb9u6 to 1:7.4p1-10+deb9u7 no more Public Key Auth if 8K key is used
Package: openssh-server
Severity: normal
Tags: stretch
Steps to Reproduce:
1) Have a Debian Stretch amd64 in place
2) Have the packages openssh-* of previous release 1:7.4p1-10+deb9u6 installed:
apt install openssh-server=1:7.4p1-10+deb9u6 openssh-sftp-server=1:7.4p1-10+deb9u6 openssh-client=1:7.4p1-10+deb9u6
3) Have an 8k and a 16k ssh-key pair in place and install the public key on the test system
4) Login with the 8k private key: ssh -i /home/myhome/.ssh/id_rsa_8k
Result: login successful with public key authentication
5) Login with the 16k private key: ssh -i /home/myhome/.ssh/id_rsa_16k
Result: login successful with public key authentication
6) upgrade openssh-* packages to current release 1:7.4p1-10+deb9u7:
apt install openssh-server=1:7.4p1-10+deb9u7 openssh-sftp-server=1:7.4p1-10+deb9u7 openssh-client=1:7.4p1-10+deb9u7
7) Login with the 8k private key: ssh -i /home/myhome/.ssh/id_rsa_8k
Result: login fails: Permission denied (publickey).
8) Login with the 16k private key: ssh -i /home/myhome/.ssh/id_rsa_16k
Result: login successful with public key authentication
Colleagues of mine use 4k key pairs, which work fine with the current openssh-* release 1:7.4p1-10+deb9u7.
Please have a look.
Thank you,
Jürgen
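The report above turns on the RSA key size accepted by the server, so the first thing an administrator wants after such an upgrade is an inventory of which keys in authorized_keys are RSA and how large their moduli are. The script below is an added example, not part of the bug report and not OpenSSH or Debian code: it parses the ssh-rsa wire format (three length-prefixed strings: key type, exponent e, modulus n) straight from the base64 blob, so it needs no ssh-keygen and runs offline. The sample authorized_keys content is constructed in the script with synthetic moduli of the stated sizes; they are not real keys.

```python
import base64
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, offset):
    """Read one SSH wire-format string from blob at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_pubkey_bits(b64_blob):
    """Return the modulus bit length of a base64 'ssh-rsa' blob, or None for other key types."""
    blob = base64.b64decode(b64_blob)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)        # public exponent, not needed for the size
    n_bytes, _ = _read_string(blob, off)     # modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_authorized_keys(text):
    """Return [(keytype, bits_or_None, comment)] for every key line in authorized_keys text.

    Blank lines and '#' comments are skipped. An options prefix such as from="..."
    is tolerated by scanning for the key-type token (options containing spaces inside
    quotes are not handled by this simple split).
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                keytype, blob = tok, fields[i + 1]
                comment = " ".join(fields[i + 2:])
                break
        else:
            continue  # no recognisable key-type token on this line
        bits = rsa_pubkey_bits(blob) if keytype == "ssh-rsa" else None
        results.append((keytype, bits, comment))
    return results


def rsa_sizes_by_comment(text):
    """Map each RSA key's comment to its modulus size, for a quick post-upgrade inventory."""
    return {c: b for t, b, c in parse_authorized_keys(text) if t == "ssh-rsa"}


def make_rsa_line(bits, comment):
    """Build a syntactically valid ssh-rsa line with a CONSTRUCTED modulus of `bits` bits.

    The modulus is 2^(bits-1) + 1: the right size for exercising the parser, but not a
    real key and not usable for authentication.
    """
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample file mirroring the sizes mentioned in the report (4k, 8k, 16k).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    make_rsa_line(4096, "colleague-4k"),
    'from="192.0.2.0/24" ' + make_rsa_line(8192, "jurgen-8k"),
    make_rsa_line(16384, "jurgen-16k"),
])

if __name__ == "__main__":
    for keytype, bits, comment in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{keytype:12} {bits or '-':>6} {comment}")
```

Pointing `parse_authorized_keys` at the contents of a real `~/.ssh/authorized_keys` lists every RSA key with its modulus size, which is enough to see at a glance which accounts depend on keys of a size that behaved differently across the two package releases.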