Re: ssh-add no longer accepts passphrase
On Wed, Aug 6, 2025 at 12:19 AM Alain D D Williams <addw@phcomp.co.uk> wrote:
>
> In my investigations I did read a note somewhere that the only error that is
> given is "Bad passphrase" no matter what the error really is. This is crap
> coding of the highest order (high as in 'it stinks'), it is unfortunately all
> too common in a lot of s/ware - little effort made to give meaningful error
> messages.

I'm not sure it's the correct answer for this specific situation, but
in many sensitive authentication situations this is actually by
design.

The classic example is that you can check if someone has registered
their account at a "sensitive" website (whatever is sensitive or
illegal in your country) by just trying an email and a random
password. If the account exists it may show "Wrong password" and if it
doesn't it may show "No such user". Bingo, now you know if your
person-of-interest uses that website or not.
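
The difference described in the message above, as an added example that is not part of the original post: a login check that returns distinct errors beside one that returns a single message and does the same hashing work for known and unknown accounts. The user store, function names and the uniform message text are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash a real site would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.org": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown email costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """Distinct messages: the response reveals whether the account exists."""
    if email not in USERS:
        return "No such user"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """One message and one code path for unknown user and wrong password."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check stops the dummy record from ever authenticating.
    if matches and email in USERS:
        return "OK"
    return "Invalid email or password"
```
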