On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
> that doesn't match the private key file ~/.ssh/id_rsa, it will fail with
> "Permission denied (publickey)."
Why would you do that?
It seems weird to me that a public key on the client side is taken into
account, when it works well without.
The pubkey authentication works in two steps.
* The first one is verification with the public key only (a cheap, fast
operation, which does not require decoding your private key or entering
the pass-phrase).
* If the first succeeds (or there is no corresponding public key),
then the server verifies whether you have the corresponding private key. If you
provide a signature with a different private key, the server will fail to verify
the signature and authentication fails.
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
It is certainly a misconfiguration, but the client should probably validate
what data it sends. I played with a similar issue a few weeks ago. If I
am right, it worked the same way in recent openssh versions. But I would
not consider this as a high priority.
--
Jakub Jelen
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
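The client-side situation described in this thread (a stale ~/.ssh/id_rsa.pub lying next to ~/.ssh/id_rsa, so step one of the exchange is offered with one key and step two is signed with another) can be caught before ssh ever runs. The following is an added example, not code from the thread or from OpenSSH; it assumes ssh-keygen is installed and takes the key paths as arguments instead of the fixed ~/.ssh/id_rsa.

```shell
#!/bin/sh
# Added example: confirm that a .pub file is the public half of a given
# private key, i.e. that the key offered in step 1 (send_pubkey_test) is the
# same key the client will sign with in step 2. Assumes ssh-keygen exists.
set -u

# Keep only "type base64blob" from a public key line, dropping the comment,
# so two copies of the same key compare equal regardless of "user@host".
key_material() {
    awk '{print $1, $2}'
}

# check_keypair PRIVATE_KEY PUBLIC_KEY
# Returns 0 if PUBLIC_KEY matches the public half derived from PRIVATE_KEY,
# 1 on mismatch, 2 if the private key cannot be read (bad path, passphrase).
check_keypair() {
    priv=$1; pub=$2
    derived=$(ssh-keygen -y -f "$priv" 2>/dev/null | key_material)
    [ -n "$derived" ] || return 2
    given=$(key_material < "$pub")
    if [ "$derived" = "$given" ]; then
        echo "OK: $pub matches $priv ($(ssh-keygen -lf "$pub" | awk '{print $2}'))"
        return 0
    fi
    echo "MISMATCH: $pub is not the public half of $priv" >&2
    echo "  derived from private key: $(printf '%s\n' "$derived" | ssh-keygen -lf /dev/stdin | awk '{print $2}')" >&2
    echo "  stale public key file:    $(ssh-keygen -lf "$pub" | awk '{print $2}')" >&2
    return 1
}

# Demo with constructed keys: a matching pair, then a foreign .pub placed
# beside the private key, which is exactly the mismatch the thread describes.
demo() {
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_a"
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_b"
    check_keypair "$tmp/id_a" "$tmp/id_a.pub"        # matching pair: returns 0
    check_keypair "$tmp/id_a" "$tmp/id_b.pub" || :   # foreign .pub: returns 1
}

command -v ssh-keygen >/dev/null 2>&1 && demo
```

For the thread's exact case, run `check_keypair ~/.ssh/id_rsa ~/.ssh/id_rsa.pub`; a non-zero result explains the "Permission denied (publickey)" before any server log is consulted.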