2016-04-19 15:18 GMT+02:00 Jakub Jelen <jjelen@xxxxxxxxxx>:

> On 04/19/2016 02:04 PM, Elouan Keryell-Even wrote:
>
>> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
>> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
>> “Permission denied (publickey).”
>>
> Why would you do that?

Well it just happened to me, though not in that order. I had old keys id_rsa & id_rsa.pub files in my .ssh directory. I uploaded a new id_rsa private key file (generated on another machine) to replace the old one. However, the id_rsa.pub stayed the same, and I spent a looot of time to figure out it was the cause of my problem.

>> It seems weird to me that a public key on the client side is taken into
>> account, when it works well without.
>>
> The pubkey authentication works in two steps.
> * The first one is verification only with public key (cheap fast
> operation, which does not require to decode your private key and to enter
> pass-phrase).
> * If the first succeeds (or there is no corresponding public key) then
> the server verifies if you have corresponding private key. If you provide
> signature with different private key, server will fail to verify the
> signature and fails.

Ok, I understand better now. I guess my mistake was to upload only the private key on the client side, while I should have uploaded both keys (wiping out the unnecessary old config which was causing trouble).

>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /root/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey
>>
> It is certainly misconfiguration, but client should probably validate
> what data it sends. I played with a similar issue a few weeks ago. If I am
> right, it worked the same way in recent openssh versions. But I would not
> consider this as a high priority.

Thank you Jakub,
Elouan

> --
> Jakub Jelen
> Security Technologies
> Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
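
Added example (not part of the thread, and not OpenSSH code): a check for the situation described above, where a stale id_rsa.pub sits next to a replaced id_rsa. It assumes the private key is in the openssh-key-v1 format ("BEGIN OPENSSH PRIVATE KEY"), which stores the public key blob unencrypted, so no passphrase is needed; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def embedded_public_blob(private_text):
    """Return the public key blob stored in the clear inside the private key file."""
    body = "".join(l for l in private_text.splitlines() if l and not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = _read_string(raw, off)
    (nkeys,) = struct.unpack_from(">I", raw, off)
    if nkeys != 1:
        raise ValueError("expected exactly one key")
    blob, _ = _read_string(raw, off + 4)
    return blob

def pub_file_blob(pub_line):
    """Decode the base64 field of a '<type> <base64> [comment]' .pub line."""
    return base64.b64decode(pub_line.split()[1])

def pub_matches_private(private_text, pub_line):
    """True when the .pub line carries the same key as the private key file."""
    return embedded_public_blob(private_text) == pub_file_blob(pub_line)

def _s(b):
    return struct.pack(">I", len(b)) + b

def make_sample(tag):
    """Constructed sample: structurally valid files filled with dummy bytes, not real keys."""
    blob = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(tag * 32)
    raw = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(blob) + _s(b"\x00" * 8)
    priv = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
    return priv, "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    new_priv, new_pub = make_sample(b"\x01")   # key pair copied over together
    _, stale_pub = make_sample(b"\x02")        # old .pub left behind
    print("matching pair:", pub_matches_private(new_priv, new_pub))
    print("stale .pub:   ", pub_matches_private(new_priv, stale_pub))
```

For a PEM-format private key, which this parser rejects, `ssh-keygen -y -f ~/.ssh/id_rsa` prints the derived public key and can be compared against id_rsa.pub in the same way.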