Re: Client-side public key causing mess

On Tue, 19 Apr 2016, Elouan Keryell-Even wrote:

> Hello,
> 
> I have a client machine and a server machine. I generated a pair of
> private-public rsa keys using ssh-keygen.
> 
> On the client-machine, I uploaded my private key onto ~/.ssh/id_rsa
> 
> On the server machine, I appended the content of the public key to
> .ssh/authorized_keys
> 
> I can successfully connect from the client to the server with that config.
> 
> However, on the client-side, if I add a ~/.ssh/id_rsa.pub public key file
> that doesn’t match the private key file ~/.ssh/id_rsa, it will fail with
> “Permission denied (publickey).”
> 
> Error on the server-side (sshd logs):
> 
> error: RSA_public_decrypt failed:
> error:0407006A:lib(4):func(112):reason(106)

ssh uses the public key to avoid loading or decrypting the private
key for cases where it isn't necessary. We should improve the handling
of cases where they don't match.

diff --git a/sshconnect2.c b/sshconnect2.c
index 1cf48a2..5a27392 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1243,6 +1243,14 @@ load_identity_file(Identity *id)
 			quit = 1;
 			break;
 		}
+		if (private != NULL && id->key != NULL &&
+		    !sshkey_equal(id->key, private)) {
+			error("Load key \"%s\": private key does not match "
+			    "public key", id->filename);
+			sshkey_free(private);
+			private = NULL;
+			quit = 1;
+		}
 		if (!quit && private != NULL && id->agent_fd == -1 &&
 		    !(id->key && id->isprivate))
 			maybe_add_key_to_agent(id->filename, private, comment,
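Review bot: The error added at the `!sshkey_equal(id->key, private)` check names only id->filename, while in the reported case the file the user has to fix is the public key that was loaded into id->key; consider wording the message so it points at the public key file as the likely stale half. The block also has no comment saying why a mismatch sets quit = 1 and frees the private key instead of proceeding with the private key alone, which is worth a line since the private key is the authoritative half of the pair. If id->key can ever hold a certificate rather than a plain public key, confirm that sshkey_equal() still matches it against the plain private key.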
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
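
The mismatch described in this thread can be checked for on the client before it causes a failed login. The following is an added example, not part of the original post or of OpenSSH: it derives the public key from each private key with `ssh-keygen -y` and compares it with the sibling `.pub` file. The function names `check_keypair` and `audit_ssh_dir` are hypothetical, and passphrase-protected keys will prompt.

```shell
#!/bin/sh
# Added example (not OpenSSH code): find .pub files that do not match the
# private key next to them, the condition reported in this thread.

# check_keypair PRIVATE_KEY [PUBLIC_KEY]
# Returns 0 on match, 1 on mismatch, 2 if a file cannot be read or parsed.
check_keypair() {
    kp_priv=$1
    kp_pub=${2:-$1.pub}
    [ -r "$kp_priv" ] && [ -r "$kp_pub" ] || return 2
    # Re-derive the public key from the private key itself.
    kp_out=$(ssh-keygen -y -f "$kp_priv") || return 2
    # Compare key type and base64 blob only; the trailing comment may differ.
    kp_derived=$(printf '%s\n' "$kp_out" | awk 'NR==1 {print $1, $2}')
    kp_stored=$(awk 'NR==1 {print $1, $2}' "$kp_pub")
    [ -n "$kp_derived" ] || return 2
    [ "$kp_derived" = "$kp_stored" ]
}

# audit_ssh_dir [DIR]
# Prints one line per stale .pub file; return status is the mismatch count.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        # Certificates are not plain public keys; skip them.
        case $pub in *-cert.pub) continue ;; esac
        priv=${pub%.pub}
        [ -f "$priv" ] || continue
        rc=0
        check_keypair "$priv" "$pub" || rc=$?
        case $rc in
            0) ;;
            1) echo "MISMATCH: $pub does not belong to $priv"
               bad=$((bad + 1)) ;;
            *) echo "SKIPPED: could not check $priv" >&2 ;;
        esac
    done
    return "$bad"
}
```

Run `audit_ssh_dir` with no argument to check `~/.ssh`; a stale `.pub` file it reports can be regenerated with `ssh-keygen -y -f <private key> > <private key>.pub`.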



