On 05/12/2024 10:16, Jochen Bern wrote:
> Wouldn't the extra output, even in cases where a different keypair
> succeeds later on, threaten to hose applications that expect the
> connection to be transparent (or fail completely)? As in, rsync, git,
> etc.?

I don't think it would be a problem. There are many other cases where
the ssh client inserts messages in normal operation, such as saying the
host key is unknown and prompting you to accept it, or
password/passphrase/keyboard-interactive authentication.
Also, the remote host itself can generate extra messages on stderr: on a
git push/pull for example, I often get messages such as what URL to use
to make a merge request. Any reasonable client is going to pass these
through.

> *If* the login fails *altogether*, however, doing a "post mortem" and
> adding a line to the effect of "oh, by the way, *one* of the keypairs
> failed only because of rare condition XY" could still be helpful.

That would be good enough. Something like "One or more keypairs could
not be used because no mutual signature algorithm". Ideally it would be
shown *before* the password prompt when falling back to password auth
after key auth has failed.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
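Today the condition discussed in the thread is visible only in the client's debug output, where OpenSSH's sshconnect2.c logs "Offering public key: ..." for a key and then "send_pubkey_test: no mutual signature algorithm" when client and server share no signature algorithm for it. The shell function below is an added example (not code from the thread or from OpenSSH): it reads `ssh -v` output, pairs those two debug1 lines, and prints the kind of post-mortem line Jochen asks for, naming the key that was skipped. It assumes that debug1 wording is stable; the sample log, host, user and key paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of OpenSSH.  Pairs two OpenSSH client debug1 lines:
#   debug1: Offering public key: <path> <type> <fingerprint> [explicit|agent]
#   debug1: send_pubkey_test: no mutual signature algorithm
# and reports which key could not be used.  The wording is assumed to match
# what sshconnect2.c emits under -v.
#
# Usage (debug output is on stderr, so swap the streams before piping):
#   ssh -v -o BatchMode=yes user@host true 2>&1 >/dev/null | report_unusable_keys
# Exit status: 0 if at least one unusable key was reported, 1 otherwise.
report_unusable_keys() {
    awk '
        /^debug1: Offering public key: / {
            # Fields 5 and 6 are the key path (or the agent entry) and its type.
            key = $5; type = $6
            next
        }
        /no mutual signature algorithm/ && key != "" {
            printf "unusable key: %s (%s): no mutual signature algorithm\n", key, type
            key = ""; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of ssh -v output: the RSA key is rejected for lack of a
# mutual signature algorithm, the Ed25519 key is accepted.  Fingerprints,
# paths and host are made up.
SAMPLE_LOG='debug1: Will attempt key: /home/alice/.ssh/id_rsa RSA SHA256:constructedRSA explicit
debug1: Will attempt key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:constructedED explicit
debug1: Next authentication method: publickey
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:constructedRSA explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:constructedED explicit
debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:constructedED explicit'

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | report_unusable_keys
```

Because the skipped key and the accepted key are both reported only at debug level, running the wrapper once against a host that unexpectedly fell back to a password prompt is the quickest way to confirm that a key was dropped for this reason rather than simply not being in authorized_keys.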