openssh bugs - Sep 2017 - [Bug 2776] New: SSH ignores explicitly specified id_rsa if id_rsa.pub doesn't match

https://bugzilla.mindrot.org/show_bug.cgi?id=2776

            Bug ID: 2776
           Summary: SSH ignores explicitly specified id_rsa if id_rsa.pub
                    doesn't match
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: carlpaten at gmail.com

Note: throughout this report, I'm using "id_rsa" (resp.
"id_rsa.pub")
as a stand-in for the default private (resp. public) key file.

What this issue looks like when you run into it:

    me at myHost:~$ cp -p .ssh/id_rsa .ssh/id_rsa2
    me at myHost:~$ ssh -i .ssh/id_rsa remoteHost # doesn't work           
    me at myHost:~$ ssh -i .ssh/id_rsa2 remoteHost # works

The only hint of exactly what is wrong (running with -v):

    debug1: Offering RSA public key: .ssh/id_rsa

versus

    debug1: Trying private key: .ssh/id_rsa2

The cause: id_rsa.pub doesn't match id_rsa. The client offers
id_rsa.pub to the remote host, is refused, and concludes that id_rsa
won't match.

Expected behaviour: the client should not assume that id_rsa.pub
matches id_rsa. Either this could be checked, or id_rsa.pub could be
generated from id_rsa every time.

(This might seem like a trivial problem, but it took me and a colleague
more than two hours to zero in on this and figure out. That looks
vaguely like a lower bound if you consider the relevant ServerFault
submissions.)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2776

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
We added an explicit error for that recently. It still refuses to
accept the key (by intention), but it tells you:

https://anongit.mindrot.org/openssh.git/commit/?id=c4972d0a9bd6f898462906b4827e09b7caea2d9b

That change will be in the openssh-7.6 release

*** This bug has been marked as a duplicate of bug 2737 ***

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2776

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.