bugzilla-daemon at mindrot.org
2025-Jul-10 11:34 UTC
[Bug 3847] New: ssh client should *not* refuse pubkey authentication with RSA keys if the key *explicite* provided
https://bugzilla.mindrot.org/show_bug.cgi?id=3847

            Bug ID: 3847
           Summary: ssh client should *not* refuse pubkey authentication with RSA keys if the key *explicite* provided
           Product: Portable OpenSSH
           Version: 9.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: szaszg at hu.inter.net

When we want to use an SSH-RSA public key for authentication, ssh (and sftp, scp) silently ignores our public key.

e.g.:
ssh -i ~/.ssh/id_rsa user@ssh.host -p port

We just get a password prompt after a while. There is no sign of why pubkey authentication did not succeed. Even at debug level 3 there is no sign:

debug1: Will attempt key: /home/gergely/.ssh/id_rsa RSA SHA256:5T78zZgjVHggLl0uLsV0c+JgW+IYTCyzRknXIc4tnGY explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

On the server we see that the client never tries pubkey:

grep 'input_userauth_request' server-log-file
Jul 10 12:30:58 etl-app08 sshd[25252]: debug2: input_userauth_request: setting up authctxt for user [preauth]
Jul 10 12:30:58 etl-app08 sshd[25252]: debug2: input_userauth_request: try method none [preauth]
Jul 10 12:31:14 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]
Jul 10 12:31:15 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]
Jul 10 12:31:15 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]

The client should use an RSA key if explicitly provided (with -i) even if it is "deprecated". Or at minimum it should emit a WARNING that the program will not use the given public key.

And the minimum-minimum-minimum is that at debug level 1, we should see a clear message that the public key is not being used because it believes this type of key is outdated and insecure but can be enabled this way and that way...

--
You are receiving this mail because:
You are watching the assignee of the bug.
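[Added example, not part of the original message or of OpenSSH] The server-side check from the report above (grep for input_userauth_request) as a small script that groups the requested authentication methods per sshd PID and lists sessions in which publickey was never requested. It assumes sshd logs at debug2 as in the report; the PID 25300 session is constructed for contrast.

```python
import re
from collections import defaultdict

# The five sshd lines quoted in the report above (PID 25252).
REPORT_LINES = """\
Jul 10 12:30:58 etl-app08 sshd[25252]: debug2: input_userauth_request: setting up authctxt for user [preauth]
Jul 10 12:30:58 etl-app08 sshd[25252]: debug2: input_userauth_request: try method none [preauth]
Jul 10 12:31:14 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]
Jul 10 12:31:15 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]
Jul 10 12:31:15 etl-app08 sshd[25252]: debug2: input_userauth_request: try method password [preauth]
"""

# Constructed contrast session (PID 25300, not from the report): a client
# that does send publickey requests.
CONSTRUCTED_LINES = """\
Jul 10 12:40:02 etl-app08 sshd[25300]: debug2: input_userauth_request: try method none [preauth]
Jul 10 12:40:02 etl-app08 sshd[25300]: debug2: input_userauth_request: try method publickey [preauth]
Jul 10 12:40:03 etl-app08 sshd[25300]: debug2: input_userauth_request: try method publickey [preauth]
"""

TRY_METHOD = re.compile(
    r"sshd\[(?P<pid>\d+)\]: debug2: input_userauth_request: try method (?P<method>\S+)"
)


def methods_by_session(log_text):
    """Map sshd PID -> ordered list of auth methods the client requested."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = TRY_METHOD.search(line)
        if m:  # the "setting up authctxt" line carries no method and is skipped
            sessions[m.group("pid")].append(m.group("method"))
    return dict(sessions)


def sessions_without_publickey(log_text):
    """PIDs where the client tried a real method but never sent publickey.

    Sessions that only sent the initial "none" probe are not reported.
    """
    return sorted(
        pid for pid, methods in methods_by_session(log_text).items()
        if "publickey" not in methods and set(methods) - {"none"}
    )


if __name__ == "__main__":
    log = REPORT_LINES + CONSTRUCTED_LINES
    for pid, methods in methods_by_session(log).items():
        print(pid, " -> ".join(methods))
    print("never tried publickey:", sessions_without_publickey(log))
```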
bugzilla-daemon at mindrot.org
2025-Jul-10 17:29 UTC
[Bug 3847] ssh client should *not* refuse pubkey authentication with RSA keys if the key *explicite* provided
https://bugzilla.mindrot.org/show_bug.cgi?id=3847

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Unfortunately your client log doesn't include the information we need. Could you please attach a full log from the client?

Also, can you reproduce this problem with a more recent version?