bugzilla-daemon at bugzilla.mindrot.org
2008-Sep-19 18:51 UTC
[Bug 1526] New: SSH key prompt if public key missing and pubkey auth fails
https://bugzilla.mindrot.org/show_bug.cgi?id=1526

           Summary: SSH key prompt if public key missing and pubkey auth fails
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P4
         Component: ssh-agent
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: vgiffin at apple.com

If the public key corresponding to an SSH private key is not in ~/.ssh and public key authentication fails, ssh will ask for your key's password, even if it has already been added to ssh-agent.

Steps to Reproduce:
1. Place an SSH private key with an associated password in ~/.ssh/.
2. Remove the corresponding .ssh/id_dsa.pub file.
3. SSH somewhere where the public key is authorized.
4. SSH somewhere where the public key is unauthorized.

Expected Results:
The public key authentication fails.

Actual Results:
A prompt appears requesting your key password.

Regression:
The password prompt does not appear if public-key auth is disabled (e.g. "ssh -o PreferredAuthentications=password").

Notes:
When the public key file is missing, it seems SSH somehow thinks there's a "phantom" key present, for which it's prompting.

With id_dsa.pub present, ssh -vv prints:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108680)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

With it absent, you get:

debug2: key: /Users/nicholas/.ssh/id_dsa (0x108ce0)
debug2: key: /Users/nicholas/.ssh/id_rsa (0x103280)
debug2: key: /Users/nicholas/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/nicholas/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/nicholas/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/nicholas/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
[dialog appears here]

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21 09:12 UTC
[Bug 1526] SSH key prompt if public key missing and pubkey auth fails
https://bugzilla.mindrot.org/show_bug.cgi?id=1526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2009-01-21 20:12:20 ---
I believe that this is not fixable - ssh needs the public key to determine whether or not a particular key has been tried, but it cannot extract this from a private key without decrypting it first, therefore it needs to ask for the passphrase.
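
Since the report shows no prompt when id_dsa.pub sits beside the private key, a client-side check for private keys without a matching .pub file catches this condition before it turns into an unexpected passphrase dialog. The script below is an added example, not part of the bug thread or of OpenSSH; the function names and the PEM-header test for "is a private key" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): find private keys that have no
# "<key>.pub" next to them, the condition reported in this bug.

# Print every private key file in directory $1 that lacks "<file>.pub".
find_keys_missing_pub() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        case $f in *.pub) continue ;; esac
        # Assumption: a private key file starts with a PEM armour line,
        # e.g. "-----BEGIN DSA PRIVATE KEY-----".
        first=
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case $first in
            "-----BEGIN "*"PRIVATE KEY-----") ;;
            *) continue ;;
        esac
        [ -f "$f.pub" ] || printf '%s\n' "$f"
    done
    return 0
}

# Recreate the .pub for key $1. "ssh-keygen -y" has to decrypt the private
# key, so it asks for the passphrase once, here, instead of at login time.
restore_pub() {
    if ssh-keygen -y -f "$1" > "$1.pub.tmp"; then
        mv "$1.pub.tmp" "$1.pub"
    else
        rm -f "$1.pub.tmp"
        return 1
    fi
}

# Usage: sh check_pub.sh ~/.ssh   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    find_keys_missing_pub "$1"
fi
```

Run restore_pub on each path the check prints; the passphrase is requested once per key, when the .pub file is regenerated.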
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:36 UTC
[Bug 1526] SSH key prompt if public key missing and pubkey auth fails
https://bugzilla.mindrot.org/show_bug.cgi?id=1526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-02-23 13:36:29 ---
Close bugs fixed/reviewed for openssh-5.2 release