bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-17 19:28 UTC
[Bug 1981] New: Trying to use ssh with a missing identity file gives no warnings
https://bugzilla.mindrot.org/show_bug.cgi?id=1981
Bug #: 1981
Summary: Trying to use ssh with a missing identity file gives no warnings
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: mindrot.org at ch.pkts.ca

I attempted to set up a ~/.ssh/config entry that said

    Host firewall-link
    Hostname firewall.example.com
    IdentityFile /Home/username/.ssh/id_rsa_vpn
    User vpnuser

However, there was a typo in the IdentityFile line, so it specified the
wrong pathname (ie: no such file). Do you want to know how long it
took to track down this error? Too long!

You can only see the error message if you type 'ssh -d -d -d
firewall-link' (the maximum possible debug level), or use a system-call
tracing program (like strace) and compare good vs. bad sessions (if you
have a good one).

I'm unsure if this was a policy decision for security reasons ("Hide
failures"), but as it's an error on the client side, I fail to see the
security benefits of not printing "Identity file xxxxxxx not found" as
a warning just before moving on to the next authentication method.

Thanks!
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
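
A pre-flight check for the failure described in this report, as an added example that is not part of the original thread or of OpenSSH: it reads an ssh config file and reports every IdentityFile line whose path does not exist, which generalizes the single typo above to all Host blocks in the file. The function name `missing_identity_files` is hypothetical; the sketch assumes only a leading `~/` needs expanding, skips `none` and paths containing `%` tokens, and does not follow Include directives.

```shell
#!/bin/sh
# Added example: report IdentityFile entries in an ssh config whose path is missing.
# Usage: missing_identity_files [config_file]    (default: ~/.ssh/config)
# Exit status: 0 = all present, 1 = at least one missing, 2 = config unreadable.
missing_identity_files() {
    cfg="${1:-$HOME/.ssh/config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # awk prints "host-patterns<TAB>path" for every IdentityFile line.
    awk '
        BEGIN { host = "*" }                       # options before any Host line
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            n = match($0, /[ \t=]/)                # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))    # keywords are case-insensitive
            val = substr($0, n + 1)
            sub(/^[ \t=]+/, "", val)
            gsub(/^"|"$/, "", val)                 # drop surrounding quotes
        }
        key == "host"  { host = val; next }
        key == "match" { host = "Match " val; next }
        key == "identityfile" { printf "%s\t%s\n", host, val }
    ' "$cfg" | (
        status=0
        while IFS="$(printf '\t')" read -r host path; do
            case "$path" in
                none|*%*) continue ;;              # "none" or %-tokens: not checked
                "~/"*) path="$HOME/${path#??}" ;;  # expand a leading ~/
            esac
            if [ ! -e "$path" ]; then
                echo "$host: IdentityFile $path not found"
                status=1
            fi
        done
        exit "$status"
    )
}
```
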
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-08 23:24 UTC
[Bug 1981] Trying to use ssh with a missing identity file gives no warnings
https://bugzilla.mindrot.org/show_bug.cgi?id=1981
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2012-03-09 10:24:43 EST ---
That code was added a long time ago, but it doesn't seem to be a
deliberate decision to hide the error. I guess the question is: is a
non-existent identityfile always an error?
http://anoncvs.mindrot.org/index.cgi/openssh/sshconnect2.c?r1=1.34&r2=1.35
- markus at cvs.openbsd.org 2001/03/10 12:48:27
[sshconnect2.c]
ignore nonexisting private keys; report rjmooney at mediaone.net
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-08 23:41 UTC
[Bug 1981] Trying to use ssh with a missing identity file gives no warnings
https://bugzilla.mindrot.org/show_bug.cgi?id=1981

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2012-03-09 10:41:59 EST ---
djm points out that we'd only want to do this for explicitly specified
IdentityFiles, not the implicit default ones.
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-09 00:06 UTC
[Bug 1981] Trying to use ssh with a missing identity file gives no warnings
https://bugzilla.mindrot.org/show_bug.cgi?id=1981

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2012-03-09 11:06:58 EST ---
Created attachment 2136
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2136
warn for missing user-provided IdentityFiles

Please try the attached patch.
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-09 00:07 UTC
[Bug 1981] Trying to use ssh with a missing identity file gives no warnings
https://bugzilla.mindrot.org/show_bug.cgi?id=1981
Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1986