openssh bugs - Jan 2016 - [Bug 2523] New: An RSA private key file consistently gives "Badd Passphrase" errors, but worked before

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

            Bug ID: 2523
           Summary: An RSA private key file consistently gives "Badd
                    Passphrase" errors, but worked before
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-add
          Assignee: unassigned-bugs at mindrot.org
          Reporter: horsley1953 at gmail.com

The ~/.ssh/identity file I've been using can no longer be loaded into
the agent with the ssh-add program in my fedora 23 system which has:

openssh-clients-7.1p1-6.fc23.x86_64

The previous fedora 22 system with this version:

openssh-clients-6.9p1-9.fc22.x86_64

works fine with the same file.

File info:

The key size is 1024 bits.

The file header looks like:

zooty> od -c identity
0000000   S   S   H       P   R   I   V   A   T   E       K   E   Y    
0000020   F   I   L   E       F   O   R   M   A   T       1   .   1  \n

Naturally, this could be a bug in one of the zillion libraries loaded
by ssh-add or even a compiler bug, but I figured I'd start with ssh-add
since that's the program I run to get the error.

No doubt you'll want the actual file and passphrase, but it will take a
while for me to make sure I've switched to a new key everywhere before
I feel safe attaching that info here (and maybe someone else has
already tracked down this bug if I'm unbelievably lucky :-).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
opensssh-7.1 in Fedora is compiled without SSH1 support, because it is
long broken and outdated.

If you really need to use SSH1, there is openssh-clients-ssh1 [1]
package providing basic tools with SSH1 support (ssh1, scp1,
ssh-keygen1). I didn't packaged ssh-agent and ssh-add with SSH1
support, because it should be rescue package and not something you
should use regularly.

The announcement unfortunately somehow missed release notes [2]. I am
really sorry for confusing you, but I hope you will find your use case.

[1] http://koji.fedoraproject.org/koji/rpminfo?rpmID=7130736
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1285374

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

--- Comment #2 from Tom Horsley <horsley1953 at gmail.com> ---
A more descriptive error than "bad passphrase" would make this more
obvious :-).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
FYI, the error message is caused by not-handling openssl errors. Every
failure from openssl is considered as "bad passphrase" even though
there are reasonable status messages. 

It is independently filled as a bug #2522 [1]. Feel free to close this
bug as a duplicate of that one to bring some attention of developers.
You are not the only one who is confused of this behaviour.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2522

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2522
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
The patch in bug 2522 improves the error message somewhat (it says
"invalid format" now).


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2522
[Bug 2522] Key parser should reflect errors from OpenSSL
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523
Bug 2523 depends on bug 2522, which changed state.

Bug 2522 Summary: Key parser should reflect errors from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2522

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523
Bug 2523 depends on bug 2522, which changed state.

Bug 2522 Summary: Key parser should reflect errors from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2522

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Fixed as part of bug 2522:

commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Feb 10 04:34:50 2017 +0000

    upstream commit

    bring back r1.34 that was backed out for problems loading
    public keys:

    translate OpenSSL error codes to something more
    meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@

    with additional fix from Jakub Jelen to solve the backout.
    bz#2525 bz#2523 re-ok dtucker@

    Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031

*** This bug has been marked as a duplicate of bug 2522 ***

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523
Bug 2523 depends on bug 2522, which changed state.

Bug 2522 Summary: Key parser should reflect errors from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2522

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2523

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.