bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-27 06:12 UTC
[Bug 2700] New: Missing PEM identity_file should be a fatal error
https://bugzilla.mindrot.org/show_bug.cgi?id=2700
Bug ID: 2700
Summary: Missing PEM identity_file should be a fatal error
Product: Portable OpenSSH
Version: 7.2p2
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jg at jguk.org
ssh -i "me.pem" ubuntu at myserver33.net
Warning: Identity file me.pem not accessible: No such file or
directory.
Permission denied (publickey).
I can see there is a 3 second wait before the "Permission denied
(publickey)." which is the connection to the myserver33.net
My thought is that this should be a fatal error, not just a warning.
Another note, the error is not accurate, as only a file is expected. ie
if open() on the file fails, errno is ENOENT, then it should say "No
such file"
"Identity file me.pem not accessible: No such file."
Thank you, Jonny
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-27 06:36 UTC
[Bug 2700] Missing PEM identity_file should be a fatal error
https://bugzilla.mindrot.org/show_bug.cgi?id=2700
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to jg from comment #0)
> ssh -i "me.pem" ubuntu at myserver33.net
[...]
> My thought is that this should be a fatal error, not just a warning.
Well the connection may be able to succeed via some other key (eg from
an agent) or via another auth method (the client doesn't know what
methods the server will offer when it's parsing options).
As for whether a missing/unreadable key file should be a fatal error,
I'm not sure. I can imagine it breaking otherwise working configs.
> Another note, the error is not accurate, as only a file is expected.
> ie if open() on the file fails, errno is ENOENT, then it should say
> "No such file"
ENOENT is not that specific. If you specify a non-existent directory
(eg -i "/no/such/id") in which case that message would be wrong.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-27 06:57 UTC
[Bug 2700] Missing PEM identity_file should be a fatal error
https://bugzilla.mindrot.org/show_bug.cgi?id=2700
--- Comment #2 from jg at jguk.org ---
Hi Darren
Thank you for your reply.
Yes, working configurations that still work after a missing identity_file are specifically provided are impacted. I think if someone specifies a file, it is expected to find it.. so let's change it to fatal?
Re if a directory is specified, eg "my_dir"
I think "Identity file my_dir not accessible: No such file." is still accurate isn't it?
can use stat() to check if it is a file or dir, S_ISDIR etc, if really needed to give a secondary message to say:
"Identity file my_dir not accessible: Is a directory."
Other tools do handle correctly this situation:
$ objdump -d missing_file
objdump: 'missing_file': No such file
$ objdump -d my_dir
objdump: Warning: 'my_dir' is not an ordinary file
Added it to my blog
http://technoramauk.blogspot.com/2017/03/enoent-no-such-file-or-directory.html
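An added example, not part of the original thread and not OpenSSH code: a stand-alone pre-flight check that separates the cases discussed in comments #1 and #2 (missing file, missing directory component, path is a directory) using stat() and S_ISDIR, and exits non-zero so a wrapper script can treat an unusable -i path as fatal. The function name, status names and message strings are assumptions made for illustration.

```c
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum id_status { ID_OK, ID_NO_FILE, ID_NO_PARENT_DIR, ID_IS_DIR,
                 ID_NOT_REGULAR, ID_OTHER };

/* Hypothetical pre-flight helper; not an OpenSSH function. */
enum id_status check_identity_path(const char *path)
{
    struct stat st;
    char buf[4096];

    if (stat(path, &st) == 0) {
        if (S_ISDIR(st.st_mode))
            return ID_IS_DIR;            /* e.g. -i my_dir */
        if (!S_ISREG(st.st_mode))
            return ID_NOT_REGULAR;       /* device, FIFO, socket */
        return access(path, R_OK) == 0 ? ID_OK : ID_OTHER;
    }
    if (errno != ENOENT)
        return ID_OTHER;                 /* EACCES, ENOTDIR, ELOOP, ... */
    /* ENOENT covers a missing file and a missing directory component;
     * probing the parent directory tells the two apart. */
    if (strlen(path) >= sizeof(buf))
        return ID_OTHER;
    strcpy(buf, path);                   /* dirname() may modify its argument */
    if (stat(dirname(buf), &st) == 0 && S_ISDIR(st.st_mode))
        return ID_NO_FILE;               /* e.g. -i me.pem */
    return ID_NO_PARENT_DIR;             /* e.g. -i /no/such/id */
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "No such file",
        "No such directory in path", "Is a directory",
        "Not a regular file", "Not accessible" };
    int rc = 0;
    for (int i = 1; i < argc; i++) {
        enum id_status s = check_identity_path(argv[i]);
        printf("Identity file %s: %s\n", argv[i], msg[s]);
        if (s != ID_OK)
            rc = 1;                      /* caller can treat this as fatal */
    }
    return rc;
}
```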
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:31 UTC
[Bug 2700] Missing PEM identity_file should be a fatal error
https://bugzilla.mindrot.org/show_bug.cgi?id=2700
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |djm at mindrot.org
Resolution|--- |WONTFIX
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
We prefer the current behaviour for the reasons that Darren mentioned
and don't intend to change it.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:03 UTC
[Bug 2700] Missing PEM identity_file should be a fatal error
https://bugzilla.mindrot.org/show_bug.cgi?id=2700
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release