bugzilla-daemon at mindrot.org
2020-May-30 19:15 UTC
[Bug 3173] New: spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
Bug ID: 3173
Summary: spurious message about pubkey being invalid format
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: joe at joe-honton.com
Created attachment 3403
--> https://bugzilla.mindrot.org/attachment.cgi?id=3403&action=edit
verbose log of successful connection with load pubkey invalid format
message
After upgrading, I am receiving a warning from the client side of
OpenSSH during a successful connection to an OpenSSH Server.
load pubkey "/root/.ssh/digital-ocean-openssh": invalid format
My previous downstream OS was Fedora 31 (OpenSSH_8.1p1), where no such
message occurs. This begins to show up in Fedora 32 (OpenSSH_8.3p1).
The key file in question is an RSA private key in PEM format.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-31 10:52 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
Troels Arvin <troels at arvin.dk> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |troels at arvin.dk
bugzilla-daemon at mindrot.org
2020-May-31 14:30 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #1 from Troels Arvin <troels at arvin.dk> ---
It seems it's also seen with archlinux:
https://bugs.archlinux.org/task/66799
bugzilla-daemon at mindrot.org
2020-Jun-01 01:15 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Attachment #3403|application/octet-stream |text/plain
mime type| |
bugzilla-daemon at mindrot.org
2020-Jun-01 01:17 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Is there any corresponding /root/.ssh/digital-ocean-openssh.pub for the
/root/.ssh/digital-ocean-openssh private key?
bugzilla-daemon at mindrot.org
2020-Jun-01 03:02 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #3 from Joe Honton <joe at joe-honton.com> ---
There is no corresponding public key file. The public key is derived
from the private key.
bugzilla-daemon at mindrot.org
2020-Jun-01 03:12 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Private keys should have a corresponding pubkey file available as ssh
prefers to load and test the public key before loading the private key.
We might downgrade this error in a future release, but you can avoid it
either by converting that key to an OpenSSH-format private key file or
by making a standalone public key using
"ssh-keygen -yf /root/.ssh/digital-ocean-openssh > /root/.ssh/digital-ocean-openssh.pub"
bugzilla-daemon at mindrot.org
2020-Jun-01 05:16 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #5 from Joe Honton <joe at joe-honton.com> ---
I can confirm that creating a separate public key file causes the
message to go away. The command
"ssh-keygen -yf /root/.ssh/digital-ocean-openssh > /root/.ssh/digital-ocean-openssh.pub"
correctly created a public key file, and the ssh client found it without
any changes to the config file. Thank you.
I will just note however that there was never a need for a separate
private key in any previous version of Fedora prior to version 33. I
have been successfully using a configuration with just the private key
since Fedora 6.
I've just now verified my Debian (OpenSSH_7.9p1), Ubuntu
(OpenSSH_8.2p1), Windows (OpenSSH_7.3p1), and Mac (OpenSSH_7.9p1)
machines and see that they also have been working without separate
public key files.
bugzilla-daemon at mindrot.org
2020-Jun-01 06:17 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Sure - the error is new but ssh will continue to work as it always has:
suboptimally if any of the private key files have passphrases on them as
it may prompt for a passphrase on a key that has no chance at
authentication success
bugzilla-daemon at mindrot.org
2020-Jun-01 16:50 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #7 from Joe Honton <joe at joe-honton.com> ---
Since I'm using a continuous integration pipeline that slings code
around all day long using git, which uses SSH, I have been encountering
this warning hundreds of times a day. It was hard to see whether or not
my CI had any meaningful errors.
Is there a design rationale behind introducing this warning message now,
after all these years? Have I been doing something unsafe without
knowing it?
bugzilla-daemon at mindrot.org
2020-Jun-15 00:54 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
comm+openssh at squotd.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |comm+openssh at squotd.net
--- Comment #8 from comm+openssh at squotd.net ---
A standalone public key file does not make this go away.
The error comes from this:
https://github.com/openssh/openssh-portable/blob/3779b50ee952078018a5d9e1df20977f4355df17/sshkey.c#L3978
The buffer is being checked for "-----BEGIN OPENSSH PRIVATE KEY-----",
but it in fact (in my case) starts with "-----BEGIN RSA PRIVATE KEY-----"
The identical identity file using openssh 7.9p1 produces no warning.
I'll add an attachment with the bt.
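The two conditions raised in comments #4 and #8 (a legacy PEM header instead of the OpenSSH one, and a missing `.pub` sidecar) can be checked across a key directory. This is an added example, not part of the bug thread or of OpenSSH; the function names `key_format`, `audit_keys` and `demo` are hypothetical, and the sample files are constructed header-only stand-ins.

```shell
#!/bin/sh
# Added example: audit identity files for the conditions discussed in
# comments #4 (no matching .pub file) and #8 (non-OpenSSH PEM header).

# key_format FILE -> prints "openssh", "pem" or "other" from the first line.
key_format() {
    first=""
    IFS= read -r first < "$1" || [ -n "$first" ] || first=""
    cr=$(printf '\r')
    first=${first%"$cr"}            # tolerate CRLF line endings
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo pem ;;
        *)                                     echo other ;;
    esac
}

# audit_keys DIR -> one line per private key: "<name> <format> <pub|nopub>"
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        fmt=$(key_format "$f")
        [ "$fmt" = other ] && continue      # config, known_hosts, etc.
        if [ -f "$f.pub" ]; then pub=pub; else pub=nopub; fi
        printf '%s %s %s\n' "${f##*/}" "$fmt" "$pub"
    done
}

# Constructed sample directory: header lines only, no real key material.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'     > "$d/legacy_rsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/new_ed25519"
    printf '%s\n' 'ssh-ed25519 constructed-placeholder' > "$d/new_ed25519.pub"
    printf '%s\n' 'Host example'                        > "$d/config"
    audit_keys "$d"
    rm -rf "$d"
}

demo
```

A file reported as `pem nopub` matches the reporter's situation; comment #4 lists the two workarounds for it. Run `audit_keys ~/.ssh` to check a real directory.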
bugzilla-daemon at mindrot.org
2020-Jun-15 00:56 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #9 from comm+openssh at squotd.net ---
Created attachment 3410
--> https://bugzilla.mindrot.org/attachment.cgi?id=3410&action=edit
stack on failing check in private2_uudecode
bugzilla-daemon at mindrot.org
2020-Aug-05 22:56 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
--- Comment #10 from comm+openssh at squotd.net ---
A fix has apparently been checked in.
https://blog.hqcodeshop.fi/archives/482-OpenSSH-8.3-client-fails-with-load-pubkey-invalid-format.html
bugzilla-daemon at mindrot.org
2023-Oct-11 07:18 UTC
[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED