openssh unix dev - Mar 2001 - passphrase for non existent key?

Hi there.  I'm being asked for a passphrase for a key file that does not
exist.

See debug output below.  Both client and server default to SSH2.  Creating a DSA
key without a password and copying the public
portion to the server's authorized_keys2 allowed me to login w/o a password.
I downloaded and installed the latest version of SSH
from OpenBSD CVS, and now its asking me for the passphrase to a non-existent RSA
key.  i.e. /home/rjmooney/.ssh/identity doesn't
exist on either end.  Nor does id_rsa.  Yet, I'm still being prompted.

IMO (and maybe this just a problem with the OpenBSD version), SSH should just
skip keys that don't exist.

- Rob

cafefx:~/.ssh$ ssh motion -v -v  -v
OpenSSH_2.5.1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to motion [x.x.x.x] port 22.
debug1: Connection established.
debug1: unknown identity file /home/rjmooney/.ssh/identity
debug1: identity file /home/rjmooney/.ssh/identity type -1
debug1: unknown identity file /home/rjmooney/.ssh/id_rsa
debug1: identity file /home/rjmooney/.ssh/id_rsa type -1
debug3: Bad RSA1 key file /home/rjmooney/.ssh/id_dsa.
debug1: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug1: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/rjmooney/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.5.1
debug1: match: OpenSSH_2.5.1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-
cbc at lysator.liu.se
debug1: got kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-
cbc at lysator.liu.se
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 1012/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'motion' is known and matches the DSA host key.
debug1: Found key in /home/rjmooney/.ssh/known_hosts2:1
debug1: bits set: 1032/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/rjmooney/.ssh/identity
Enter passphrase for key '/home/rjmooney/.ssh/identity':
debug2: no passphrase given, try next key
debug1: try privkey: /home/rjmooney/.ssh/id_rsa
Enter passphrase for key '/home/rjmooney/.ssh/id_rsa':
debug2: no passphrase given, try next key
debug1: try pubkey: /home/rjmooney/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply

... at this point I am logged in.

BUG: SSH asks for a passphrase for non existent key.

Version:  OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f


If I "ssh -2" to a remote host and there is no
"authorized_keys2" at the
remote site
ssh asks for a passphrase for non existent key instead of falling back
to asking for a rlogin-password.

Same situation if you specify a non-existant userid:
   ssh -2 xyz at localhost
   ssh asks for secret passphrase of user "hops". Should ask for
password of "xyz"

"ssh -1" handles all this correctly.

- Peter



tarifa ~> ssh -2 -v xyz at localhost

OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /home/hops/.ssh/config
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Rhosts Authentication disabled, originating port will not be
trusted.
debug: ssh_connect: getuid 129 geteuid 129 anon 1
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Connection established.
debug: identity file /home/hops/.ssh/identity type 0
debug: identity file /home/hops/.ssh/id_rsa1 type 3
debug: identity file /home/hops/.ssh/id_dsa type 3
debug: Remote protocol version 1.99, remote software version
OpenSSH_2.5.1p1
debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.5.1p1
debug: Seeded RNG with 57 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc
at lysator.liu.se
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc
at lysator.liu.se
debug: got kexinit:
hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit:
hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: none,zlib
debug: got kexinit: none,zdebug: got kexinit: 
debug: got kexinit: 
debug: first kex follow: 0 
debug: reserved: 0 
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 535/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Forcing accepting of host key for loopback/localhost.
debug: bits set: 521/1024
debug: len 55 datafellows 0
debug: ssh_dss_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue:
publickey,password,keyboard-interactive
debug: next auth method to try is publickey
debug: userauth_pubkey_agent: trying agent key .ssh/id_dsa
debug: authentications that can continue:
publickey,password,keyboard-interactive
debug: next auth method to try is publickey
debug: key does not exist: /home/hops/.ssh/id_rsa1
debug: try pubkey: /home/hops/.ssh/id_dsa
debug: PEM_read_PrivateKey failed
debug: read SSH2 private key done: name <no key> success 0
Enter passphrase for key '/home/hops/.ssh/id_dsa':


tarifa ~> ssh -1 -v xyz at localhost

OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /home/hops/.ssh/config
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Rhosts Authentication disabled, originating port will not be
trusted.
debug: ssh_connect: getuid 129 geteuid 129 anon 1
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Connection established.
debug: identity file /home/hops/.ssh/identity type 0
debug: identity file /home/hops/.ssh/id_rsa1 type 3
debug: identity file /home/hops/.ssh/id_dsa type 3
debug: Remote protocol version 1.99, remote software version
OpenSSH_2.5.1p1
debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
debug: Local version string SSH-1.5-OpenSSH_2.5.1p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Seeded RNG with 57 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'hops at tarifa'
debug: Server refused our key.
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'hops at tarifa'
debug: Server refused our key.
debug: Doing password authentication.
xyz at localhost's password: 



-- 
     __o     Peter Seuffert
   _`\<,_    German National Research Center for Information Technology
(GMD)
  (_)/ (_)   Institute for Applied Information Technology (FIT.CSCW)
 ~~~~~~~~~~~ Schloss Birlinghoven, D-53754 St.Augustin, Germany
	     EMAIL: Seuffert at gmd.de PHONE: +49-2241-142868 FAX: +49-2241-142084

On Fri, Mar 16, 2001 at 02:45:32PM +0100, Peter Seuffert
wrote:
> BUG: SSH asks for a passphrase for non existent key.
you mean:
	 SSH asks for the passphrase of a key,
	 that is not allowed to login?

this has been fixed for the next release.

-m