summary: I have a situation in which a private RSA key has been corrupted, but it's still possible to log into a SSH server using that file. This is with OpenSSH 3.6.1p2 Debian. I have a SSH public/private key pair generated with "ssh-keygen -t rsa". I can use the private key to successfully log into a SSH server which has the public key in it's the authorized_keys file. I can also make a copy of the SSH private key, edit the file and change some characters, such as making them lowercase. Assuming that the ssh client will still read the file (which depends on where the file is corrupted) I can still use this corrupted file and STILL successfully log into the SSH server. Running openssl rsa -check on the corrupted private confirms it's corrupt: > $ openssl rsa -in rsa-corrupt1 -check > RSA key error: dmp1 not congruent to d > ... > $ I can understand the SSH client not checking that the private key is valid, but I would expect that this would be uncovered when the SSH server attempts to verify the signature? Anyone got a clue on how this is working, or am I just getting lucky on which part of the SSH private key I corrupt is not used for the signature? Thanks, Pete Flugstad
Circa 2003-11-13 09:22:10 -0600 dixit Pete Flugstad: : summary: I have a situation in which a private RSA key has been : corrupted, but it's still possible to log into a SSH server using that : file. This is with OpenSSH 3.6.1p2 Debian. : : I have a SSH public/private key pair generated with "ssh-keygen -t : rsa". I can use the private key to successfully log into a SSH server : which has the public key in it's the authorized_keys file. : : I can also make a copy of the SSH private key, edit the file and : change some characters, such as making them lowercase. Assuming that : the ssh client will still read the file (which depends on where the : file is corrupted) I can still use this corrupted file and STILL : successfully log into the SSH server. : : Running openssl rsa -check on the corrupted private confirms it's corrupt: : : > $ openssl rsa -in rsa-corrupt1 -check : > RSA key error: dmp1 not congruent to d : > ... : > $ : : I can understand the SSH client not checking that the private key is : valid, but I would expect that this would be uncovered when the SSH : server attempts to verify the signature? : : Anyone got a clue on how this is working, or am I just getting lucky : on which part of the SSH private key I corrupt is not used for the : signature? You sure you're not running ssh-agent with the (uncorrupted) key added to it? Can you reproduce this behavior on a -t rsa key that has a passphrase? -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "We have guided missiles and misguided men." --Martin Luther King, Jr.