Hi,

today a friend of mine and I spent several hours figuring out why ssh still asked for a password after we set up public key authentication. We tried to understand the problem by reading 'ssh -vvv ...', but unfortunately the output was not useful. At the end of the day we found out that sshd actually was logging this problem.... So that's for the context.

Now, can you please add some debugging information to ssh, so that the user is able to understand the problem by reading ssh -vvv, which will be much more helpful in comparison to sshd logging? Is there any reason you haven't done so already?

Thanks
Roman
On 11/18/2011 01:02 PM, Roman B. wrote:
> Now, can you please add some debugging information to ssh, so that the
> user is able to understand the problem by reading ssh -vvv which will
> be much more helpful in comparison to sshd logging. Is there any reason
> you haven't done so already?

The ssh client actually doesn't know what the problem is unless the server tells it. It's generally a bad idea for the server to publish that sort of detailed error message, especially when authentication has failed; this would be equivalent to publishing information about the user's home directory to anyone who asks.

If the problem is on the server side, you'll need to read the server side logs to diagnose it, sorry!

--dkg
On Fri, Nov 18, 2011 at 11:02 AM, Roman B. <rbyshko at gmail.com> wrote:
> Hi,
>
> today me and a friend of mine spent several hours figuring out why ssh
> still asked for a password after we set up public key authentication.
> We have tried to understand the problem by reading 'ssh -vvv ...', but
> unfortunately the output was not useful. In the end of the day we have
> found out that sshd actually was logging this problem.... So that's
> for the context.
>
> Now, can you please add some debugging information to ssh, so that the
> user is able to understand the problem by reading ssh -vvv which will
> be much more helpful in comparison to sshd logging. Is there any reason
> you haven't done so already?

Security mostly, also the fact that the error isn't on the client's side anyway, it's server side. The administrator would be able to find the error quickly; it's not user-solvable anyway. In the case of a personal machine, you're both, so your responsibility is to check your logs.

If you expose server side errors to the client you also give attackers more information. In this sort of a case the failure is ideally identical to "wrong password" and "user does not exist" from the client's point of view. Thus an attacker can't gain any information from this route. Yes yes yes, sounds silly, but, every layer helps. It's only a small part of a security model.

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler