Bug 7307 - password protected public keys require a .pub file for quick auth failures
Summary: password protected public keys require a .pub file for quick auth failures
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client (show other bugs)
Version: 1.3.1
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-16 10:06 CET by Pierre Ossman
Modified: 2023-07-03 15:03 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio 2019-01-16 10:06:43 CET 
The public key authentication method has a function where the server and client can handshake if a key will be accepted, without having to actually unlock the key and perform the signature operation. This has the benefit of providing the user with an error message without having to enter the passphrase just to discover they don't have access.

However there is a hidden requirement for this to work, and that is that the private key file also has a corresponding public key file with the name <private key>.pub. We have not documented this requirement so users might easily end up in a situation where this function does not work.

If you are on the machine where you created the private key then this usually works ass ssh-keygen will create the .pub file for you. The problem arises when you've taken (just) your private key with you to a different machine.
Comment 1 Pierre Ossman cendio 2019-01-16 10:09:19 CET 
Note that the private key file does not have the necessary information, so we cannot change the requirement on a .pub file without losing compatibility with OpenSSH's keys. So what we can do here is document the requirement and perhaps add warnings to the log.
Comment 2 Pierre Ossman cendio 2023-07-03 15:03:02 CEST 
Note that this requirement looks to be on the way out. OpenSSH has a new format for private keys that always embeds the public key unencrypted. You can tell that it is the new format by looking for "-----BEGIN OPENSSH PRIVATE KEY-----" in the file.

ssh-keygen on Fedora generates in this format by default, and hopefully that is also the norm on other distributions.

Which means that this bug entry here would only be for older files.
Note You need to log in before you can comment on or make changes to this bug.