If a user has a password-protected private key and no corresponding <key>.pub available, ThinLinc client should always prompt for the password when trying to connect with public key authentication. For some reason, this does not happen when the user is not authorized to connect to the server. If the user IS authorized the prompt is shown, as it should.
This is a regression in 4.13.0 and was probably broken when ssh was upgraded in 7524. The same behavior is found with clients on Ubuntu 20.04, Windows 11 and macOS 12.1.
Use an unauthorized private key, that is password-protected, when trying to connect to the server.
- Make sure there is no <key>.pub in the same directory as the private key.
A password prompt should appear.
No password prompt, instead the message that the user is not authorized is shown directly.
This is the result of OpenSSH switching to using their own format for storing private keys, rather than using one of the existing PKCS formats. In their format, the public portion is always stored unencrypted before the (optionally) encrypted private key.
This fully explains the behaviour we are seeing, so there is no latent bug here.