[Bug 3173] spurious message about pubkey being invalid format
https://bugzilla.mindrot.org/show_bug.cgi?id=3173

Troels Arvin <troels@arvin.dk> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |troels@arvin.dk

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #1 from Troels Arvin <troels@arvin.dk> ---
It seems it's also seen with archlinux:
https://bugs.archlinux.org/task/66799

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org
Attachment #3403|application/octet-stream |text/plain
mime type| |

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Is there any corresponding /root/.ssh/digital-ocean-openssh.pub for the
/root/.ssh/digital-ocean-openssh private key?

--- Comment #3 from Joe Honton <joe@joe-honton.com> ---
There is no corresponding public key file. The public key is derived
from the private key.

--- Comment #4 from Damien Miller <djm@mindrot.org> ---
Private keys should have a corresponding pubkey file available as ssh
prefers to load and test the public key before loading the private key.

We might downgrade this error in a future release, but you can avoid it
either by converting that key to an OpenSSH-format private key file or
by making a standalone public key using "ssh-keygen -yf
/root/.ssh/digital-ocean-openssh >
/root/.ssh/digital-ocean-openssh.pub"

--- Comment #5 from Joe Honton <joe@joe-honton.com> ---
I can confirm that creating a separate public key file causes the
message to go away.

The command "ssh-keygen -yf /root/.ssh/digital-ocean-openssh >
/root/.ssh/digital-ocean-openssh.pub" correctly created a public key
file, and the ssh client found it without any changes to the config
file.

Thank you.

I will just note however that there was never a need for a separate
private key in any previous version of Fedora prior to version 33. I
have been successfully using a configuration with just the private key
since Fedora 6.

I've just now verified my Debian (OpenSSH_7.9p1), Ubuntu (OpenSSH_8.2p1),
Windows (OpenSSH_7.3p1), and Mac (OpenSSH_7.9p1) machines and see
that they also have been working without separate public key files.

--- Comment #6 from Damien Miller <djm@mindrot.org> ---
Sure - the error is new but ssh will continue to work as it always has:
suboptimally if any of the private key files have passphrases on them
as it may prompt for a passphrase on a key that has no chance at
authentication success

--- Comment #7 from Joe Honton <joe@joe-honton.com> ---
Since I'm using a continuous integration pipeline that slings code
around all day long using git, which uses SSH, I have been encountering
this warning hundreds of times a day. It was hard to see whether or
not my CI had any meaningful errors.

Is there a design rationale behind introducing this warning message
now, after all these years? Have I been doing something unsafe without
knowing it?

comm+openssh@squotd.net changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |comm+openssh@squotd.net

--- Comment #8 from comm+openssh@squotd.net ---
A standalone public key file does not make this go away.

The error comes from this:

https://github.com/openssh/openssh-portable/blob/3779b50ee952078018a5d9e1df20977f4355df17/sshkey.c#L3978

The buffer is being checked for "-----BEGIN OPENSSH PRIVATE KEY-----",
but it in fact (in my case) starts with "-----BEGIN RSA PRIVATE
KEY-----"

The identical identity file using openssh 7.9p1 produces no warning.

I'll add an attachment with the bt.

--- Comment #9 from comm+openssh@squotd.net ---
Created attachment 3410
--> https://bugzilla.mindrot.org/attachment.cgi?id=3410&action=edit
stack on failing check in private2_uudecode
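
An added example, not part of the bug thread or of OpenSSH: a shell audit that lists identity files which are neither in OpenSSH private-key format (the header quoted in Comment #8) nor accompanied by a `.pub` file (the workaround from Comment #4). The function names are hypothetical, and the header list goes beyond the RSA header seen in the thread to cover other common PEM private-key headers.

```shell
#!/bin/sh
# Added example: audit a directory of SSH identity files.
# Assumption: the format is judged from the first line (PEM armor header) only.

# classify_key FILE -> openssh | pem-legacy | pkcs8 | not-a-private-key
classify_key() {
    case "$(head -n 1 "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            echo pem-legacy ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pkcs8 ;;
        *)
            echo not-a-private-key ;;
    esac
}

# audit_dir DIR -> one tab-separated line per private key:
#   <path> <format> <pub|nopub>
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac      # skip public halves
        fmt=$(classify_key "$f")
        [ "$fmt" = not-a-private-key ] && continue # known_hosts, config, ...
        if [ -f "$f.pub" ]; then pub=pub; else pub=nopub; fi
        printf '%s\t%s\t%s\n' "$f" "$fmt" "$pub"
    done
}

# flagged DIR -> keys that are not OpenSSH-format AND have no .pub beside them,
# i.e. candidates for either workaround named in Comment #4.
flagged() {
    audit_dir "$1" | awk -F'\t' '$2 != "openssh" && $3 == "nopub"'
}

# Stand-alone use: sh audit.sh /path/to/.ssh
if [ "$#" -gt 0 ]; then
    flagged "$1"
fi
```

For each path printed, the `ssh-keygen -yf <key> > <key>.pub` command from Comment #4 creates the missing public half.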
