[Expired for openssh (Ubuntu) because there has been no activity for 60
days.]
** Changed in: openssh (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1991427
Title:
ssh doesn't offer identity files in the right order
Status in openssh package in Ubuntu:
Expired
Bug description:
"man ssh_config" claims that the "IdentityFile"s will be tried in
sequence:
IdentityFile
Specifies a file from which the user's DSA, ECDSA,
authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA au‐
thentication identity is read. The default is ~/.ssh/id_rsa,
~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa. Additionally, any identities
represented by the authentication agent will be used for
authentication unless IdentitiesOnly is set. If no certificates have
been explicitly specified by CertificateFile, ssh(1) will
try to load certificate information from the filename obtained by
appending -cert.pub to the path of a specified IdentityFile.
Arguments to IdentityFile may use the tilde syntax to refer to a
user's home directory or the tokens described in the TOKENS sec‐
tion.
It is possible to have multiple identity files specified in
configuration files; all these identities will be tried in sequence.
Multiple IdentityFile directives will add to the list of identities
tried (this behaviour differs from that of other configura‐
tion directives).
IdentityFile may be used in conjunction with IdentitiesOnly to select
which identities in an agent are offered during authentica‐
tion. IdentityFile may also be used in conjunction with
CertificateFile in order to provide any certificate also needed for au‐
thentication with the identity.
Yet it doesn't try them in the order specified ("id_ed25519-postfix"
comes before "id_ed25519" in my "~/.ssh/config"):
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_ed25519-postfix type 3
debug1: identity file /home/user/.ssh/id_ed25519-postfix-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type 3
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
...
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519
SHA256:<redacted> explicit agent
debug1: Will attempt key: /home/user/.ssh/id_ed25519-postfix ED25519
SHA256:<redacted> explicit agent
This causes the wrong key to be used for log in. This is especially
problematic when using Git over SSH, which causes the server to report
repository doesn't exist as the username are the same and the key
dictates the account being logged in, and instead of getting a
permission denied the server would give out a more confusing message,
misleading the direction the user goes to debug.
Ubuntu 22.04.1 with openssh-client 1:8.9p1-3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991427/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
