I attempted to set up a ~/.ssh/config entry that said:

Host firewall-link
Hostname firewall.example.com
IdentityFile /Home/username/.ssh/id_rsa_vpn
User vpnuser

However, there was a typo in the IdentityFile line, so it specified the wrong pathname (i.e., no such file). Do you want to know how long it took to track down this error? Too long! You can only see the error message if you type 'ssh -d -d -d firewall-link' (the maximum possible debug level), or use a system-call tracing program (like strace) and compare good vs. bad sessions (if you have a good one). I'm unsure if this was a policy decision for security reasons ("Hide failures"), but as it's an error on the client side, I fail to see the security benefits of not printing "Identity file xxxxxxx not found" as a warning just before moving on to the next authentication method. Thanks!
That code was added a long time ago, but it doesn't seem to be a deliberate decision to hide the error. I guess the question is: is a non-existent IdentityFile always an error?

http://anoncvs.mindrot.org/index.cgi/openssh/sshconnect2.c?r1=1.34&r2=1.35

- markus@cvs.openbsd.org 2001/03/10 12:48:27 [sshconnect2.c] ignore nonexisting private keys; report rjmooney@mediaone.net
djm points out that we'd only want to do this for explicitly specified IdentityFiles, not the implicit default ones.
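The distinction above (warn loudly about an IdentityFile the user typed, stay quiet about the implicit defaults) is also something you can check for yourself before ssh silently skips the key. The following is an added example, not OpenSSH code and not anything from this bug: it parses ssh_config-style text, expands `~`, and reports which explicitly configured identity files are missing separately from missing default identities. The default identity list and the `/home/username` home directory are assumptions for the example; `%d`/`%u`-style tokens in IdentityFile values are not expanded.

```python
"""Find IdentityFile entries in an ssh_config that point at nonexistent files.

Added example (not OpenSSH code). Handles only Host and IdentityFile
directives; keywords are case-insensitive as in ssh_config(5).
"""
import os
import re

# Assumption: the implicit identities a client probes when no IdentityFile
# is given. The real list varies by OpenSSH version.
DEFAULT_IDENTITIES = ("~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519")

# Constructed sample config; the first entry reproduces the typo from the
# report (/Home instead of /home), the second uses a ~ path.
SAMPLE_CONFIG = """\
Host firewall-link
    Hostname firewall.example.com
    IdentityFile /Home/username/.ssh/id_rsa_vpn
    User vpnuser

Host build
    IdentityFile ~/.ssh/build_key
"""


def parse_ssh_config(text):
    """Return {host_pattern: [identityfile, ...]}.

    Directives appearing before any Host line are filed under "*".
    Comments and blank lines are ignored; 'Key value' and 'Key=value'
    forms are both accepted.
    """
    result = {}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
            result.setdefault(current, [])
        elif key == "identityfile":
            result.setdefault(current, []).append(value)
    return result


def check_identities(config, home, exists=os.path.exists):
    """Return (missing_explicit, missing_default).

    missing_explicit: [(host_pattern, expanded_path), ...] for IdentityFile
    values the user wrote that do not exist (these deserve a warning).
    missing_default: expanded default identity paths that do not exist
    (normal on most machines, so only worth a debug-level mention).

    `exists` is injectable so the check can run against a constructed view
    of the filesystem; by default it consults the real one.
    """
    def expand(path):
        return os.path.join(home, path[2:]) if path.startswith("~/") else path

    missing_explicit = [
        (host, expand(f))
        for host, files in config.items()
        for f in files
        if not exists(expand(f))
    ]
    missing_default = [
        expand(d) for d in DEFAULT_IDENTITIES if not exists(expand(d))
    ]
    return missing_explicit, missing_default


if __name__ == "__main__":
    home = os.path.expanduser("~")
    cfg_path = os.path.join(home, ".ssh", "config")
    with open(cfg_path) as fh:
        cfg = parse_ssh_config(fh.read())
    explicit, defaults = check_identities(cfg, home)
    for host, path in explicit:
        print(f"warning: Host {host}: no such identity: {path}")
    for path in defaults:
        print(f"debug: default identity not present: {path}")
```

Run against your own `~/.ssh/config`, the script prints a warning for every explicitly configured key file that cannot be found, which is exactly the message the original report was missing.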
Created attachment 2136 warn for missing user-provided IdentityFiles Please try the attached patch.
Comment on attachment 2136 warn for missing user-provided IdentityFiles ok djm >--- sshconnect2.c 29 May 2011 11:42:34 -0000 1.180 >+++ sshconnect2.c 9 Mar 2012 00:02:06 -0000 ... >+ if (userprovided) >+ logit("no such identity: %s: %s", filename, >+ strerror(errno)); >+ else >+ debug3("no such identity: %s: %s", filename, >+ strerror(errno)); I'd probably do this as: (userprovided ? logit : debug3)("no such identity: %s: %s", filename, strerror(errno)); but that's just a preference. >- debug2("key: %s (%p)", id->filename, id->key); >+ debug2("key: %s (%p), userprovided %d", id->filename, id->key, >+ id->userprovided); Maybe %s and (id->userprovided ? " explicit" : "")
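Review bot: the fixed prefix "no such identity: %s: %s" in both the logit and debug3 calls is paired with whatever strerror(errno) returns, so a key file that exists but cannot be read (EACCES, EISDIR, a dangling symlink) is reported as "no such identity: ...: Permission denied", which points the user at the wrong problem. Either restrict the message to the errno == ENOENT case or use a neutral wording such as "cannot load identity: %s: %s" so the strerror text carries the meaning. Note also that errno must be read before any other call that might clobber it; here it is evaluated as an argument, which is fine, but a later refactor into a helper should keep that ordering.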
Created attachment 2219 updated patch with feedback
Applied, thanks. It will be in the 6.2 release.
mark bugs closed by openssh-6.2 release as CLOSED