ssh client should not ask for key passphrase when an unprotected key is available

Bug #815489 reported by Kasper Dupont
This bug affects 1 person
Affects: openssh (Ubuntu)
Status: New
Importance: Low
Assigned to: Unassigned

Bug Description

When connecting to an ssh server that will accept two different keys for authentication, and both of them are present in the .ssh directory on the client, the client will prefer to ask the user for a passphrase for a protected keyfile instead of using an unprotected keyfile.

Asking for a passphrase when none is needed is bad for user experience and for productivity.

More specifically what happens is that the ssh client will contact gnome-keyring-daemon to use a protected keyfile before it looks into the .ssh directory itself.

This decision in the ssh client makes more sense with the stock ssh-agent, where a key provided by the agent is unlocked by default. With gnome-keyring-daemon, by default the agent will list all the keys that are currently protected and none of those that are unprotected.

A more appropriate order to test the keys in is:
1. Unprotected keys from ~/.ssh
2. Keys provided by the agent
3. Protected keys from ~/.ssh

This will give a reasonable behavior even without knowing if keys provided by the agent are protected or not. The problem is not specific to gnome-keyring-daemon; the same problem is present when using "ssh-add -c" with a standard ssh-agent.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openssh-client 1:5.3p1-3ubuntu7
ProcVersionSignature: Ubuntu 2.6.32-33.70-generic 2.6.32.41+drm33.18
Uname: Linux 2.6.32-33-generic i686
Architecture: i386
Date: Sun Jul 24 18:54:44 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release i386 (20110720.1)
ProcEnviron:
 LANG=en_DK.utf8
 SHELL=/bin/bash
SourcePackage: openssh
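
The ordering proposed in the description, as an added sketch that is not OpenSSH code and not part of the original report. It goes one step beyond the report by also showing how a key file can be classified as protected or unprotected from its header alone; the function names, sample file names and the agent entry label are assumptions made for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # header of the newer OpenSSH private key format

def is_protected(key_text):
    """True if this private key file content needs a passphrase to use."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return blob[start:start + n] != b"none"  # ciphername field
    # Legacy PEM keys: an RFC 1421 Proc-Type header marks encryption
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def proposed_order(file_keys, agent_keys):
    """Order candidates as the report suggests.
    file_keys: {path: file content}; agent_keys: names the agent offers."""
    plain = [("file", p) for p, t in file_keys.items() if not is_protected(t)]
    locked = [("file", p) for p, t in file_keys.items() if is_protected(t)]
    return plain + [("agent", k) for k in agent_keys] + locked

def sample_v1(cipher):
    """Constructed openssh-key-v1 header only; carries no key material."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: headers use real syntax, bodies are placeholders.
SAMPLE_FILES = {
    "~/.ssh/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                      "Proc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                      "Q09OU1RSVUNURUQ=\n"
                      "-----END RSA PRIVATE KEY-----\n"),
    "~/.ssh/id_dsa": ("-----BEGIN DSA PRIVATE KEY-----\n"
                      "Q09OU1RSVUNURUQ=\n"
                      "-----END DSA PRIVATE KEY-----\n"),
    "~/.ssh/id_ed25519": sample_v1(b"aes256-ctr"),
}

if __name__ == "__main__":
    for source, name in proposed_order(SAMPLE_FILES, ["id_rsa (via agent)"]):
        print(source, name)
```

The same classification doubles as an audit of which private keys on a client are stored without a passphrase.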

Kasper Dupont (ubuntu-launchpad-feb) wrote :
Clint Byrum (clint-fewbar) wrote :

Hi Kasper, thanks for taking the time to file a bug report!

Marking importance as Low, since this is mostly just a poorly chosen behavior, not necessarily wrong.

Changed in openssh (Ubuntu):
importance: Undecided → Low
Rolf Leggewie (r0lf)
Changed in openssh (Ubuntu):
status: New → Triaged
status: Triaged → New