[Bug 815489] [NEW] ssh client should not ask for key passphrase when an unprotected key is available

Kasper Dupont 815489 at bugs.launchpad.net
Sun Jul 24 17:11:26 UTC 2011 

Public bug reported:

When connecting to an ssh server, that will accept two different keys
for authentication, and both of them are present in the .ssh directory
on the client, the client will prefer to ask the user for a passphrase
for a protected keyfile instead of using an unprotected keyfile.

Asking for a passphrase when none is needed is bad for user experience
and for productivity.

More specifically what happens is that the ssh client will contact
gnome-keyring-daemon to use a protected keyfile before it looks into the
.ssh directory itself.

This decision in the ssh client makes more sense with the stock ssh-
agent, where a key provided by the agent is unlocked by default. With
gnome-keyring-daemon, by default the agent will list all the keys that
are currently protected and none of those, that are unprotected.

A more appropriate order to test the keys in is:
1. Unprotected keys from ~/.ssh
2. Keys provided by the agent
3. Protected keys from ~/.ssh

This will give a reasonable behavior even without knowing if keys
provided by the agent are protected or not. The problem is not specific
to gnome-keyring-daemon, the same problem is present when using "ssh-add
-c" with a standard ssh-agent.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openssh-client 1:5.3p1-3ubuntu7
ProcVersionSignature: Ubuntu 2.6.32-33.70-generic 2.6.32.41+drm33.18
Uname: Linux 2.6.32-33-generic i686
Architecture: i386
Date: Sun Jul 24 18:54:44 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release i386 (20110720.1)
ProcEnviron:
 LANG=en_DK.utf8
 SHELL=/bin/bash
SourcePackage: openssh

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 lucid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/815489

Title:
  ssh client should not ask for key passphrase when an unprotected key
  is available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/815489/+subscriptions

More information about the Ubuntu-server-bugs mailing list