Bug 2523 - An RSA private key file consistently gives "Bad Passphrase" errors, but worked before
Status: CLOSED DUPLICATE of bug 2522
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-add
Version: 7.1p1
Hardware: Other Linux
Importance: P5 normal
Assignee: Assigned to nobody
Depends on: 2522
Reported: 2016-01-09 11:07 AEDT by Tom Horsley
Modified: 2018-04-06 12:26 AEST
Description Tom Horsley 2016-01-09 11:07:56 AEDT
The ~/.ssh/identity file I've been using can no longer be loaded into the agent with the ssh-add program in my Fedora 23 system, which has:

openssh-clients-7.1p1-6.fc23.x86_64

The previous Fedora 22 system with this version:

openssh-clients-6.9p1-9.fc22.x86_64

works fine with the same file.

File info:

The key size is 1024 bits.

The file header looks like:

zooty> od -c identity
0000000   S   S   H       P   R   I   V   A   T   E       K   E   Y    
0000020   F   I   L   E       F   O   R   M   A   T       1   .   1  \n

Naturally, this could be a bug in one of the zillion libraries loaded by ssh-add or even a compiler bug, but I figured I'd start with ssh-add since that's the program I run to get the error.

No doubt you'll want the actual file and passphrase, but it will take a while for me to make sure I've switched to a new key everywhere before I feel safe attaching that info here (and maybe someone else has already tracked down this bug if I'm unbelievably lucky :-).
Comment 1 Jakub Jelen 2016-01-11 19:03:20 AEDT
openssh-7.1 in Fedora is compiled without SSH1 support, because it is long broken and outdated.

If you really need to use SSH1, there is the openssh-clients-ssh1 [1] package providing basic tools with SSH1 support (ssh1, scp1, ssh-keygen1). I didn't package ssh-agent and ssh-add with SSH1 support, because it should be a rescue package and not something you should use regularly.

The announcement unfortunately somehow missed the release notes [2]. I am really sorry for confusing you, but I hope you will find your use case.

[1] http://koji.fedoraproject.org/koji/rpminfo?rpmID=7130736
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1285374
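
Added example (not part of the bug thread and not OpenSSH code): a Python check that recognises the SSH1 header shown in the od dump in the description, so such keys can be found and replaced before an ssh-add built without SSH1 support rejects them with "bad passphrase". The field layout after the magic string and the PEM marker table are assumptions; classify_key and SAMPLE_SSH1 are hypothetical names.

```python
import struct
import sys

# Magic exactly as in the od dump in the description (32 bytes, ends in "\n").
SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n"

# First-line markers of private key formats that do not need SSH1 support.
PEM_MARKERS = {
    b"-----BEGIN OPENSSH PRIVATE KEY-----": "openssh",
    b"-----BEGIN RSA PRIVATE KEY-----": "pem-rsa",
    b"-----BEGIN EC PRIVATE KEY-----": "pem-ec",
    b"-----BEGIN DSA PRIVATE KEY-----": "pem-dsa",
    b"-----BEGIN PRIVATE KEY-----": "pkcs8",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
}


def classify_key(head: bytes) -> dict:
    """Classify a private key from the first bytes of the file (64 is enough)."""
    if head.startswith(SSH1_MAGIC):
        info = {"format": "ssh1-rsa1", "needs_ssh1": True}
        # Assumed layout after the magic: NUL, u8 cipher, u32 reserved, u32 bits.
        rest = head[len(SSH1_MAGIC):len(SSH1_MAGIC) + 10]
        if len(rest) == 10 and rest[0] == 0:
            cipher, _reserved, bits = struct.unpack(">BII", rest[1:])
            # Assumption: cipher 0 means the private part is stored unencrypted.
            info.update(passphrase_protected=(cipher != 0), bits=bits)
        else:
            info["truncated"] = True
        return info
    first_line = head.lstrip().split(b"\n", 1)[0].strip()
    return {"format": PEM_MARKERS.get(first_line, "unknown"), "needs_ssh1": False}


# Constructed sample: SSH1 header for a 1024-bit key, cipher byte 3, no key material.
SAMPLE_SSH1 = SSH1_MAGIC + b"\x00\x03" + struct.pack(">II", 0, 1024) + b"\x00" * 22

if __name__ == "__main__":
    # Only the first 64 bytes of each file are read; no key material is parsed.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_key(fh.read(64)))
    if len(sys.argv) == 1:
        print("sample", classify_key(SAMPLE_SSH1))
```

Run it with the paths of the key files to audit; any file reported as ssh1-rsa1 is a key to replace with a newly generated one.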
Comment 2 Tom Horsley 2016-01-12 00:24:07 AEDT
A more descriptive error than "bad passphrase" would make this more obvious :-).
Comment 3 Jakub Jelen 2016-03-18 20:23:27 AEDT
FYI, the error message is caused by not handling OpenSSL errors. Every failure from OpenSSL is considered "bad passphrase", even though there are reasonable status messages.

It is independently filed as bug #2522 [1]. Feel free to close this bug as a duplicate of that one to bring some attention from developers. You are not the only one who is confused by this behaviour.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2522
Comment 4 Damien Miller 2016-04-08 16:26:58 AEST
The patch in bug 2522 improves the error message somewhat (it says "invalid format" now).
Comment 5 Damien Miller 2017-02-10 15:36:49 AEDT
Fixed as part of bug 2522:

commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 10 04:34:50 2017 +0000

    upstream commit
    
    bring back r1.34 that was backed out for problems loading
    public keys:
    
    translate OpenSSL error codes to something more
    meaningful; bz#2522 reported by Jakub Jelen, ok dtucker@
    
    with additional fix from Jakub Jelen to solve the backout.
    bz#2525 bz#2523 re-ok dtucker@
    
    Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031

*** This bug has been marked as a duplicate of bug 2522 ***
Comment 6 Damien Miller 2018-04-06 12:26:27 AEST
Close all resolved bugs after release of OpenSSH 7.7.