A supplied private key was not accepted by the server or the user name is incorrect.

0 votes
asked May 9, 2011 by Tim Frison (130 points)
edited May 17, 2011

Currently (as of ~ 2.0.3854.0) an error message like: A supplied public key was not accepted by the server or the user name is incorrect.

Given that we provide a 'SshPrivateKey' to the sftp.Login method, shouldn't this error read: A supplied private key was not accepted by the server or the user name is incorrect. ??

The server definitely has the 'public key', so perhaps that is the intended message -- it just seems a little off.

Example Stack Trace: Could not authenticate with host 192.168.25.180. Possible reason: A supplied public key was not accepted by the server or the user name is incorrect. ---> Rebex.Net.SftpException: A supplied public key was not accepted by the server or the user name is incorrect. ---> Rebex.Net.SshException: A supplied public key was not accepted by the server or the user name is incorrect. at Rebex.Net.SshSession.cCIjvV(String , String , SshPrivateKey , SshGssApiCredentials )

Applies to: Rebex SFTP

1 Answer

+1 vote
answered May 10, 2011 by Lukas Pokorny (92,890 points)
edited May 17, 2011

This is a very interesting question. First, let me explain how the whole process works:

  1. A public key is constructed from parts of the provided private key data at the SSH client.
  2. The public key is sent by the client to the SSH server, along with a user name and a signature created using the private key.
  3. The SSH server checks whether the public key it received is suitable for authentication of the user identified by the received user name. If it is not, the server reports an error to the client.
  4. The SSH server checks whether the received signature is correct. If it is, it proves that the client does in fact have access to the private key corresponding to the public key it sent.

(see RFC 4252 for details.)

This means that although a private key is provided to the Login method, it never leaves the client machine and the server doesn't has access to it.

Now, let's discuss the current message and the suggested alternative:

  1. "A supplied public key was not accepted by the server..." Although the server did in fact reject a public key, you are right that this sounds a little off because there was no "supplied public key" from the point-of-view of the Login method caller.

  2. "A supplied private key was not accepted by the server..." This is not correct either because the server never accepted or rejected any private key. It only got a public key to accept or reject and a signature to prove ownership of a private key.

What about the following error message? Although it's technically correct, it's somewhat long:

"A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect."

Any suggestions are welcome!

commented May 10, 2011 by Tim Frison (130 points)
edited May 10, 2011

I do like your provided error message:

"A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect."

I favor a wordier error message (within reason) if it nails what the actual error is. The few attempts I made at shorter messages eliminated some aspects of the message, for example:

"Invalid user name or public key for the provided private key."

Doesn't mention the server.

I'm sold on your message.

commented May 17, 2011 by Lukas Pokorny (92,890 points)
edited May 17, 2011

I have just submitted the wordier error message to our development source code. It will appear in the next public release in a month or two. Thanks for bringing this to our attention!

...