This is a very interesting question. First, let me explain how the whole process works:
- A public key is constructed from parts of the provided private key data at the SSH client.
- The public key is sent by the client to the SSH server, along with a user name and a signature created using the private key.
- The SSH server checks whether the public key it received is suitable for authentication of the user identified by the received user name. If it is not, the server reports an error to the client.
- The SSH server checks whether the received signature is correct. If it is, it proves that the client does in fact have access to the private key corresponding to the public key it sent.
(see RFC 4252 for details.)
This means that although a private key is provided to the Login method, it never leaves the client machine and the server doesn't have access to it.
Now, let's discuss the current message and the suggested alternative:
- "A supplied public key was not accepted by the server..."
  Although the server did in fact reject a public key, you are right that this sounds a little off because there was no "supplied public key" from the point of view of the Login method caller.
- "A supplied private key was not accepted by the server..."
  This is not correct either because the server never accepted or rejected any private key. It only got a public key to accept or reject and a signature to prove ownership of a private key.
What about the following error message? Although it's technically correct, it's somewhat long:
"A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect."
Any suggestions are welcome!
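To make the flow above concrete, here is an added, constructed model of the RFC 4252 "publickey" exchange; it is not code from the original thread or from the library being discussed. The keys are small textbook RSA keys generated from a seed (not secure, and `toy-rsa` is an invented algorithm name standing in for `ssh-rsa`), and the request is a plain dict standing in for SSH_MSG_USERAUTH_REQUEST. What is faithful is the shape of the data the client signs (RFC 4252 section 7) and the two server-side checks: is this public key acceptable for this user name, and does the signature verify. The `demo()` function runs the cases the discussion is about (correct request, wrong user name, key not authorized, bad signature) and also shows that the private exponent never appears in anything sent to the server.

```python
import hashlib
import random
import struct

SSH_MSG_USERAUTH_REQUEST = 50
ALGO = b"toy-rsa"  # constructed algorithm name standing in for e.g. "ssh-rsa"


# ---- RFC 4251 wire types: 'string' and 'mpint' (positive values only) ----
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln


def mpint(x: int) -> bytes:
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


# ---- Toy RSA (textbook, deterministic from a seed; illustration only) ----
def _is_probable_prime(n: int, rng: random.Random) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(20):  # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def toy_rsa_keypair(seed: int):
    """Return ((n, e), (n, d)); 512-bit modulus so a SHA-256 digest is always < n."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(256, rng), _random_prime(256, rng)
        if p != q and (p - 1) % e and (q - 1) % e:  # gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def toy_sign(priv, data: bytes) -> bytes:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n).to_bytes(64, "big")


def toy_verify(pub, data: bytes, sig: bytes) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h


def pubkey_blob(pub) -> bytes:
    n, e = pub
    return ssh_string(ALGO) + mpint(e) + mpint(n)  # same field order as ssh-rsa


def pubkey_from_blob(blob: bytes):
    _, off = _read_string(blob, 0)
    e_b, off = _read_string(blob, off)
    n_b, _ = _read_string(blob, off)
    return int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")


def signed_data(session_id, user, service, algo, blob) -> bytes:
    """The exact bytes the client signs, per RFC 4252 section 7."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(service) + ssh_string(b"publickey")
            + b"\x01" + ssh_string(algo) + ssh_string(blob))


# ---- Client: derives the public key, signs with the private key, sends only the public parts ----
def client_userauth_request(priv, pub, session_id, user, service=b"ssh-connection"):
    blob = pubkey_blob(pub)
    sig = toy_sign(priv, signed_data(session_id, user, service, ALGO, blob))
    return {"user": user, "service": service, "method": b"publickey",
            "algorithm": ALGO, "public_key": blob, "signature": sig}


# ---- Server: the two checks from the post ----
def server_handle_userauth(req, authorized_keys, session_id):
    """authorized_keys maps user name -> set of public key blobs.
    Returns (accepted, server-side reason). A real server answers both failures
    with the same SSH_MSG_USERAUTH_FAILURE, so the client cannot tell a wrong
    user name from a key that is simply not authorized for that user."""
    user, blob = req["user"], req["public_key"]
    if blob not in authorized_keys.get(user, set()):
        return False, "public key not acceptable for this user"
    data = signed_data(session_id, user, req["service"], req["algorithm"], blob)
    if not toy_verify(pubkey_from_blob(blob), data, req["signature"]):
        return False, "signature does not verify"
    return True, "authenticated"


def demo():
    """Run the scenarios from the discussion; returns {scenario: server reason}."""
    session_id = hashlib.sha256(b"constructed exchange hash").digest()
    pub, priv = toy_rsa_keypair(seed=1)
    other_pub, other_priv = toy_rsa_keypair(seed=2)
    authorized = {b"alice": {pubkey_blob(pub)}}  # constructed authorized_keys
    ok = client_userauth_request(priv, pub, session_id, b"alice")
    wrong_user = client_userauth_request(priv, pub, session_id, b"bob")
    wrong_key = client_userauth_request(other_priv, other_pub, session_id, b"alice")
    forged = dict(ok, signature=bytes([ok["signature"][0] ^ 1]) + ok["signature"][1:])
    cases = [("ok", ok), ("wrong_user", wrong_user), ("wrong_key", wrong_key), ("forged_sig", forged)]
    results = {name: server_handle_userauth(r, authorized, session_id)[1] for name, r in cases}
    d_bytes = priv[1].to_bytes(64, "big")  # private exponent: must not be in anything sent
    results["private_key_sent"] = any(d_bytes in v for v in ok.values())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `wrong_user` and `wrong_key` fail at the first check for the same reason from the server's point of view, and the real protocol reports both as a plain USERAUTH_FAILURE; that is exactly why an error message on the client side can only say that the public key was not accepted "or the user name is incorrect".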