Comment 2 for bug 501956

Don Reid (thebunfighter) wrote :

To summarize:

LogLevel INFO
RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers lukeskywalker

[1] The decision to log the error is made in procedure "auth_log" in "auth.c":
   /* Raise logging level */
   if (authenticated == 1 ||
       !authctxt->valid ||
       authctxt->failures >= options.max_authtries / 2 ||
       strcmp(method, "password") == 0)
           authlog = logit;

When the account exists but does not have a trusted pubkey on the server, the variables have the following values:

"auth_log" decision has the following values:
   authenticated ......... 0
   authctxt->valid ....... 1
   authctxt->failures .... 0
   options.max_authtries . 6
   method ................ publickey

Which translates to:
   if (0 == 1 ||
       ! 1 ||
       0 >= 6 / 2 ||
       1 == 0)
           authlog = logit;

So authlog cannot escalate to the logit function (nothing in auth.log).

I suggest ADDING the following change between "/* Raise logging level */" and the start of the if statement that immediately followed it:

  if (!authenticated &&
      authctxt->valid &&
      strcmp(method, "publickey") == 0)
           authlog = logit;

There seems to be an alternative train of thought from the 2005 portable bug associated with this report. I guess that was never implemented (please add comments if you know the history).

Regards, Don.
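
Added example, not part of the comment above and not OpenSSH code: a small C model of the "auth_log" decision that evaluates the original condition and the suggested extra check side by side, to show which failed attempts reach auth.log. The struct layouts, the function names raises_original and raises_proposed, and the sample cases are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the fields named in the comment (assumed shapes,
 * not the real OpenSSH structs). */
struct authctxt { int valid; int failures; };
struct options  { int max_authtries; };

/* Returns 1 when the original condition raises the level to logit. */
int raises_original(int authenticated, const struct authctxt *a,
                    const struct options *o, const char *method)
{
    return authenticated == 1 ||
           !a->valid ||
           a->failures >= o->max_authtries / 2 ||
           strcmp(method, "password") == 0;
}

/* Original condition plus the extra check suggested in the comment. */
int raises_proposed(int authenticated, const struct authctxt *a,
                    const struct options *o, const char *method)
{
    if (!authenticated && a->valid && strcmp(method, "publickey") == 0)
        return 1;
    return raises_original(authenticated, a, o, method);
}

int main(void)
{
    struct options o = { 6 };
    /* Constructed cases: authenticated, {valid, failures}, method, label */
    struct { int auth; struct authctxt a; const char *m; const char *label; } c[] = {
        { 0, {1, 0}, "publickey", "valid user, untrusted key, 0 failures" },
        { 0, {1, 2}, "publickey", "valid user, untrusted key, 2 failures" },
        { 0, {1, 3}, "publickey", "valid user, untrusted key, 3 failures" },
        { 0, {0, 0}, "publickey", "invalid user" },
        { 1, {1, 0}, "publickey", "valid user, accepted key" },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-40s original=%d proposed=%d\n", c[i].label,
               raises_original(c[i].auth, &c[i].a, &o, c[i].m),
               raises_proposed(c[i].auth, &c[i].a, &o, c[i].m));
    return 0;
}
```

With max_authtries at 6, the original condition stays silent for a valid account until failures reaches 3, so a monitor reading auth.log sees nothing for the earlier publickey rejections.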