[Bug 2028282] Re: SSH pubkey authetication fails when GSSAPI enabled
Lukas Märdian
2028282 at bugs.launchpad.net
Mon Dec 16 10:48:13 UTC 2024
A reproducer for this got codified as of 1:9.9p1-2 (thanks to Colin
Watson). It's therefore included in Plucky and can be easily reproduced
on Oracular.
To reproduce, we can use the attached "dep8-verifier.diff" to add
corresponding autopkgtest improvements to Oracular, which is then
showing the very same "sign_and_send_pubkey: internal error: initial
hostkey not recorded" error on login:
$ autopkgtest -U -B . --test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64
autopkgtest [11:37:29]: starting date and time: 2024-12-16 11:37:29+0100
autopkgtest [11:37:29]: version 5.38ubuntu1~24.04.1
autopkgtest [11:37:29]: host abaconcy; command line: /usr/bin/autopkgtest -U -B . --test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64
autopkgtest [11:37:39]: testbed dpkg architecture: amd64
autopkgtest [11:37:39]: testbed apt version: 2.9.8
autopkgtest [11:37:39]: @@@@@@@@@@@@@@@@@@@@ test bed setup
[...]
autopkgtest [11:39:24]: test ssh-gssapi: [-----------------------
Generating public/private ed25519 key pair.
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:nfzzPGYVv5pAD0m7vBb9qFZvuo8U1tumvTK4wGEvIsk root at autopkgtest-lxd-coegkp
The key's randomart image is:
+--[ED25519 256]--+
| |
| |
| . |
| o..o .. |
| So+=.o .o|
| . . o =o=o. =|
| E . + =*o+o+|
| . . o++B*O |
| o+oO%+o|
+----[SHA256]-----+
## Setting up test environment
## Creating Kerberos realm EXAMPLE.FAKE
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.FAKE',
master key name 'K/M at EXAMPLE.FAKE'
## Creating principals
Authenticating as principal root/admin at EXAMPLE.FAKE with password.
Principal "testuser1678 at EXAMPLE.FAKE" created.
Authenticating as principal root/admin at EXAMPLE.FAKE with password.
Principal "host/sshd-gssapi.example.fake at EXAMPLE.FAKE" created.
## Extracting service principal host/sshd-gssapi.example.fake
Authenticating as principal root/admin at EXAMPLE.FAKE with password.
Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/sshd-gssapi.example.fake with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
## Adjusting /etc/krb5.conf
## TESTS
## TEST test_gssapi_login
## Configuring sshd for gssapi-with-mic authentication
## Restarting ssh
## Obtaining TGT
Password for testuser1678 at EXAMPLE.FAKE:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1678 at EXAMPLE.FAKE
Valid starting Expires Service principal
12/16/24 10:39:25 12/16/24 20:39:25 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
renew until 12/17/24 10:39:25
## ssh'ing into localhost using gssapi-with-mic auth
Warning: Permanently added 'sshd-gssapi.example.fake' (ED25519) to the list of known hosts.
Mon Dec 16 10:39:25 UTC 2024
## checking that we got a service ticket for ssh (host/)
12/16/24 10:39:25 12/16/24 20:39:25 host/sshd-gssapi.example.fake@
Ticket server: host/sshd-gssapi.example.fake at EXAMPLE.FAKE
## Checking ssh logs to confirm gssapi-with-mic auth was used
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: Accepted gssapi-with-mic for testuser1678 from 127.0.0.1 port 41534 ssh2: testuser1678 at EXAMPLE.FAKE
## PASS test_gssapi_login
## TEST test_gssapi_keyex_login
## Configuring sshd for gssapi-keyex authentication
## Restarting ssh
## Obtaining TGT
Password for testuser1678 at EXAMPLE.FAKE:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1678 at EXAMPLE.FAKE
Valid starting Expires Service principal
12/16/24 10:39:25 12/16/24 20:39:25 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
renew until 12/17/24 10:39:25
## ssh'ing into localhost using gssapi-keyex auth
Mon Dec 16 10:39:26 UTC 2024
## checking that we got a service ticket for ssh (host/)
12/16/24 10:39:25 12/16/24 20:39:25 host/sshd-gssapi.example.fake@
Ticket server: host/sshd-gssapi.example.fake at EXAMPLE.FAKE
## Checking ssh logs to confirm gssapi-keyex auth was used
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: Accepted gssapi-keyex for testuser1678 from 127.0.0.1 port 41548 ssh2: testuser1678 at EXAMPLE.FAKE
## PASS test_gssapi_keyex_login
## TEST test_gssapi_keyex_pubkey_fallback
## Configuring sshd for gssapi-keyex authentication
## Restarting ssh
## Obtaining TGT
Password for testuser1678 at EXAMPLE.FAKE:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1678 at EXAMPLE.FAKE
Valid starting Expires Service principal
12/16/24 10:39:26 12/16/24 20:39:26 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
renew until 12/17/24 10:39:26
## ssh'ing into localhost using gssapi-keyex auth
sign_and_send_pubkey: internal error: initial hostkey not recorded
## FAIL test_gssapi_keyex_pubkey_fallback
## Something failed
## klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1678 at EXAMPLE.FAKE
Valid starting Expires Service principal
12/16/24 10:39:26 12/16/24 20:39:26 krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
renew until 12/17/24 10:39:26
12/16/24 10:39:26 12/16/24 20:39:26 host/sshd-gssapi.example.fake@
renew until 12/17/24 10:39:26
Ticket server: host/sshd-gssapi.example.fake at EXAMPLE.FAKE
## ssh server log
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1768]: Server listening on 0.0.0.0 port 22.
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1768]: Server listening on :: port 22.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: Authorized to testuser1678, krb5 principal testuser1678 at EXAMPLE.FAKE (krb5_kuserok)
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: Accepted gssapi-with-mic for testuser1678 from 127.0.0.1 port 41534 ssh2: testuser1678 at EXAMPLE.FAKE
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: pam_unix(sshd:session): session opened for user testuser1678(uid=1001) by testuser1678(uid=0)
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1778) opened.
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: pam_unix(sshd:session): session closed for user testuser1678
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1778) opened.
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1768]: Received signal 15; terminating.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Stopping ssh.service - OpenBSD Secure Shell server...
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: ssh.service: Deactivated successfully.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Stopped ssh.service - OpenBSD Secure Shell server.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1851]: Server listening on 0.0.0.0 port 22.
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1851]: Server listening on :: port 22.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: Authorized to testuser1678, krb5 principal testuser1678 at EXAMPLE.FAKE (krb5_kuserok)
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: Accepted gssapi-keyex for testuser1678 from 127.0.0.1 port 41548 ssh2: testuser1678 at EXAMPLE.FAKE
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: pam_unix(sshd:session): session opened for user testuser1678(uid=1001) by testuser1678(uid=0)
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1861) opened.
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: pam_unix(sshd:session): session closed for user testuser1678
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1861) opened.
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1851]: Received signal 15; terminating.
Dec 16 10:39:26 sshd-gssapi.example.fake systemd[1]: Stopping ssh.service - OpenBSD Secure Shell server...
Dec 16 10:39:26 sshd-gssapi.example.fake systemd[1]: ssh.service: Deactivated successfully.
Dec 16 10:39:26 sshd-gssapi.example.fake systemd[1]: Stopped ssh.service - OpenBSD Secure Shell server.
Dec 16 10:39:26 sshd-gssapi.example.fake systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1951]: Server listening on 0.0.0.0 port 22.
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1951]: Server listening on :: port 22.
Dec 16 10:39:26 sshd-gssapi.example.fake systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1962]: Connection closed by authenticating user testuser1678-2 127.0.0.1 port 41554 [preauth]
## Kerberos KDC logs
Dec 16 10:39:21 autopkgtest-lxd-coegkp systemd[1]: Starting krb5-kdc.service - Kerberos 5 Key Distribution Center...
Dec 16 10:39:21 autopkgtest-lxd-coegkp (krb5kdc)[1422]: krb5-kdc.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_ARGS
Dec 16 10:39:21 autopkgtest-lxd-coegkp krb5kdc[1422]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm ATHENA.MIT.EDU
Dec 16 10:39:21 autopkgtest-lxd-coegkp krb5kdc[1422]: krb5kdc: cannot initialize realm ATHENA.MIT.EDU - see log file for details
Dec 16 10:39:21 autopkgtest-lxd-coegkp systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
Dec 16 10:39:21 autopkgtest-lxd-coegkp systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Dec 16 10:39:21 autopkgtest-lxd-coegkp systemd[1]: Failed to start krb5-kdc.service - Kerberos 5 Key Distribution Center.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Starting krb5-kdc.service - Kerberos 5 Key Distribution Center...
Dec 16 10:39:25 sshd-gssapi.example.fake (krb5kdc)[1753]: krb5-kdc.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_ARGS
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: preauth spake failed to initialize: No SPAKE preauth groups configured
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: setting up network...
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up UDP socket for address 0.0.0.0.750
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting pktinfo on socket 0.0.0.0.750
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up UDP socket for address ::.750
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: setsockopt(10,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting pktinfo on socket ::.750
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up UDP socket for address 0.0.0.0.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting pktinfo on socket 0.0.0.0.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up UDP socket for address ::.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: setsockopt(12,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting pktinfo on socket ::.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up TCP socket for address 0.0.0.0.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: Setting up TCP socket for address ::.88
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1753]: set up 6 sockets
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Started krb5-kdc.service - Kerberos 5 Key Distribution Center.
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: commencing operation
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: NEEDED_PREAUTH: testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE, Additional pre-authentication required
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345565, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345565, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for host/sshd-gssapi.example.fake at EXAMPLE.FAKE
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: NEEDED_PREAUTH: testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE, Additional pre-authentication required
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345565, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
Dec 16 10:39:25 sshd-gssapi.example.fake krb5kdc[1755]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345565, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for host/sshd-gssapi.example.fake at EXAMPLE.FAKE
Dec 16 10:39:26 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: NEEDED_PREAUTH: testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE, Additional pre-authentication required
Dec 16 10:39:26 sshd-gssapi.example.fake krb5kdc[1755]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345566, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for krbtgt/EXAMPLE.FAKE at EXAMPLE.FAKE
Dec 16 10:39:26 sshd-gssapi.example.fake krb5kdc[1755]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 127.0.0.1: ISSUE: authtime 1734345566, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser1678 at EXAMPLE.FAKE for host/sshd-gssapi.example.fake at EXAMPLE.FAKE
## Kerberos Admin server logs
Dec 16 10:39:22 autopkgtest-lxd-coegkp systemd[1]: Started krb5-admin-server.service - Kerberos 5 Admin Server.
Dec 16 10:39:22 autopkgtest-lxd-coegkp (kadmind)[1527]: krb5-admin-server.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_ARGS
Dec 16 10:39:22 autopkgtest-lxd-coegkp kadmind[1527]: kadmind: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Dec 16 10:39:22 autopkgtest-lxd-coegkp kadmind[1527]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Dec 16 10:39:22 autopkgtest-lxd-coegkp systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE
Dec 16 10:39:22 autopkgtest-lxd-coegkp systemd[1]: krb5-admin-server.service: Failed with result 'exit-code'.
Dec 16 10:39:25 sshd-gssapi.example.fake systemd[1]: Started krb5-admin-server.service - Kerberos 5 Admin Server.
Dec 16 10:39:25 sshd-gssapi.example.fake (kadmind)[1754]: krb5-admin-server.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_ARGS
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: No dictionary file specified, continuing without one.
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: setting up network...
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up UDP socket for address 0.0.0.0.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting pktinfo on socket 0.0.0.0.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up UDP socket for address ::.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: setsockopt(10,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting pktinfo on socket ::.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up TCP socket for address 0.0.0.0.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up TCP socket for address ::.464
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: setsockopt(12,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up RPC socket for address 0.0.0.0.749
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: Setting up RPC socket for address ::.749
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: set up 6 sockets
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: kadmind: starting...
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: No dictionary file specified, continuing without one.
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: No dictionary file specified, continuing without one.
Dec 16 10:39:25 sshd-gssapi.example.fake kadmind[1754]: starting
## Skipping cleanup to facilitate troubleshooting
autopkgtest [11:39:26]: test ssh-gssapi: -----------------------]
autopkgtest [11:39:27]: test ssh-gssapi: - - - - - - - - - - results - - - - - - - - - -
ssh-gssapi FAIL non-zero exit status 253
autopkgtest [11:39:27]: @@@@@@@@@@@@@@@@@@@@ summary
ssh-gssapi FAIL non-zero exit status 253
** Patch added: "dep8-verifier.diff"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+attachment/5845545/+files/dep8-verifier.diff
https://bugs.launchpad.net/bugs/2028282
Title:
SSH pubkey authetication fails when GSSAPI enabled
Status in openssh package in Ubuntu:
Triaged
Status in openssh source package in Jammy:
New
Status in openssh source package in Noble:
New
Status in openssh source package in Oracular:
New
Status in openssh source package in Plucky:
Triaged
Status in openssh package in Debian:
Fix Released
Bug description:
Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH
pubkey to our servers fails, while password and kerberos are still
working.
$ ssh user@server
sign_and_send_pubkey: internal error: initial hostkey not recorded
This seems related to the bugreport at openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssh-server 1:8.9p1-3ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-76.83-generic 5.15.99
Uname: Linux 5.15.0-76-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Thu Jul 20 17:25:01 2023
InstallationDate: Installed on 2020-08-24 (1060 days ago)
InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: openssh
UpgradeStatus: Upgraded to jammy on 2023-07-20 (0 days ago)
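
Added example (not part of the original message or of the openssh packaging): a small Python triage of the test output above. It splits the log on the harness's "## TEST" / "## PASS" / "## FAIL" markers, records which auth method sshd accepted inside each test, and flags failed tests that carry the error string from this bug. The function names and the abridged sample log are constructed for illustration.

```python
import re

# Client-side error string quoted in this bug report.
BUG_SIGNATURE = "sign_and_send_pubkey: internal error: initial hostkey not recorded"
MARKER_RE = re.compile(r"^## (TEST|PASS|FAIL) (\S+)$")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from ")

# Abridged from the autopkgtest output in this message (trailing principal
# dropped from the sshd lines); constructed sample, not a complete log.
SAMPLE_LOG = """\
## TESTS
## TEST test_gssapi_login
## ssh'ing into localhost using gssapi-with-mic auth
Dec 16 10:39:25 sshd-gssapi.example.fake sshd[1778]: Accepted gssapi-with-mic for testuser1678 from 127.0.0.1 port 41534 ssh2
## PASS test_gssapi_login
## TEST test_gssapi_keyex_login
## ssh'ing into localhost using gssapi-keyex auth
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: Accepted gssapi-keyex for testuser1678 from 127.0.0.1 port 41548 ssh2
## PASS test_gssapi_keyex_login
## TEST test_gssapi_keyex_pubkey_fallback
## ssh'ing into localhost using gssapi-keyex auth
sign_and_send_pubkey: internal error: initial hostkey not recorded
## FAIL test_gssapi_keyex_pubkey_fallback
## Something failed
## ssh server log
Dec 16 10:39:26 sshd-gssapi.example.fake sshd[1861]: Accepted gssapi-keyex for testuser1678 from 127.0.0.1 port 41548 ssh2
"""


def _blank():
    return {"result": None, "accepted": [], "hostkey_error": False}


def triage(log_text):
    """Map each test name to its result, accepted auth methods and bug flag."""
    tests, current = {}, None
    for line in log_text.splitlines():
        marker = MARKER_RE.match(line)
        if marker:
            kind, name = marker.groups()
            if kind == "TEST":
                current = tests.setdefault(name, _blank())
            else:
                # PASS/FAIL closes the section, so the server log dumped
                # after a failure is not attributed to the failed test.
                tests.setdefault(name, _blank())["result"] = kind
                current = None
            continue
        if current is None:
            continue  # setup output or post-failure log dump
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            current["accepted"].append(accepted.group(1))
        elif BUG_SIGNATURE in line:
            current["hostkey_error"] = True
    return tests


def affected_tests(tests):
    """Names of failed tests whose output carries the error from this bug."""
    return [name for name, info in tests.items()
            if info["result"] == "FAIL" and info["hostkey_error"]]


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info)
```
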