[Bug 2028282] Re: [SRU] SSH pubkey authetication fails when GSSAPI enabled
Lukas Märdian
2028282 at bugs.launchpad.net
Tue Jan 7 09:42:20 UTC 2025
I tested openssh (1:9.7p1-7ubuntu4.1) from oracular proposed, according
to TestCase1 (comment #14) and TestCase2 (this comment). All looking
good!
[ Test Case 2 ]
###Set up an Oracular LXD container & install openssh-server from proposed:
root at oosru:~# apt list *openssh-server*
openssh-server/oracular-proposed,now 1:9.7p1-7ubuntu4.1 amd64 [installed]
root at oosru:~# adduser test
info: Adding user `test' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `test' (1001) ...
info: Adding new user `test' (1001) with group `test (1001)' ...
info: Creating home directory `/home/test' ...
info: Copying files from `/etc/skel' ...
New password: [test]
Retype new password: [test]
passwd: password updated successfully
### Adopt SSH config & restart service
root at oosru:~# vim /etc/ssh/sshd_config.d/60-cloudimg-settings.conf
root at oosru:~# grep -R PasswordAuthentication /etc/ssh/
/etc/ssh/ssh_config:# PasswordAuthentication yes
/etc/ssh/sshd_config.d/60-cloudimg-settings.conf:PasswordAuthentication yes
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
root at oosru:~# systemctl restart ssh.service
root at oosru:~# ip a show eth0
548: eth0 at if549: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:16:3e:d1:bc:18 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.238.94.46/24 metric 100 brd 10.238.94.255 scope global dynamic eth0
valid_lft 3221sec preferred_lft 3221sec
inet6 fd42:7213:f20e:bd74:216:3eff:fed1:bc18/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fed1:bc18/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
### From the host (password login OK):
$ ssh test at 10.238.94.46
test at 10.238.94.46's password: [test]
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
test at oosru:~$ ssh-import-id-lp slyon
2025-01-07 09:38:45,613 INFO Authorized key ['4096', 'SHA256:sciOAYEEOgZuev6e/fxLpojXxsiZsJPzn1Jk8LaYvVg', 'lukas.maerdian at canonical.com', '(RSA)']
2025-01-07 09:38:45,613 INFO [1] SSH keys [Authorized]
### From the host (pubkey login OK):
$ ssh -i ~/.ssh/canonical_id_rsa test at 10.238.94.46
Enter passphrase for key '/home/lukas/.ssh/canonical_id_rsa':
Welcome to Ubuntu 24.10 (GNU/Linux 6.8.0-49-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue Jan 7 09:39:47 UTC 2025
System load: 0.94
Usage of /: 89.2% of 195.80GB
Memory usage: 0%
Swap usage: 0%
Temperature: 47.0 C
Processes: 26
Users logged in: 0
IPv4 address for eth0: 10.238.94.46
IPv6 address for eth0: fd42:7213:f20e:bd74:216:3eff:fed1:bc18
=> / is using 89.2% of 195.80GB
7 updates can be applied immediately.
4 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Last login: Tue Jan 7 09:37:48 2025 from 10.238.94.1
test at oosru:~$
=> All working as expected!
** Tags removed: verification-needed-oracular
** Tags added: verification-done-oracular
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2028282
Title:
[SRU] SSH pubkey authetication fails when GSSAPI enabled
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Jammy:
Triaged
Status in openssh source package in Noble:
Triaged
Status in openssh source package in Oracular:
Fix Committed
Status in openssh source package in Plucky:
Fix Released
Status in openssh package in Debian:
Fix Released
Bug description:
[ Impact ]
* Login with publickey fails when openssh server is configured to use
GSSAPI authentication, too. Error: "sign_and_send_pubkey: internal
error: initial hostkey not recorded"
* To trigger it, one needs to (a) perform a successful GSSAPI key
exchange, (b) attempt public key authentication.
* In addition, the client and the server must both have the hostbound
authentication protocol extension enabled for the problem to manifest
itself (On by default).
* This is not a very common combination, but it can happen if one has
Kerberos credentials for the correct realm but the wrong user, and a
private key for the right user.
* This SRU fixes this by adding an additional
"ssh->kex->initial_hostkey != NULL" check in
sshconnect2.c:sign_and_send_pubkey(), as suggested by upstream in
https://bugzilla.mindrot.org/show_bug.cgi?id=3406 (comment 2).
[ Test Plan ]
The reproducer was codified in autopkgtests, thanks to Colin Watson!
* Make sure to have the latest debian/tests/ssh-gssapi test case
(included as of 1:9.9p1-2, and shipped as part of this SRU),
especially the delta described in
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+attachment/5845545/+files/dep8-verifier.diff
* Execute the "ssh-gssapi" dep8 test:
$ autopkgtest -U openssh --apt-pocket=proposed=src:openssh --test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64
* Confirm the log contains 3 login attempts, with the final one using the "publickey" authentication method ("Accepted publickey for testuser..."):
"""
## Checking ssh logs to confirm publickey auth was used
Dec 14 22:44:16 sshd-gssapi.example.fake sshd-session[2213]: Accepted publickey for testuser2020-2 from 127.0.0.1 port 43364 ssh2: ED25519 SHA256:7vF3468XCZOawompwDThLsGsnPoUaP5Ki/3KaQLq/2M
## PASS test_gssapi_keyex_pubkey_fallback
"""
[ Test Plan 2 ]
* In addition to the codified test for this specific issue, we want
to confirm normal password and publickey login are still working as
expected.
* Enable "PasswordAuthentication yes" in /etc/ssh/sshd_config &
restart ssh.service
* Login using password, confirm success
* Copy public key over to system-under-test
* Enable "PubkeyAuthentication yes" in /etc/ssh/sshd_config & restart
* Login using private key, confirm success
[ Where problems could occur ]
* This SRU tweaks the authentication logic of OpenSSH, therefore it's
a high-impact change. If something goes wrong, it could lock people
out of their remote machines.
* The change has been deployed to Debian testing and Ubuntu Plucky
since October 2024, without major issues raised.
* I've added "[ Test Plan 2 ]" to confirm normal publickey & password
login is still working as expected
[ Other Info ]
* Fixed as of 1:9.9p1-2 (e.g. in Plucky)
* Rejected upstream, due to being a bug in the Debian delta:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
* Fixed in Debian by Colin Watson:
https://salsa.debian.org/ssh-team/openssh/-/commit/7d291bb
=== original bug report ===
Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH pubkey to our servers fails, while password and kerberos are still working.
$ssh user at server
sign_and_send_pubkey: internal error: initial hostkey not recorded
This seem related to the bugreport at openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssh-server 1:8.9p1-3ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-76.83-generic 5.15.99
Uname: Linux 5.15.0-76-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Thu Jul 20 17:25:01 2023
InstallationDate: Installed on 2020-08-24 (1060 days ago)
InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: openssh
UpgradeStatus: Upgraded to jammy on 2023-07-20 (0 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+subscriptions
More information about the foundations-bugs
mailing list