[Bug 2028282] Re: [SRU] SSH pubkey authetication fails when GSSAPI enabled

Launchpad Bug Tracker 2028282 at bugs.launchpad.net
Thu Jan 9 12:48:05 UTC 2025 

This bug was fixed in the package openssh - 1:9.7p1-7ubuntu4.1

---------------
openssh (1:9.7p1-7ubuntu4.1) oracular; urgency=medium

  * d/p/gssapi.patch: Fix interaction between gssapi-keyex and pubkey auth
    (LP: #2028282)
    Don't prefer host-bound public key signatures if there was no initial
    host key, as is the case when using GSS-API key exchange.
    Thanks to Colin Watson for providing patches via Debian Salsa (7d291bb)
    + d/t/ssh-gssapi: Fix typo in autopkgtest
    + d/t/ssh-gssapi: Test interaction between gssapi-keyex and pubkey auth.

 -- Lukas Märdian <slyon at ubuntu.com>  Mon, 16 Dec 2024 12:49:45 +0100

** Changed in: openssh (Ubuntu Oracular)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2028282

Title:
  [SRU] SSH pubkey authetication fails when GSSAPI enabled

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  Triaged
Status in openssh source package in Noble:
  Triaged
Status in openssh source package in Oracular:
  Fix Released
Status in openssh source package in Plucky:
  Fix Released
Status in openssh package in Debian:
  Fix Released

Bug description:
  [ Impact ]

   * Login with publickey fails when openssh server is configured to use
  GSSAPI authentication, too. Error: "sign_and_send_pubkey: internal
  error: initial hostkey not recorded"

   * To trigger it, one needs to (a) perform a successful GSSAPI key
  exchange, (b) attempt public key authentication.

   * In addition, the client and the server must both have the hostbound
  authentication protocol extension enabled for the problem to manifest
  itself (On by default).

   * This is not a very common combination, but it can happen if one has
  Kerberos credentials for the correct realm but the wrong user, and a
  private key for the right user.

   * This SRU fixes this by adding an additional
  "ssh->kex->initial_hostkey != NULL" check in
  sshconnect2.c:sign_and_send_pubkey(), as suggested by upstream in
  https://bugzilla.mindrot.org/show_bug.cgi?id=3406 (comment 2).

  [ Test Plan ]

   The reproducer was codified in autopkgtests, thanks to Colin Watson!

   * Make sure to have the latest debian/tests/ssh-gssapi test case
  (included as of 1:9.9p1-2, and shipped as part of this SRU),
  especially the delta described in
  https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+attachment/5845545/+files/dep8-verifier.diff

   * Execute the "ssh-gssapi" dep8 test:
  $ autopkgtest -U openssh --apt-pocket=proposed=src:openssh --test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64

   * Confirm the log contains 3 login attempts, with the final one using the "publickey" authentication method ("Accepted publickey for testuser..."):
  """
  ## Checking ssh logs to confirm publickey auth was used
  Dec 14 22:44:16 sshd-gssapi.example.fake sshd-session[2213]: Accepted publickey for testuser2020-2 from 127.0.0.1 port 43364 ssh2: ED25519 SHA256:7vF3468XCZOawompwDThLsGsnPoUaP5Ki/3KaQLq/2M
  ## PASS test_gssapi_keyex_pubkey_fallback
  """

  [ Test Plan 2 ]

   * In addition to the codified test for this specific issue, we want
  to confirm normal password and publickey login are still working as
  expected.

   * Enable "PasswordAuthentication yes" in /etc/ssh/sshd_config &
  restart ssh.service

   * Login using password, confirm success

   * Copy public key over to system-under-test

   * Enable "PubkeyAuthentication yes" in /etc/ssh/sshd_config & restart

   * Login using private key, confirm success

  [ Where problems could occur ]

   * This SRU tweaks the authentication logic of OpenSSH, therefore it's
  a high-impact change. If something goes wrong, it could lock people
  out of their remote machines.

   * The change has been deployed to Debian testing and Ubuntu Plucky
  since October 2024, without major issues raised.

   * I've added "[ Test Plan 2 ]" to confirm normal publickey & password
  login is still working as expected

  [ Other Info ]

   * Fixed as of 1:9.9p1-2 (e.g. in Plucky)

   * Rejected upstream, due to being a bug in the Debian delta:
     https://bugzilla.mindrot.org/show_bug.cgi?id=3406

   * Fixed in Debian by Colin Watson:
     https://salsa.debian.org/ssh-team/openssh/-/commit/7d291bb

  === original bug report ===
  Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH pubkey to our servers fails, while password and kerberos are still working.

  $ssh user at server
  sign_and_send_pubkey: internal error: initial hostkey not recorded

  This seem related to the bugreport at openssh:
  https://bugzilla.mindrot.org/show_bug.cgi?id=3406

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: openssh-server 1:8.9p1-3ubuntu0.1
  ProcVersionSignature: Ubuntu 5.15.0-76.83-generic 5.15.99
  Uname: Linux 5.15.0-76-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Thu Jul 20 17:25:01 2023
  InstallationDate: Installed on 2020-08-24 (1060 days ago)
  InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
  SourcePackage: openssh
  UpgradeStatus: Upgraded to jammy on 2023-07-20 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+subscriptions

More information about the foundations-bugs mailing list