[Bug 2028282] Re: [SRU] SSH pubkey authetication fails when GSSAPI enabled
Timo Aaltonen
2028282 at bugs.launchpad.net
Fri Mar 7 10:54:48 UTC 2025
Hello Moritz, or anyone else affected,
Accepted openssh into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.9 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
noble to verification-done-noble. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-noble. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: openssh (Ubuntu Noble)
Status: Triaged => Fix Committed
** Tags added: verification-needed-noble
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2028282
Title:
[SRU] SSH pubkey authetication fails when GSSAPI enabled
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Jammy:
Triaged
Status in openssh source package in Noble:
Fix Committed
Status in openssh source package in Oracular:
Fix Released
Status in openssh source package in Plucky:
Fix Released
Status in openssh package in Debian:
Fix Released
Bug description:
[ Impact ]
* Login with publickey fails when openssh server is configured to use
GSSAPI authentication, too. Error: "sign_and_send_pubkey: internal
error: initial hostkey not recorded"
* To trigger it, one needs to (a) perform a successful GSSAPI key
exchange, (b) attempt public key authentication.
* In addition, the client and the server must both have the hostbound
authentication protocol extension enabled for the problem to manifest
itself (On by default).
* This is not a very common combination, but it can happen if one has
Kerberos credentials for the correct realm but the wrong user, and a
private key for the right user.
* This SRU fixes this by adding an additional
"ssh->kex->initial_hostkey != NULL" check in
sshconnect2.c:sign_and_send_pubkey(), as suggested by upstream in
https://bugzilla.mindrot.org/show_bug.cgi?id=3406 (comment 2).
[ Test Plan ]
The reproducer was codified in autopkgtests, thanks to Colin Watson!
* Make sure to have the latest debian/tests/ssh-gssapi test case
(included as of 1:9.9p1-2, and shipped as part of this SRU),
especially the delta described in
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+attachment/5845545/+files/dep8-verifier.diff
* Execute the "ssh-gssapi" dep8 test:
$ autopkgtest -U openssh --apt-pocket=proposed=src:openssh --test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64
* Confirm the log contains 3 login attempts, with the final one using the "publickey" authentication method ("Accepted publickey for testuser..."):
"""
## Checking ssh logs to confirm publickey auth was used
Dec 14 22:44:16 sshd-gssapi.example.fake sshd-session[2213]: Accepted publickey for testuser2020-2 from 127.0.0.1 port 43364 ssh2: ED25519 SHA256:7vF3468XCZOawompwDThLsGsnPoUaP5Ki/3KaQLq/2M
## PASS test_gssapi_keyex_pubkey_fallback
"""
[ Test Plan 2 ]
* In addition to the codified test for this specific issue, we want
to confirm normal password and publickey login are still working as
expected.
* Enable "PasswordAuthentication yes" in /etc/ssh/sshd_config &
restart ssh.service
* Login using password, confirm success
* Copy public key over to system-under-test
* Enable "PubkeyAuthentication yes" in /etc/ssh/sshd_config & restart
* Login using private key, confirm success
[ Where problems could occur ]
* This SRU tweaks the authentication logic of OpenSSH, therefore it's
a high-impact change. If something goes wrong, it could lock people
out of their remote machines.
* The change has been deployed to Debian testing and Ubuntu Plucky
since October 2024, without major issues raised.
* I've added "[ Test Plan 2 ]" to confirm normal publickey & password
login is still working as expected
[ Other Info ]
* Fixed as of 1:9.9p1-2 (e.g. in Plucky)
* Rejected upstream, due to being a bug in the Debian delta:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
* Fixed in Debian by Colin Watson:
https://salsa.debian.org/ssh-team/openssh/-/commit/7d291bb
=== original bug report ===
Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH pubkey to our servers fails, while password and kerberos are still working.
$ssh user at server
sign_and_send_pubkey: internal error: initial hostkey not recorded
This seem related to the bugreport at openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssh-server 1:8.9p1-3ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-76.83-generic 5.15.99
Uname: Linux 5.15.0-76-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Thu Jul 20 17:25:01 2023
InstallationDate: Installed on 2020-08-24 (1060 days ago)
InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: openssh
UpgradeStatus: Upgraded to jammy on 2023-07-20 (0 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+subscriptions
More information about the foundations-bugs
mailing list