Package: openssh-server
Version: 1:8.4p1-5+deb11u3
Severity: important
X-Debbugs-Cc: vdanj...@debian.org

  Hi,

  In a Kerberos environment, I'm gradually migrating machines from
bullseye to bookworm. Doing this, I observe a regression concerning
openssh-server.

  OpenSSH is configured to allow Kerberos authentication.
sshd_config has the following lines:
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
and ssh_config has the following lines:
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

  When trying to log in from a Kerberos account into a remote local
(non-Kerberos) account with a public key, it works on bullseye machines,
but on bookworm machines I get the following error:
$ ssh -v -l remote-local-login bookworm-machine
[...]
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/local.conf
debug1: /etc/ssh/ssh_config.d/local.conf line 6: Applying options for *
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to bookworm-machine.domain.fr [10.0.0.3] port 22.
debug1: Connection established.
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_rsa type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_rsa-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519 type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_xmss type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_xmss-cert type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_dsa type -1
debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bookworm-machine.domain.fr:22 as 'remote-local-login'
debug1: load_hostkeys: fopen /home/domain.fr/kerberos-user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Offering GSSAPI proposal: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-group16-sha512-eipGX3TCiQSrx573bT1o1Q==,gss-nistp256-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-curve25519-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Rekey has happened - updating saved versions
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: kerberos-u...@domain.fr@di3937su RSA SHA256:LVQ9Rw8lBcFd5DPN0NXfU8Heo2+7sBrEhzkTdNgcDVA agent
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_rsa
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ecdsa
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ed25519
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_xmss
debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: 
server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,webauthn-sk-ecdsa-sha2-nistp...@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbo...@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: kerberos-u...@domain.fr@di3937su RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
debug1: Server accepts key: kerberos-u...@domain.fr@di3937su RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
sign_and_send_pubkey: internal error: initial hostkey not recorded

  Reading https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282
and https://bugzilla.mindrot.org/show_bug.cgi?id=3406
I work around this bug by running my command prefixed with 'env KRB5CCNAME="" ssh ...'

  The bugzilla bug report suggests a fix (I did not try it).

  Regards,
    Vincent

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-security
  APT policy: (990, 'oldstable-security'), (990, 'oldstable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.13-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118+deb11u1
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.13
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-13+deb11u7
ii  libcom-err2            1.46.2-2
ii  libcrypt1              1:4.4.18-4
ii  libgssapi-krb5-2       1.18.3-6+deb11u4
ii  libkrb5-3              1.18.3-6+deb11u4
ii  libpam-modules         1.4.0-9+deb11u1
ii  libpam-runtime         1.4.0-9+deb11u1
ii  libpam0g               1.4.0-9+deb11u1
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1w-0+deb11u1
ii  libsystemd0            247.3-7+deb11u4
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-5+deb11u3
ii  openssh-sftp-server    1:8.4p1-5+deb11u3
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-7+deb11u4
ii  ncurses-term             6.2+20201114-2+deb11u2
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
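Added example, not part of the bug report above and not Debian or OpenSSH code: a small POSIX sh wrapper that recognises the failure signature shown in the report (a `gss-*` key-exchange algorithm negotiated, then `sign_and_send_pubkey: internal error: initial hostkey not recorded` during publickey auth) in an `ssh -v` transcript, and in that case retries with `KRB5CCNAME=""` exactly as the reporter's workaround does. The function and variable names (`classify_ssh_log`, `ssh_with_fallback`, `SAMPLE_LOG`) are my own; the sample transcript is constructed from lines quoted in the report. It does not change any sshd_config or ssh_config setting and makes no claim about the fix proposed in the bugzilla ticket.

```shell
#!/bin/sh
# Added example for this bug report (assumed names, not part of the report).
# Detect the "GSSAPI kex + publickey" failure in an `ssh -v` transcript and
# retry with the Kerberos credential cache hidden, as the reporter does.

# Read an `ssh -v` transcript on stdin.
# Return 0 only if BOTH markers from the report are present:
#   - a GSSAPI key-exchange algorithm was negotiated ("kex: algorithm: gss-...")
#   - publickey auth aborted with "initial hostkey not recorded"
# Return 1 for any other transcript (e.g. a normal curve25519 kex).
classify_ssh_log() {
    gss_kex=0
    hostkey_err=0
    while IFS= read -r line; do
        case "$line" in
            *"kex: algorithm: gss-"*)            gss_kex=1 ;;
            *"initial hostkey not recorded"*)    hostkey_err=1 ;;
        esac
    done
    [ "$gss_kex" -eq 1 ] && [ "$hostkey_err" -eq 1 ]
}

# Run ssh once with -v, capturing the debug output. If it fails with the
# signature above, rerun with KRB5CCNAME="" so the client has no Kerberos
# credentials to use for GSSAPI key exchange (the workaround from the report).
# Any other failure is reported unchanged.
# Usage: ssh_with_fallback -l remote-local-login bookworm-machine
ssh_with_fallback() {
    log=$(mktemp) || return 1
    rc=0
    ssh -v "$@" 2>"$log" || rc=$?
    if [ "$rc" -ne 0 ]; then
        if classify_ssh_log <"$log"; then
            echo 'ssh_with_fallback: GSSAPI kex + publickey failure detected, retrying with KRB5CCNAME=""' >&2
            rc=0
            env KRB5CCNAME="" ssh "$@" || rc=$?
        else
            # Not the known signature: show the captured stderr so nothing is hidden.
            cat "$log" >&2
        fi
    fi
    rm -f "$log"
    return "$rc"
}

# Constructed sample transcript, abridged from the ssh -v output in the report.
SAMPLE_LOG='debug1: kex: algorithm: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
debug1: Next authentication method: publickey
sign_and_send_pubkey: internal error: initial hostkey not recorded'

# Stand-alone demonstration on the constructed transcript.
if printf '%s\n' "$SAMPLE_LOG" | classify_ssh_log; then
    echo "sample transcript matches the GSSAPI kex + publickey failure signature"
else
    echo "sample transcript does not match"
fi
```

Because the wrapper only retries on this one signature, it does not silently mask unrelated authentication failures; note that the retry still goes through `ssh -v`'s normal host-key checks, and that hiding the credential cache also disables GSSAPI credential delegation for that session.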
