Package: libpam-ssh-agent-auth
Version: 0.10.3-3+b1
Severity: important
Tags: upstream

Dear Maintainer,

Please help me confirm the following to be a bug in libpam-ssh-agent-auth. I am not 100% sure if it is. It may as well be a fault in openssh-client, as that runs the SSH agent. But I can't prove it.

* What led up to the situation?

  - Bought a new Yubikey 5 (F/W 5.2.3) that supports Elliptic Curve keys.

* What exactly did you do (or not do) that was effective (or ineffective)?

  - On the client machine I created a new GPG key of the EC type, Curve 25519, and put that on a Yubikey.
  - Exported the SSH public key from the GPG key and added that to the `~/.ssh/authorized_keys` file on the target machine.
  - On the target machine I inserted the following in `/etc/pam.d/sudo`:

        auth sufficient pam_ssh_agent_auth.so debug file=~/.ssh/authorized_keys

  - And created a file `/etc/sudoers.d/00_SSH_AUTH_OK` with these contents:

        Defaults env_keep += SSH_AUTH_SOCK

  - I logged in using SSH from the source machine. After I verified that the ssh-agent was forwarded properly (using `ssh-add -l`) I tried to `sudo ls`.
  - After pressing `<CTRL>-<C>` at the password prompt of `sudo` and repeating the `sudo ls` command multiple times, it succeeds.
  - When using another Yubikey with an RSA key on it, the exact same configuration works without any failure.

* What was the outcome of this action?

  - sudo asked for my password.
  - `/var/log/auth.log` contains:

        Aug 31 16:29:05 buster sshd[1093]: rexec line 26: Deprecated option UsePrivilegeSeparation
        Aug 31 16:29:05 buster sshd[1093]: Accepted publickey for alex from 172.17.2.83 port 54290 ssh2: ED25519 SHA256:2jvA...
        Aug 31 16:29:05 buster sshd[1093]: pam_unix(sshd:session): session opened for user alex by (uid=0)
        Aug 31 16:29:05 buster systemd-logind[419]: New session 9 of user alex.
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user alex
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Attempting authentication: `alex' as `alex' using /home/alex/.ssh/authorized_keys
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Contacted ssh-agent of user alex (1000)
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: trying public key file /home/alex/.ssh/authorized_keys
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: auth_secure_filename: checking for uid: 1000
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename: checking '/home/alex/.ssh'
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename: checking '/home/alex'
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename: terminating check at '/home/alex'
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_read: type mismatch expected 4 found 1
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: user_key_allowed: check options: 'ssh-rsa AAAAB3Nza...Some RSA key
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_type_from_name: unknown key type 'AAAAB3Nza...Some RSA key
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_read: missing keytype
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: user_key_allowed: advance: 'AAAAB3Nza...Some RSA key
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: matching key found: file/command /home/alex/.ssh/authorized_keys, line 2
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Found matching ED25519 key: 45:3f:...More fingerprint
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Agent admitted failure to sign using the key.
        Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Failed Authentication: `alex' as `alex' using /home/alex/.ssh/authorized_keys

  - The log looks the same when sudo succeeds (after trying several times), except for the last part:

        Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: matching key found: file/command /home/alex/.ssh/authorized_keys, line 2
        Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: Found matching ED25519 key: 45:3f:...More fingerprint
        Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: ssh_ed25519_verify: signature correct
        Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: Authenticated: `alex' as `alex' using /home/alex/.ssh/authorized_keys

* What outcome did you expect instead?

  - I expected to have my Yubikey flashing and, after I touched it, get `ls` executed as `root` without being asked for a password, after the first time I tried.
  - I expected that authentication would work the exact same way as with RSA keys.

-- System Information:
(The versions are exactly the same on both client and server)
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-ssh-agent-auth depends on:
ii  libc6      2.28-10
ii  libpam0g   1.3.1-5
ii  libssl1.1  1.1.1d-0+deb10u3

libpam-ssh-agent-auth recommends no packages.

libpam-ssh-agent-auth suggests no packages.

These are the versions of the ssh packages. I can imagine that the bug is from openssh-client rather than libpam-ssh-agent-auth since it's the agent that fails to sign. I honestly don't know how to prove that.

ii  openssh-client  1:7.9p1-10+deb10u2  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server  1:7.9p1-10+deb10u2  amd64  secure shell (SSH) server, for secure access from remote machines

-- no debconf information
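The report asks how to show whether the forwarded agent itself refuses to sign. The script below is an added diagnostic, not part of the bug report or of either package: it speaks the ssh-agent protocol directly over the forwarded SSH_AUTH_SOCK, lists the agent's identities, and asks it to sign a constructed random challenge with the ed25519 key, which is the request pam_ssh_agent_auth makes just before it logs "Agent admitted failure to sign using the key". The function names and the 32-byte challenge are the example's own assumptions.

```python
import os, secrets, socket, struct
# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
AGENTC_REQUEST_IDENTITIES, AGENT_IDENTITIES_ANSWER = 11, 12
AGENTC_SIGN_REQUEST, AGENT_SIGN_RESPONSE, AGENT_FAILURE = 13, 14, 5

def ssh_string(b):          # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):  # -> (bytes, offset just past the string)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(msg):
    """IDENTITIES_ANSWER body (type byte + payload) -> [(keytype, blob, comment)]."""
    if msg[0] != AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply type %d" % msg[0])
    nkeys, off, keys = struct.unpack(">I", msg[1:5])[0], 5, []
    for _ in range(nkeys):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((read_string(blob, 0)[0].decode(), blob, comment.decode("utf-8", "replace")))
    return keys

def build_sign_request(blob, data, flags=0):
    """SIGN_REQUEST body: type byte, string key blob, string data, uint32 flags."""
    return bytes([AGENTC_SIGN_REQUEST]) + ssh_string(blob) + ssh_string(data) + struct.pack(">I", flags)

def classify_sign_reply(msg):
    if msg[0] == AGENT_SIGN_RESPONSE:
        return "signed"
    if msg[0] == AGENT_FAILURE:  # what pam_ssh_agent_auth logs as "Agent admitted failure to sign"
        return "agent refused to sign"
    return "unexpected reply type %d" % msg[0]

def agent_call(sock, body):
    """Send one length-framed request and return the reply body (type byte + payload)."""
    sock.sendall(ssh_string(body))
    n = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))[0]
    return sock.recv(n, socket.MSG_WAITALL)

def probe_agent(path, keytype="ssh-ed25519"):
    """Ask the agent at path to sign a random 32-byte challenge with its first keytype key."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        for kt, blob, _ in parse_identities(agent_call(s, bytes([AGENTC_REQUEST_IDENTITIES]))):
            if kt == keytype:
                return classify_sign_reply(agent_call(s, build_sign_request(blob, secrets.token_bytes(32))))
    return None  # no key of that type loaded in the agent
if __name__ == "__main__":  # run on the target host, in the session where sudo fails
    print(probe_agent(os.environ["SSH_AUTH_SOCK"]))
```

If the script prints "agent refused to sign" on the first try and "signed" on a later one, the intermittent failure is reproduced without sudo or the PAM module involved, which narrows it to the forwarded agent.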