** Description changed:
- Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH
- pubkey to our servers fails, while password and kerberos are still
- working.
+ [ Impact ]
+
+ * Login with publickey fails when openssh server is configured to use
+ GSSAPI authentication, too. Error: "sign_and_send_pubkey: internal
+ error: initial hostkey not recorded"
+
+ * To trigger it, one needs to (a) perform a successful GSSAPI key
+ exchange, (b) attempt public key authentication.
+
+ * In addition, the client and the server must both have the hostbound
+ authentication protocol extension enabled for the problem to manifest
+ itself (On by default).
+
+ * This is not a very common combination, but it can happen if one has
+ Kerberos credentials for the correct realm but the wrong user, and a
+ private key for the right user.
+
+ * This SRU fixes this by adding an additional
+ "ssh->kex->initial_hostkey != NULL" check in
+ sshconnect2.c:sign_and_send_pubkey(), as suggested by upstream in
+ https://bugzilla.mindrot.org/show_bug.cgi?id=3406 (comment 2).
+
+ [ Test Plan ]
+
+ The reproducer was codified in autopkgtests, thanks to Colin Watson!
+
+ * Make sure to have the latest debian/tests/ssh-gssapi test case
+ (included as of 1:9.9p1-2, and shipped as part of this SRU), especially
+ the delta described in
+
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+attachment/5845545/+files/dep8-verifier.diff
+
+ * Execute the "ssh-gssapi" dep8 test:
+ $ autopkgtest -U openssh --apt-pocket=proposed=src:openssh
--test-name=ssh-gssapi -- lxd autopkgtest/ubuntu/oracular/amd64
+
+ * Confirm the log contains 3 login attempts, with the final one using the
"publickey" authentication method ("Accepted publickey for testuser..."):
+ """
+ ## Checking ssh logs to confirm publickey auth was used
+ Dec 14 22:44:16 sshd-gssapi.example.fake sshd-session[2213]: Accepted
publickey for testuser2020-2 from 127.0.0.1 port 43364 ssh2: ED25519
SHA256:7vF3468XCZOawompwDThLsGsnPoUaP5Ki/3KaQLq/2M
+ ## PASS test_gssapi_keyex_pubkey_fallback
+ """
+
+ [ Test Plan 2 ]
+
+ * In addition to the codified test for this specific issue, we want to
+ confirm normal password and publickey login are still working as
+ expected.
+
+ * Enable "PasswordAuthentication yes" in /etc/ssh/sshd_config & restart
+ ssh.service
+
+ * Login using password, confirm success
+
+ * Copy public key over to system-under-test
+
+ * Enable "PubkeyAuthentication yes" in /etc/ssh/sshd_config & restart
+
+ * Login using private key, confirm success
+
+ [ Where problems could occur ]
+
+ * This SRU tweaks the authentication logic of OpenSSH, therefore it's a
+ high-impact change. If something goes wrong, it could lock people out of
+ their remote machines.
+
+ * The change has been deployed to Debian testing and Ubuntu Plucky
+ since October 2024, without major issues raised.
+
+ * I've added "[ Test Plan 2 ]" to confirm normal publickey & password
+ login is still working as expected
+
+ [ Other Info ]
+
+ * Fixed as of 1:9.9p1-2 (e.g. in Plucky)
+
+ * Rejected upstream, due to being a bug in the Debian delta:
+ https://bugzilla.mindrot.org/show_bug.cgi?id=3406
+
+ * Fixed in Debian by Colin Watson:
+ https://salsa.debian.org/ssh-team/openssh/-/commit/7d291bb
+
+ === original bug report ===
+ Since the upgrade from Ubuntu 20.04 to 22.04 the SSH login via a SSH pubkey
to our servers fails, while password and kerberos are still working.
$ssh user@server
- sign_and_send_pubkey: internal error: initial hostkey not recorded
+ sign_and_send_pubkey: internal error: initial hostkey not recorded
This seem related to the bugreport at openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openssh-server 1:8.9p1-3ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-76.83-generic 5.15.99
Uname: Linux 5.15.0-76-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Thu Jul 20 17:25:01 2023
InstallationDate: Installed on 2020-08-24 (1060 days ago)
InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64
(20200731)
SourcePackage: openssh
UpgradeStatus: Upgraded to jammy on 2023-07-20 (0 days ago)
** Changed in: openssh (Ubuntu Oracular)
Assignee: (unassigned) => Lukas Märdian (slyon)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2028282
Title:
[SRU] SSH pubkey authetication fails when GSSAPI enabled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
