[Bug 671820] New: ssh host-based authentication does not work for non root users
https://bugzilla.novell.com/show_bug.cgi?id=671820
https://bugzilla.novell.com/show_bug.cgi?id=671820#c0

Summary: ssh host-based authentication does not work for non root users
Classification: openSUSE
Product: openSUSE 11.4
Version: RC 1
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: gilles.sabourin@free.fr
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=413917)
 --> (http://bugzilla.novell.com/attachment.cgi?id=413917)
ssh client traces

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)

I have configured an openssh server and client to perform host-based authentication between one openSUSE 11.4 (milestone 5) installed in virtualbox 4.0.2 and openSUSE 11.3 on a laptop. This kind of authentication has ceased to work since milestone 6, and does not work for RC1 (openssh-5.8p1-3.1) for non-root users.

This always works for the root user, since the ssh client has enough access permissions to directly read the machine's private key. For a non-root user, the ssh client has no permission to read the machine's private key directly. In this case, this task is delegated to the keysign helper.

I'm trying to connect to an openssh 5.4 server. Here's a short exchange from the openssh 5.8 client:

gilles@gilles-vbureau:~> ssh gilles-portable
no matching hostkey found
ssh_keysign: no reply
key_sign failed
gilles@gilles-portable's password:

In the attachments, you'll find complete debug traces from the client, plus the ssh client and server configurations. Let me know if you want more information.

I can see many "debug1: permanently_drop_suid: 1000" lines in the ssh client's traces. I thought this was a security hardening, but I have not seen anything related to that in the 5.5 to 5.8 release notes. From a strict security point of view, that is OK since access is restricted to system access or the administrator user.
As a workaround, one can simply use user-based authentication for a few users, which does not require client or server configuration and is simpler to set up: the user's public key content simply has to be added to the server's /etc/ssh/ssh_known_hosts file.

Reproducible: Always

Steps to Reproduce:
1. Configure ssh host-based authentication on 2 hosts:
   * set /etc/hosts with the IP addresses of the 2 machines, simple host names and FQDN names (or configure a DNS server).
   * set /etc/hosts.equiv + .shosts (in the root account) with simple host names and FQDN names
   * set ssh_config and sshd_config (see attachments)
   * set the suid bit of ssh-keysign on the client host, with the command: chmod u+s /usr/lib/ssh/ssh-keysign
   * on the server, get the public key of the client: ssh-keyscan -t rsa <server FQDN> <server name> >> /etc/ssh/ssh_known_hosts
2. try to connect from the 11.4 ssh client with the command: "ssh <server>"
3. host-based authentication failed and server password is

Actual Results:
The ssh client asks the user for the ssh server password since no component can provide the host private key.

Expected Results:
The user should get his ssh session directly, without providing any password.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
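The setup steps in the report above, as an added example that is not part of the bug report and not openSUSE or OpenSSH code: a POSIX shell pre-flight that checks the configuration prerequisites for host-based authentication on both sides, so a non-root user can see which one is missing before reading debug traces. Everything is driven by file paths, so it can be pointed at the real /etc/ssh files or at copies. The fixture files, the FQDN gilles-vbureau.example.org and the key material are constructed for the example; the directive parser ignores Host/Match blocks, hashed known_hosts entries and hosts.equiv netgroups (assumptions, see the comments).

```shell
#!/bin/sh
# Added example, not code from the bug report or from openSUSE/OpenSSH.
# Offline pre-flight checks for OpenSSH host-based authentication. Assumptions
# not taken from the page: keywords are matched first-value-wins as ssh/sshd
# do, but Host/Match blocks are ignored; hashed known_hosts entries (|1|...)
# are not matched (use "ssh-keygen -F name -f file" for those); netgroups in
# hosts.equiv are not handled.

# cfg_value FILE KEY: print the first uncommented value of KEY in an
# ssh_config/sshd_config style file (case-insensitive keyword); print
# nothing if the keyword is absent.
cfg_value() {
    awk -v k="$2" '
        NF && $1 !~ /^#/ && tolower($1) == tolower(k) && v == "" { v = $2 }
        END { if (v != "") print v }' "$1"
}

# client_ready SSH_CONFIG KEYSIGN: succeed when a non-root user on the client
# can complete host-based auth: HostbasedAuthentication and EnableSSHKeysign
# are both "yes" in the system-wide ssh_config (ssh-keysign reads only that
# file, never ~/.ssh/config), and ssh-keysign is setuid so it can read the
# host private key on the user's behalf.
client_ready() {
    [ "$(cfg_value "$1" HostbasedAuthentication)" = yes ] || return 1
    [ "$(cfg_value "$1" EnableSSHKeysign)" = yes ] || return 1
    [ -u "$2" ] || return 1
}

# known_host_listed KNOWN_HOSTS NAME: succeed when NAME appears in the
# comma-separated hostname field of a plain (non-hashed) entry. sshd looks up
# the connecting client under the name(s) its address resolves to, so the
# short name and the FQDN usually both have to be present.
known_host_listed() {
    awk -v h="$2" '
        NF && $1 !~ /^[#|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# hosts_equiv_allows FILE NAME: succeed when NAME starts a non-comment line
# (a "-name" negation therefore does not match).
hosts_equiv_allows() {
    awk -v h="$2" '
        NF && $1 !~ /^#/ && $1 == h { found = 1; exit }
        END { if (found) exit 0; exit 1 }' "$1"
}

# server_ready SSHD_CONFIG KNOWN_HOSTS HOSTS_EQUIV CLIENT_NAME CLIENT_FQDN
server_ready() {
    [ "$(cfg_value "$1" HostbasedAuthentication)" = yes ] || return 1
    known_host_listed "$2" "$4" || return 1
    known_host_listed "$2" "$5" || return 1
    hosts_equiv_allows "$3" "$4" || return 1
}

# --- Constructed fixtures (not the reporter's attachments) so this runs offline.
DEMO=$(mktemp -d)
cat > "$DEMO/ssh_config" <<'EOF'
# system-wide client configuration
Host *
    HostbasedAuthentication yes
    EnableSSHKeysign yes
EOF
cat > "$DEMO/sshd_config" <<'EOF'
HostbasedAuthentication yes
IgnoreRhosts no
EOF
cat > "$DEMO/ssh_known_hosts" <<'EOF'
# the client's host key, listed under both names the server resolves it to
# (the FQDN and the key blob are made up for the example)
gilles-vbureau,gilles-vbureau.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleKEY=
EOF
printf 'gilles-vbureau\ngilles-vbureau.example.org\n' > "$DEMO/hosts.equiv"
: > "$DEMO/ssh-keysign"
chmod u+s,a+rx "$DEMO/ssh-keysign"   # stands in for the setuid helper

if client_ready "$DEMO/ssh_config" "$DEMO/ssh-keysign"; then
    echo "client: ready"
else
    echo "client: not ready (check EnableSSHKeysign and the setuid bit)"
fi
if server_ready "$DEMO/sshd_config" "$DEMO/ssh_known_hosts" "$DEMO/hosts.equiv" \
                gilles-vbureau gilles-vbureau.example.org; then
    echo "server: ready"
else
    echo "server: not ready"
fi
```

These checks cover configuration only, not the host key files, which only root can read. The "no matching hostkey found" line in the report is printed by ssh-keysign itself when the host key ssh handed it to sign with does not match any of the host private keys it managed to load, so once the checks above pass, that is where to look next.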
https://bugzilla.novell.com/show_bug.cgi?id=671820#c1
--- Comment #1 from Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c2
--- Comment #2 from Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
wei wang
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c3
Petr Cerny
https://bugzilla.novell.com/show_bug.cgi?id=671820#c4
Gilles Sabourin
https://bugzilla.novell.com/show_bug.cgi?id=671820#c
Petr Cerny
https://bugzilla.novell.com/show_bug.cgi?id=671820#c5
Michael Rutter
https://bugzilla.novell.com/show_bug.cgi?id=671820#c6
--- Comment #6 from Gilles Sabourin
From a security point of view, this new behavior is much more secure because it does not allow abuse of HostbasedAuthentication, which should be reserved only for system accounts. The former operation allowed unlimited access between 2 trusted hosts to ANY user account. But computer security has 2 components (human and machine) and can't rely solely on the machine: there is no security (no access control) where you allow everyone to go.

But this substantial semantic change should have been at least:
- documented in the openssh changelog or on the openssh web site and,
- well tested, so that this kind of "workaround" would simply not have been possible.

Now you should contact an openssh developer to confirm that this is the intended operation for openssh > 5.6. If this is the case, then this bug report can be turned against the openssh documentation and you can open a new bug report for the security leak.
https://bugzilla.novell.com/show_bug.cgi?id=671820#c7
--- Comment #7 from Michael Rutter
https://bugzilla.novell.com/show_bug.cgi?id=671820#c8
Rolf Krahl