Mailinglist Archive: opensuse-bugs (5916 mails)

[Bug 671820] New: ssh host-based authentication does not work for non root users
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 14 Feb 2011 18:33:23 +0000
  • Message-id: <bug-671820-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=671820

https://bugzilla.novell.com/show_bug.cgi?id=671820#c0


Summary: ssh host-based authentication does not work for non root users
Classification: openSUSE
Product: openSUSE 11.4
Version: RC 1
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: gilles.sabourin@xxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


Created an attachment (id=413917)
--> (http://bugzilla.novell.com/attachment.cgi?id=413917)
ssh client traces

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.13)
Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)

I have configured an openssh server and client to perform host-based
authentication between an openSUSE 11.4 (milestone 5) installed in VirtualBox
4.0.2 and openSUSE 11.3 on a laptop.

This kind of authentication has not worked since milestone 6, and does not work
in RC1 (openssh-5.8p1-3.1) for non-root users. It always works for the root user,
since the ssh client has enough permissions to read the machine's private key
directly. For a non-root user, the ssh client has no permission to read the
machine's private key directly; in this case, the task is delegated to the
keysign helper.

I'm trying to connect to an openssh 5.4 server. Here's a short exchange from an
openssh 5.8 client:

gilles@gilles-vbureau:~> ssh gilles-portable
no matching hostkey found
ssh_keysign: no reply
key_sign failed
gilles@gilles-portable's password:

In the attachments, you'll find complete debug traces from the client, and the
ssh client and server configurations. Let me know if you want more information.

I can see many "debug1: permanently_drop_suid: 1000" lines in the ssh client's
traces. I thought this was a security hardening, but I have not seen anything
related to it in the 5.5 to 5.8 release notes. From a strict security point of
view, that is OK, since access is restricted to the system or administrator user.

As a workaround, one can simply use user-based authentication for a few users,
which does not require client or server configuration and is simpler to set up:
the user's public key simply has to be added to the server's
/etc/ssh/ssh_known_hosts file.


Reproducible: Always

Steps to Reproduce:
1. Configure ssh host-based authentication on 2 hosts:
* set /etc/hosts with the IP addresses of the 2 machines, simple host names and
FQDN names (or configure a DNS server).
* set /etc/hosts.equiv + .shosts (in the root account) with simple host names and
FQDN names
* set ssh_config and sshd_config (see attachments)
* set the suid bit of ssh-keysign on the client host, with the command:
chmod u+s /usr/lib/ssh/ssh-keysign
* on the server, get the public key of the client:
ssh-keyscan -t rsa <server FQDN> <server name> >> \
/etc/ssh/ssh_known_hosts
2. try to connect from the 11.4 ssh client with the command: "ssh <server>"
3. host-based authentication failed and server password is
Actual Results:
The ssh client asks the user for the ssh server password, since no component can
provide the host private key.


Expected Results:
The user should get his ssh session directly, without providing any password.

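As an added example, not part of the bug report or of openSUSE's packaging: a POSIX shell script that checks, offline against constructed sample files, the three things the steps above set up for a non-root user. The server's ssh_known_hosts must carry the client's host public key under the name the server resolves the client to, the client's ssh_config must enable HostbasedAuthentication and EnableSSHKeysign (the latter is only honoured outside a Host block), and ssh-keysign must be setuid root. The hostnames gilles-vbureau and gilles-portable are taken from the report; the example.org FQDN, the temporary file paths and the key blob are placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the bug report: check the pieces that OpenSSH
# host-based authentication needs for a non-root user, against constructed
# sample files (hostnames from the report; the key blob is a placeholder).

# 1. The server's /etc/ssh/ssh_known_hosts must list the CLIENT's host
#    public key under the name the server resolves the client to.
#    Usage: known_host_has_key KNOWN_HOSTS_FILE HOSTNAME HOST_PUBKEY_FILE
known_host_has_key() {
    kh=$1; host=$2; pub=$3
    # "keytype base64" of the client's host key; the comment field is ignored
    want=$(awk '{ print $1, $2; exit }' "$pub")
    # known_hosts line: "name1,name2 keytype base64 [comment]"
    awk -v host="$host" -v want="$want" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host && ($2 " " $3) == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$kh"
}

# 2. ssh-keysign must be setuid root; without it a non-root user's ssh
#    cannot get the host key signed (the "ssh_keysign: no reply" symptom).
keysign_is_setuid() {
    [ -u "$1" ]
}

# 3. ssh_config must enable both HostbasedAuthentication and EnableSSHKeysign.
ssh_config_ok() {
    grep -Eiq '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*EnableSSHKeysign[[:space:]]+yes' "$1"
}

# --- constructed sample files (placeholders, not a real deployment) -------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Placeholder client host key; a real RSA blob is far longer.
KEYBLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample/placeholder/not/a/real/key=='
printf 'ssh-rsa %s root@gilles-vbureau\n' "$KEYBLOB" > "$DEMO/ssh_host_rsa_key.pub"

# Server-side ssh_known_hosts listing the client under short name and FQDN
printf 'gilles-vbureau,gilles-vbureau.example.org ssh-rsa %s\n' "$KEYBLOB" \
    > "$DEMO/ssh_known_hosts"

# Client-side ssh_config; EnableSSHKeysign sits outside any Host block
cat > "$DEMO/ssh_config" <<'EOF'
EnableSSHKeysign yes

Host gilles-portable
    HostbasedAuthentication yes
EOF

# Stand-in for /usr/lib/ssh/ssh-keysign, deliberately WITHOUT the setuid bit
: > "$DEMO/ssh-keysign"

for check in \
    "known_host_has_key $DEMO/ssh_known_hosts gilles-vbureau $DEMO/ssh_host_rsa_key.pub" \
    "ssh_config_ok $DEMO/ssh_config" \
    "keysign_is_setuid $DEMO/ssh-keysign"
do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

The last check fails on purpose: it is the state before the "chmod u+s /usr/lib/ssh/ssh-keysign" step of the report, and is exactly the precondition that separates the root case (which reads the host private key directly) from the non-root case (which must go through the helper). Pointed at the real paths, the same three functions give a quick triage before reading the full debug trace.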
