https://bugzilla.novell.com/show_bug.cgi?id=671820
https://bugzilla.novell.com/show_bug.cgi?id=671820#c0

           Summary: ssh host-based authentication does not work for non root users
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: RC 1
          Platform: x86
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: gilles.sabourin@free.fr
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

Created an attachment (id=413917)
 --> (http://bugzilla.novell.com/attachment.cgi?id=413917)
ssh client traces

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)

I have configured an openssh server and client to perform host-based authentication between one openSUSE 11.4 (milestone 5) installed in VirtualBox 4.0.2 and openSUSE 11.3 on a laptop. This kind of authentication has ceased to work since milestone 6, and does not work in RC1 (openssh-5.8p1-3.1) for a non-root user.

This always works for the root user, since the ssh client has enough access permissions to read the machine's private key directly. For a non-root user, the ssh client has no permission to read the machine's private key directly; in this case, the task is delegated to the keysign helper.

I'm trying to connect to an openssh 5.4 server. Here's a short exchange from the openssh 5.8 client:

gilles@gilles-vbureau:~> ssh gilles-portable
no matching hostkey found
ssh_keysign: no reply
key_sign failed
gilles@gilles-portable's password:

In the attachments, you'll find complete debug traces from the client, and the ssh client and server configurations. Let me know if you want more information.

I can see many "debug1: permanently_drop_suid: 1000" lines in the ssh client's traces. I thought this was a security hardening, but I have not seen anything related to that in the 5.5 to 5.8 release notes. From a strict security point of view, that is OK since access is restricted to system access or the administrator user.
As a workaround, one can simply use user-based authentication for a few users, which does not require client or server configuration and is simpler to set up: the user's public key content simply has to be added to the server's /etc/ssh/ssh_known_hosts file.

Reproducible: Always

Steps to Reproduce:
1. Configure ssh host-based authentication on 2 hosts:
   * set /etc/hosts with the IP addresses of the 2 machines, simple host names and FQDN names (or configure a DNS server).
   * set /etc/hosts.equiv + .shosts (in the root account) with simple host names and FQDN names
   * set ssh_config and sshd_config (see attachments)
   * set the suid bit of ssh-keysign on the client host, with the command:
     chmod u+s /usr/lib/ssh/ssh-keysign
   * on the server, get the public key of the client:
     ssh-keyscan -t rsa <server FQDN> <server name> >> /etc/ssh/ssh_known_hosts
2. try to connect from the 11.4 ssh client with the command: "ssh <server>"
3. host-based authentication failed and server password is

Actual Results:
The ssh client asks the user for the ssh server password, since no component can provide the host private key.

Expected Results:
The user should get his ssh session directly, without providing any password.
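As an added example that is not part of the bug report or of openSUSE's packaging, here is a small POSIX shell pre-flight check for the client-side prerequisites the steps above list: HostbasedAuthentication and EnableSSHKeysign in ssh_config, an executable ssh-keysign carrying the set-user-ID bit, and ssh_known_hosts entries for the server under both its short name and its FQDN. It builds its own constructed sandbox files (placeholder host names server1 / server1.example.net and a placeholder key blob) so it runs offline; the function names and the file layout are assumptions of the example, not anything taken from the attachments.

```shell
#!/bin/sh
# Added example (not from the bug report): a client-side pre-flight check for
# the host-based authentication prerequisites listed in the steps above.
# Every path it inspects is built in a temporary directory by make_sandbox,
# so it runs offline; point the functions at the real files to use it for real.

# config_has FILE DIRECTIVE VALUE
# True if the first non-comment occurrence of DIRECTIVE in an ssh_config /
# sshd_config style file has VALUE (keywords are case-insensitive, as in ssh).
config_has() {
    val=$(awk -v d="$2" 'tolower($1) == tolower(d) { print tolower($2); exit }' "$1")
    [ "$val" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# keysign_ok PATH
# ssh-keysign signs the hostbased challenge on behalf of a non-root user, so
# it must be executable with the set-user-ID bit (the report's "chmod u+s").
keysign_ok() {
    [ -x "$1" ] && [ -u "$1" ]
}

# known_hosts_has FILE NAME...
# True if every NAME appears in the comma-separated host field of some
# non-comment line of a plain (unhashed) ssh_known_hosts file. The server
# must be findable under both its short name and its FQDN.
known_hosts_has() {
    file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '
            $1 !~ /^#/ { split($1, a, ","); for (i in a) if (a[i] == n) found = 1 }
            END { exit !found }' "$file" || return 1
    done
    return 0
}

# check_hostbased_client SSH_CONFIG KEYSIGN KNOWN_HOSTS SHORT_NAME FQDN
# Runs all checks, reports each failure, and returns 0 only if all pass.
check_hostbased_client() {
    rc=0
    config_has "$1" HostbasedAuthentication yes \
        || { echo "$1: HostbasedAuthentication is not yes"; rc=1; }
    config_has "$1" EnableSSHKeysign yes \
        || { echo "$1: EnableSSHKeysign is not yes"; rc=1; }
    keysign_ok "$2" \
        || { echo "$2: not an executable with the set-user-ID bit"; rc=1; }
    known_hosts_has "$3" "$4" "$5" \
        || { echo "$3: no entry for both $4 and $5"; rc=1; }
    return $rc
}

# make_sandbox: constructed files standing in for the real ones; prints the dir.
# Host names and the key blob are placeholders, not the reporter's values.
make_sandbox() {
    d=$(mktemp -d)
    cat > "$d/ssh_config" <<'EOF'
# constructed client config
Host *
    HostbasedAuthentication yes
    EnableSSHKeysign yes
EOF
    cat > "$d/ssh_known_hosts" <<'EOF'
# constructed: the key field is a placeholder, not a real key
server1,server1.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAPLACEHOLDER
EOF
    : > "$d/ssh-keysign"
    chmod u+x,u+s "$d/ssh-keysign"
    printf '%s\n' "$d"
}

# Demonstration: the sandbox passes, then fails once the suid bit is dropped.
sandbox=$(make_sandbox)
check_hostbased_client "$sandbox/ssh_config" "$sandbox/ssh-keysign" \
    "$sandbox/ssh_known_hosts" server1 server1.example.net \
    && echo "all prerequisites present"
chmod u-s "$sandbox/ssh-keysign"
check_hostbased_client "$sandbox/ssh_config" "$sandbox/ssh-keysign" \
    "$sandbox/ssh_known_hosts" server1 server1.example.net \
    || echo "check failed as expected after removing the suid bit"
```

Pointed at the real /etc/ssh/ssh_config, /usr/lib/ssh/ssh-keysign and /etc/ssh/ssh_known_hosts, the check says which prerequisite is missing before anyone reads a full -vvv trace. A passing check narrows a symptom like the one in the report to the helper itself: ssh-keysign prints "no matching hostkey found" when none of the host private keys it managed to load matches the key the client handed it, so the next thing to verify is whether the setuid helper can actually read /etc/ssh/ssh_host_*_key.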