[Bug 559198] New: Previously working SSH passwordless public key login into 10.2 system fails.

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c0

Summary: Previously working SSH passwordless public key login into 10.2 system fails.
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: Other
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: raffo@cdi.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4

I just updated my desktop from 11.1 to 11.2. I have a remote system that ssh's into my desktop using a passwordless dsa key. This setup has always worked for me. After the upgrade, the connection fails every time the remote computer attempts to connect. The connection succeeds from this remote computer to other computers running other versions of openSUSE.

The following is the daemon log on my desktop:

Nov 30 11:11:48 mydesktop SuSEfirewall2: batch committing...
Nov 30 11:11:48 mydesktop SuSEfirewall2: Firewall rules unloaded.
Nov 30 11:13:15 mydesktop sshd[30402]: Received signal 15; terminating.
Nov 30 11:13:15 mydesktop sshd[28316]: Server listening on 0.0.0.0 port 22.
Nov 30 11:13:15 mydesktop sshd[28316]: Server listening on :: port 22.
Nov 30 11:13:39 mydesktop sshd[28316]: Received signal 15; terminating.
Nov 30 11:13:39 mydesktop sshd[28360]: debug1: Bind to port 22 on 0.0.0.0.
Nov 30 11:13:39 mydesktop sshd[28360]: Server listening on 0.0.0.0 port 22.
Nov 30 11:13:39 mydesktop sshd[28360]: debug1: Bind to port 22 on ::.
Nov 30 11:13:39 mydesktop sshd[28360]: Server listening on :: port 22.
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 30 11:13:44 mydesktop sshd[28360]: debug1: Forked child 28364.
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: inetd sockets after dupping: 3, 3
Nov 30 11:13:44 mydesktop sshd[28364]: Connection from 150.232.137.238 port 27382
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: Client protocol version 2.0; client software version OpenSSH_4.2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: match: OpenSSH_4.2 pat OpenSSH_4*
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: Enabling compatibility mode for protocol 2.0
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: Local version string SSH-2.0-OpenSSH_5.2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: PAM: initializing for "remusr"
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: PAM: setting PAM_RHOST to "nntau"
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: temporarily_use_uid: 3008/3001 (e=0/0)
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: trying public key file /usr2/users/remusr/.ssh/authorized_keys
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: fd 4 clearing O_NONBLOCK
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: restore_uid: 0/0
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: temporarily_use_uid: 3008/3001 (e=0/0)
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: trying public key file /usr2/users/remusr/.ssh/authorized_keys2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: restore_uid: 0/0
Nov 30 11:13:44 mydesktop sshd[28364]: Failed publickey for remusr from 150.232.137.238 port 27382 ssh2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: temporarily_use_uid: 3008/3001 (e=0/0)
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: trying public key file /usr2/users/remusr/.ssh/authorized_keys
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: fd 4 clearing O_NONBLOCK
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: matching key found: file /usr2/users/remusr/.ssh/authorized_keys, line 3
Nov 30 11:13:44 mydesktop sshd[28364]: Found matching DSA key: a3:ad:6d:b7:5e:12:73:2a:bd:40:1f:16:7c:26:6e:8f
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: restore_uid: 0/0
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: ssh_dss_verify: signature correct
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: do_pam_account: called
Nov 30 11:13:44 mydesktop sshd[28364]: Failed publickey for remusr from 150.232.137.238 port 27382 ssh2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: do_cleanup
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: PAM: cleanup

At the end of the log it indicates a failure with the public key. However, I'm using the same keys to ssh into other systems and the connection does not fail.

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c

Ludwig Nussel <lnussel@novell.com> changed:

What       |Removed                |Added
----------------------------------------------------------------------------
AssignedTo |security-team@suse.de  |anicka@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c1

--- Comment #1 from Rafael Herrera <raffo@cdi.com> 2009-12-01 19:34:41 UTC ---

The problem seems to be in the /etc/shadow file on my desktop computer. The user entry is:

rmon2:!:14571:0:99999:7:::

Apparently, my desktop's sshd daemon interprets this as the account being disabled. However, the logs above do not report that. After replacing the entry with:

rmon2:*:14571:0:99999:7:::

the remote system can log in as usual.

This is new behavior for SSHD and will break setups that had previously worked.

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c

Anna Bernathova <anicka@novell.com> changed:

What       |Removed                |Added
----------------------------------------------------------------------------
Priority   |P5 - None              |P3 - Medium
Status     |NEW                    |ASSIGNED

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c2

Michael Calmer <mc@novell.com> changed:

What       |Removed                |Added
----------------------------------------------------------------------------
CC         |                       |mc@novell.com

--- Comment #2 from Michael Calmer <mc@novell.com> 2009-12-04 10:57:38 UTC ---

This is a change in pam_unix2. There was a request (from the ssh people) that locked accounts (the ones with ! in the password) should be rejected.

But there are other problems with this change, so we decided to release a maintenance update which reverts this change. I hope this update will be available soon.

See also Bug #556077.
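
Added example (not part of the original bug report, and not SUSE or OpenSSH code): a Python check that tells the failure in this thread, where the key signature verifies and the rejection follows the PAM account check, apart from an ordinary key mismatch, and that classifies the shadow password field Comment #1 changed. The log lines are trimmed from the report above; the function names and verdict strings are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines trimmed from the sshd debug log in the report above.
SAMPLE_LOG = """\
Nov 30 11:13:44 mydesktop sshd[28364]: Failed publickey for remusr from 150.232.137.238 port 27382 ssh2
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: ssh_dss_verify: signature correct
Nov 30 11:13:44 mydesktop sshd[28364]: debug1: do_pam_account: called
Nov 30 11:13:44 mydesktop sshd[28364]: Failed publickey for remusr from 150.232.137.238 port 27382 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (?:debug\d: )?(.*)$")
PAM_REJECT = "key verified, rejected after PAM account check"
KEY_REJECT = "offered key not authorized or signature invalid"

def diagnose(log_text):
    """Return {pid: verdict} for sshd sessions with a failed publickey auth."""
    seen = defaultdict(set)      # pid -> markers seen since the last failure
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if re.match(r"ssh_\w+_verify: signature correct", msg):
            seen[pid].add("sig_ok")
        elif msg.startswith("do_pam_account: called"):
            seen[pid].add("pam")
        elif msg.startswith("Failed publickey for "):
            # Signature fine and PAM consulted: the account, not the key, failed.
            if seen[pid] >= {"sig_ok", "pam"}:
                verdicts[pid] = PAM_REJECT
            else:
                verdicts.setdefault(pid, KEY_REJECT)
            seen[pid].clear()
    return verdicts

def shadow_state(entry):
    """Classify the password field (second field) of one /etc/shadow line."""
    user, pw = entry.split(":")[:2]
    if pw.startswith("!"):
        return user, "locked"        # the case this thread reports as rejected
    if pw.startswith("*"):
        return user, "no-password"   # no usable hash; Comment #1's working entry
    return user, "empty" if pw == "" else "hash"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    for e in ("rmon2:!:14571:0:99999:7:::", "rmon2:*:14571:0:99999:7:::"):
        print(shadow_state(e))
```
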

http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=559198#c3

Anna Bernathova <anicka@novell.com> changed:

What       |Removed                |Added
----------------------------------------------------------------------------
Status     |ASSIGNED               |RESOLVED
Resolution |                       |DUPLICATE

--- Comment #3 from Anna Bernathova <anicka@novell.com> 2009-12-04 11:56:19 UTC ---

Closing as a duplicate of #556077.

*** This bug has been marked as a duplicate of bug 556077 ***
http://bugzilla.novell.com/show_bug.cgi?id=556077