[Bug 671820] New: ssh host-based authentication does not work for non root users
https://bugzilla.novell.com/show_bug.cgi?id=671820
https://bugzilla.novell.com/show_bug.cgi?id=671820#c0

Summary: ssh host-based authentication does not work for non root users
Classification: openSUSE
Product: openSUSE 11.4
Version: RC 1
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: gilles.sabourin@free.fr
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=413917) --> (http://bugzilla.novell.com/attachment.cgi?id=413917)
ssh client traces

I have configured an openssh server and client to perform host-based authentication between one openSUSE 11.4 (milestone 5) installed in VirtualBox 4.0.2 and openSUSE 11.3 on a laptop. This kind of authentication has ceased to work since milestone 6, and does not work in RC1 (openssh-5.8p1-3.1) for non-root users. It always works for the root user, since the ssh client has enough access permissions to read the machine's private key directly. For a non-root user, the ssh client has no permission to read the machine's private key directly; in this case, the task falls to the keysign helper. I'm trying to connect to an openssh 5.4 server.

Here's a short exchange from the openssh 5.8 client:

    gilles@gilles-vbureau:~> ssh gilles-portable
    no matching hostkey found
    ssh_keysign: no reply
    key_sign failed
    gilles@gilles-portable's password:

In the attachments, you'll find complete debug traces from the client, and the ssh client and server configurations. Let me know if you want more information.

I can see many "debug1: permanently_drop_suid: 1000" in the ssh client's traces. I thought this was a security hardening, but I have not seen anything related to that in the 5.5 to 5.8 release notes. From a strict security point of view, that is OK, since access is restricted to system access or the administrator user.

As a workaround, one can simply use user-based authentication for a few users, which does not require client or server configuration and is simpler to set up: the user's public key content simply has to be added to the server's /etc/ssh/ssh_known_hosts file.

Reproducible: Always

Steps to Reproduce:
1. Configure ssh host-based authentication on 2 hosts:
   * set /etc/hosts with the IP addresses of the 2 machines, simple host names and FQDN names (or configure a DNS server).
   * set /etc/hosts.equiv + .shosts (in the root account) with simple host names and FQDN names
   * set ssh_config and sshd_config (see attachments)
   * set the suid bit of ssh-keysign on the client host, with the command:
         chmod u+s /usr/lib/ssh/ssh-keysign
   * on the server, get the public key of the client:
         ssh-keyscan -t rsa <server FQDN> <server name> >> \
             /etc/ssh/ssh_known_hosts
2. Try to connect from the 11.4 ssh client with the command: "ssh <server>"
3. Host-based authentication failed and server password is

Actual Results:
The ssh client asks the user for the ssh server password, since no component can provide the host private key.

Expected Results:
The user should get his ssh session directly, without providing any password.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Gilles Sabourin <gilles.sabourin@free.fr> 2011-02-14 18:34:54 UTC ---
Created an attachment (id=413918) --> (http://bugzilla.novell.com/attachment.cgi?id=413918)
ssh client configuration (openSUSE 11.4, openssh 5.8p1)

--- Comment #2 from Gilles Sabourin <gilles.sabourin@free.fr> 2011-02-14 18:36:18 UTC ---
Created an attachment (id=413919) --> (http://bugzilla.novell.com/attachment.cgi?id=413919)
ssh server configuration (openSUSE 11.3, openssh 5.4p1)
Gilles Sabourin <gilles.sabourin@free.fr> changed:
    Summary: "ssh host-based authentication does not work for non root users" -> "ssh host-based authentication does not work for non-root users"

Gilles Sabourin <gilles.sabourin@free.fr> changed:
    Attachment #413918 mime type: application/octet-stream -> text/plain

Gilles Sabourin <gilles.sabourin@free.fr> changed:
    Attachment #413919 mime type: application/octet-stream -> text/plain

wei wang <wewang@novell.com> changed:
    CC: added wewang@novell.com
    AssignedTo: bnc-team-screening@forge.provo.novell.com -> pcerny@novell.com

Gilles Sabourin <gilles.sabourin@free.fr> changed:
    Priority: P5 - None -> P2 - High
Petr Cerny <pcerny@novell.com> changed:
    Status: NEW -> NEEDINFO
    Platform: x86 -> All
    InfoProvider: added gilles.sabourin@free.fr
    OS/Version: Other -> openSUSE 11.4

--- Comment #3 from Petr Cerny <pcerny@novell.com> 2011-05-12 21:15:32 UTC ---
Hello Gilles,

I'm sorry it took me so long - this bug just disappeared from my radar.

For some reason, the helper application ssh-keysign, which regular users need to access the client machine's private keys, is not setuid anymore. Please try

    $ chmod 4711 /usr/lib64/ssh/ssh-keysign

and let me know whether this fixes the problem for you.

Gilles Sabourin <gilles.sabourin@free.fr> changed:
    Status: NEEDINFO -> NEW
    InfoProvider: removed gilles.sabourin@free.fr

--- Comment #4 from Gilles Sabourin <gilles.sabourin@free.fr> 2011-05-13 06:04:46 UTC ---
Hello Petr,

I was already aware of the suid setting of the ssh-keysign helper, since I mentioned it in the "Steps to reproduce" part. However, I have tested again with "chmod 4711" instead of "chmod u+s", and this still does not work.

I guess the openssh developers have enhanced their security mechanisms, since I have noticed many "debug1: permanently_drop_suid: 1000" in the ssh client's traces: maybe the suid setting is not enough anymore.
Petr Cerny <pcerny@novell.com> changed:
    Status: NEW -> ASSIGNED

Michael Rutter <mjr19@cam.ac.uk> changed:
    CC: added mjr19@cam.ac.uk

--- Comment #5 from Michael Rutter <mjr19@cam.ac.uk> 2011-05-23 16:36:07 UTC ---
I seem to have suffered something similar moving from OpenSuSE 11.3 to 11.4. Working through various openssh versions, the change occurs between 5.6 and 5.7, and, for me at least, a quick and dirty fix is to move / remove / hide the /etc/ssh/*ecdsa* files on the client. Then HostbasedAuthentication from 11.4 to 11.3 starts working again.

Does this solution work for you?
--- Comment #6 from Gilles Sabourin <gilles.sabourin@free.fr> 2011-05-24 06:47:27 UTC ---
This solution works ... until the ssh server is restarted: new ecdsa keys are then generated, whose ecdsa public key is unknown to the peers, and this leads to a worse situation (offending key ...). So, this is NOT a fix for me: this is unacceptable. Moreover, this behavior is inconsistent: your solution is more or less a test that exhibits a security leak in openssh.

From a security point of view, this new behavior is much more secure, because it does not allow abuse of HostbasedAuthentication, which should be reserved only for system accounts. The former operation allowed unlimited access between 2 trusted hosts to ANY user account. But computer security has 2 components (human and machine) and can't rely solely on the machine: there is no security (no access control) where you allow everyone to go.

But this substantial semantic change should have been at least:
- documented in the openssh changelog or on the openssh web site and,
- well tested, so that this kind of "workaround" should simply not have been possible.

Now you should contact an openssh developer to confirm that this is the intended operation for openssh > 5.6. If this is the case, then this bug report can be turned against the openssh documentation, and you can open a new bug report for the security leak.
--- Comment #7 from Michael Rutter <mjr19@cam.ac.uk> 2011-05-25 12:31:06 UTC ---
Thanks for pointing out the ecdsa key regeneration problem. It seems that this issue has been fixed by the openssh people already, see https://bugzilla.mindrot.org/show_bug.cgi?id=1858 (which a colleague kindly pointed out to me). As far as I can tell, that patch does cure the problem, and will be in openssh 5.9.

I think that the above patch ought to go into an updated SuSE 11.4 ssh package, if only so that 11.4's behaviour does not differ from both past and future versions (assuming that the future versions will use openssh 5.9). However, that is a decision for others.

Incidentally, I am not sure that I agree with you that HostbasedAuthentication should be reserved only for system accounts. I run 50+ "identical" machines with a hundred or so users, and I certainly want people to be able to move between machines readily. The old method involved hosts.equiv, and HostbasedAuthentication seems much better. However, for root I do not allow such access.

Rolf Krahl <rolf@rotkraut.de> changed:
    CC: added rolf@rotkraut.de

--- Comment #8 from Rolf Krahl <rolf@rotkraut.de> 2012-02-05 16:45:59 UTC ---
First of all, I can confirm that the bug is still present in openSUSE 12.1.

While impatiently waiting for the fix in openssh 5.9 to find its way to the openSUSE end users, I'd like to suggest a workaround. It's pretty obvious: since the cause is ssh-keysign not yet supporting ecdsa keys, one may simply fall back to using an rsa host key.

Steps for the workaround:
1. Disable using the ecdsa host key at the server: uncomment the line
       HostKey /etc/ssh/ssh_host_rsa_key
   in /etc/ssh/sshd_config and leave all other HostKey statements commented out.
2. Create the rsa key:
       $ ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
3. Restart the ssh server:
       $ rcsshd restart
4. Distribute the public key in /etc/ssh/ssh_host_rsa_key.pub to the ssh_known_hosts files at the clients.
5. Enjoy working host-based authentication.
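The thread turns on two known_hosts mismatches: a host key type the peer has never been given (the ecdsa key that appeared with 5.7, comment #5 and #8) and a regenerated key the peer still holds an old copy of (the "offending key" case in comment #6). The check below is an added example, not code from the bug report or from openSUSE; it reads the signing host's public keys and the peer's ssh_known_hosts text and reports both cases. Hostnames and key blobs are constructed placeholders.

```python
# Added example (not from the bug report): check that every host key a client
# can sign with is known to the peer under every name it may use, and flag
# entries that hold a different key of that type.  All inputs are constructed.

def parse_pubkey(line):
    """'ssh-rsa AAAA... comment' -> (keytype, keydata)."""
    keytype, keydata = line.split()[:2]
    return keytype, keydata

def parse_known_hosts(text):
    """Map (hostname, keytype) -> set of keydata.  A line may carry several
    comma-separated names, as the ssh_known_hosts format allows."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, keydata = line.split()[:3]
        for name in names.split(","):
            table.setdefault((name, keytype), set()).add(keydata)
    return table

def audit(hostnames, host_pubkeys, known_hosts):
    """Return (missing, conflicting).  missing: (name, keytype) pairs with no
    entry at all, so the peer cannot verify a signature made with that key.
    conflicting: the peer holds a different key of that type for that name,
    the 'offending key' situation after a host key has been regenerated."""
    table = parse_known_hosts(known_hosts)
    missing, conflicting = [], []
    for keytype, keydata in host_pubkeys:
        for name in hostnames:
            known = table.get((name, keytype))
            if known is None:
                missing.append((name, keytype))
            elif keydata not in known:
                conflicting.append((name, keytype))
    return missing, conflicting

# Constructed sample: the client host has rsa and ecdsa host keys (placeholder
# blobs, not real keys); the peer's ssh_known_hosts only carries the rsa key.
CLIENT_NAMES = ["gilles-vbureau.example.net", "gilles-vbureau"]
CLIENT_PUBKEYS = [parse_pubkey(l) for l in (
    "ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-RSA root@gilles-vbureau",
    "ecdsa-sha2-nistp256 AAAAE2VjZHNh-CONSTRUCTED-ECDSA root@gilles-vbureau")]
PEER_KNOWN_HOSTS = """# /etc/ssh/ssh_known_hosts on the server (constructed)
gilles-vbureau.example.net,gilles-vbureau ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-RSA
"""
```

Running `audit(CLIENT_NAMES, CLIENT_PUBKEYS, PEER_KNOWN_HOSTS)` on the sample lists the ecdsa key as missing under both names; appending an ecdsa line with a different blob instead reports it as conflicting.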