bugzilla-daemon at mindrot.org
2004-May-23 19:19 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

           Summary: SSH client fails for non-root users with "Host key verification failed"
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: bugzilla.mindrot.org at foxtail.org

Attempting to open an ssh session to any remote host fails when attempted by a non-root user. The error message is

    ssh_askpass: exec(/usr/lib/misc/ssh-askpass): No such file or directory
    Host key verification failed.

Yes, ssh-askpass is not installed as the client system is not running X.

When the root user executes the same command (ssh remoteuser@remotehost) the ssh client displays the password prompt on stdout, accepts the password on stdin, and opens the session successfully.

I've seen evidence that others are encountering this problem:
http://www.derkeiler.com/Mailing-Lists/securityfocus/Secure_Shell/2003-11/0016.html
and
http://lists.debian.org/debian-ssh/2004/04/msg00058.html

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-23 19:26 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From mouring at eviladmin.org 2004-05-24 05:26 -------
I would check to see if "SSH_ASKPASS" and "DISPLAY" are set.
bugzilla-daemon at mindrot.org
2004-May-23 20:16 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 06:16 -------
The "Host key verification failed" message persists even after DISPLAY is unset. Here's a transcript of a session showing the error messages with and without DISPLAY set, and a successful Password: prompt when run as root. (I can attach output of ssh -vvv if it would be helpful)

    Script started on Sun May 23 13:05:27 2004
    [MY_USERNAME@epic] ~ [501]$ echo $DISPLAY
    [MY_USERNAME@epic] ~ [502]$ echo $SSH_ASKPASS
    [MY_USERNAME@epic] ~ [503]$ ssh grace.speakeasy.net
    Host key verification failed.
    [MY_USERNAME@epic] ~ [504]$ DISPLAY=:0 ssh grace.speakeasy.net
    ssh_askpass: exec(/usr/lib/misc/ssh-askpass): No such file or directory
    Host key verification failed.
    [MY_USERNAME@epic] ~ [505]$ su
    Password:
    [root@epic] /home/MY_USERNAME [500]$ echo $DISPLAY
    [root@epic] /home/MY_USERNAME [501]$ echo $ASKPASS
    [root@epic] /home/MY_USERNAME [502]$ ssh MY_USERNAME@grace.speakeasy.net
    Password:
    [root@epic] /home/MY_USERNAME [503]$ exit
    [MY_USERNAME@epic] ~ [506]$
    Script done on Sun May 23 13:06:24 2004
bugzilla-daemon at mindrot.org
2004-May-23 20:44 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From mouring at eviladmin.org 2004-05-24 06:43 -------
Sounds like you have a bad .ssh/known_hosts entry. Compare the entry with that of root's. I suspect you'll find them to be different.
bugzilla-daemon at mindrot.org
2004-May-23 22:23 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 08:23 -------
Negative, there is no ~/.ssh/known_hosts file at all. I confirmed that it applies to all nonroot accounts by creating a new user and trying to ssh as that new user -- same thing.
bugzilla-daemon at mindrot.org
2004-May-23 23:10 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From dtucker at zip.com.au 2004-05-24 09:10 -------
Does /dev/tty exist and does it have the correct permissions?

    $ ls -l /dev/tty
    crw-rw-rw- 1 root root 5, 0 May 12 13:29 /dev/tty
bugzilla-daemon at mindrot.org
2004-May-24 03:27 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 13:27 -------
/dev/tty is mode 660 rather than 666 as shown below:

    [root@epic] ~ [504]$ ls -l /dev/tty
    crw-rw---- 1 root root 5, 0 Dec 31 1969 /dev/tty

Could the difference in permissions be a BSD vs. Linux issue? I've never changed any permissions in /dev so they were determined by the Gentoo maintainers. When I changed the permissions to 666 the problem was resolved, however I'm curious if they were originally set to 660 for a good reason.

Also, a Google search using some keywords from the previous comment reveals that this bug appears to be a duplicate of bug 471 for which a patch has been submitted.

For now I've changed permissions on /dev/tty which has resolved the issue -- thanks to everyone for your assistance.
bugzilla-daemon at mindrot.org
2004-May-24 03:36 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dtucker at zip.com.au 2004-05-24 13:36 -------
No, a mode 660 /dev/tty is not a BSD/Linux thing, it's just wrong, and if Gentoo's installer makes it that way then it's buggy.

*** This bug has been marked as a duplicate of 471 ***
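
The check this thread converges on, as an added example that is not part of the bug report or of OpenSSH: a shell diagnostic that reports whether /dev/tty is a character device that users outside the owner and group can read and write (mode 666 in the healthy listing, 660 on the affected system), together with the DISPLAY and SSH_ASKPASS state asked about earlier. It assumes GNU stat (Linux); the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). Assumes GNU coreutils stat.
# Function names and verdict strings are hypothetical.

# classify_tty_mode FILE_TYPE OCTAL_MODE
# Prints a verdict; returns 0 only for a character device that users
# outside the owner and group can both read and write (e.g. mode 666).
classify_tty_mode() {
    tty_type=$1
    tty_mode=$2
    case $tty_type in
        "character special file") ;;
        *) echo "not-a-char-device"; return 2 ;;
    esac
    # The last octal digit holds the permission bits for "other" users.
    tty_other=${tty_mode#"${tty_mode%?}"}
    if [ $(( tty_other & 6 )) -eq 6 ]; then
        echo "ok"
    else
        echo "no-rw-for-other-users"
        return 1
    fi
}

# check_tty [PATH]: stat the node (default /dev/tty) and classify it.
check_tty() {
    tty_path=${1:-/dev/tty}
    [ -e "$tty_path" ] || { echo "missing"; return 2; }
    classify_tty_mode "$(stat -L -c %F "$tty_path")" \
                      "$(stat -L -c %a "$tty_path")"
}

# Report for the current user; run it as the account whose ssh fails.
verdict=$(check_tty /dev/tty) || true
echo "/dev/tty: $verdict ($(ls -l /dev/tty 2>/dev/null))"
echo "DISPLAY=${DISPLAY:-<unset>} SSH_ASKPASS=${SSH_ASKPASS:-<unset>}"
```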