bugzilla-daemon at bugzilla.mindrot.org
2017-Apr-14 19:44 UTC
[Bug 2709] New: Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
Bug ID: 2709
Summary: Permission Error logged at Debug
Product: Portable OpenSSH
Version: 7.2p2
Hardware: 68k
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: clay.gerrard at gmail.com
Took me an extra few minutes to get my AWS instance set up because the
error message I needed was logged at DEBUG instead of >INFO
https://github.com/openssh/openssh-portable/blob/2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e/auth.c#L578
The user's authorized_keys file was 700 and had the right key - but
owned by root :P
The client showed it was trying the right private key, sshd in auth.log
just said:
Apr 14 19:02:49 ip-172-30-0-16 sshd[1638]: Connection closed by 38.140.31.130 port 59865 [preauth]
When I bumped the log level and restarted sshd it was obvious:
Apr 14 19:24:37 ip-172-30-0-16 sshd[2756]: debug1: Could not open authorized keys '/home/clayg/.ssh/authorized_keys': Permission denied
<shrug>
Not complaining! Very glad the log message was there at debug!
Thanks!
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-02 05:48 UTC
[Bug 2709] Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
CC| |djm at mindrot.org,
| |dtucker at zip.com.au
Attachment #2988| |ok?(dtucker at zip.com.au)
Flags| |
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2988
--> https://bugzilla.mindrot.org/attachment.cgi?id=2988&action=edit
more manual text about debugging failed public key authentication
I don't think I want to change the loglevel from debug, because it is
IMO debugging information. We have a bit in the manual recommending
running ssh with -v or LogLevel elevated to debug authentication
problems, but I note that we don't repeat this in the AUTHENTICATION
section of the ssh(1) manual. This patch repeats the advice there.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-02 16:19 UTC
[Bug 2709] Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
--- Comment #2 from Clay Gerrard <clay.gerrard at gmail.com> ---
You're probably right. But please consider...
Unlike ENOENT - the permissions error is not really an expected normal
condition.
Consider when the permissions are *too* permissive:
Jun 2 16:05:44 localhost sshd[3343]: Authentication refused: bad ownership or modes for file /home/ubuntu/.ssh/authorized_keys
Or this message when the file is a directory:
Jun 2 16:14:17 localhost sshd[3421]: User ubuntu authorized keys /home/ubuntu/.ssh/authorized_keys is not a regular file
Whereas when the user/owner is wrong (which causes an error trying to
read the file) - AFAICT there is no helpful/clarifying message printed
unless the log level is DEBUG.
Which is *fine* - but I think this EPERM is hardly something you would
expect to be any more unlikely/common than the file's mode, or it being
a non-regular file.
OTOH, if there was some more esoteric error reading the file.... well
that might be *very* interesting/noteworthy.
/me shrugs
Thanks for the response and suggested doc patch, very
helpful/responsive. I appreciate your maintenance/service.
Thank you!
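Added example, not part of the bug thread and not OpenSSH code: a Python sketch that classifies an authorized_keys path into the outcomes discussed in the comments above (unreadable by the login user, which sshd reports only at debug1; not a regular file; bad ownership or modes). The permission model (mode bits only, no ACLs, no parent-directory checks) and the order of the checks are simplifying assumptions, and all function and constant names are hypothetical.

```python
import os
import stat
import tempfile

# Outcome labels; UNREADABLE is the case the thread says is only logged at debug1.
MISSING, UNREADABLE, NOT_REGULAR, BAD_MODES, OK = (
    "missing", "unreadable", "not-regular", "bad-ownership-or-modes", "ok")

def can_read(st, uid, gids):
    """Approximate the kernel read check for user `uid` (assumption: no ACLs)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def diagnose(path, uid, gids=()):
    """Classify an authorized_keys path as the login user `uid` would hit it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return MISSING
    if not can_read(st, uid, gids):
        return UNREADABLE      # "Could not open ...: Permission denied" (debug1)
    if not stat.S_ISREG(st.st_mode):
        return NOT_REGULAR     # "... is not a regular file"
    if st.st_uid not in (0, uid) or st.st_mode & 0o022:
        return BAD_MODES       # "bad ownership or modes for file ..."
    return OK

def demo():
    """Run diagnose() over constructed sample files in a temporary directory."""
    me, results = os.getuid(), {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("private", 0o700), ("loose", 0o666), ("good", 0o600)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
            results[name] = diagnose(p, me)
        results["wrong_owner"] = diagnose(os.path.join(d, "private"), me + 1)  # other uid
        os.mkdir(os.path.join(d, "dir"), 0o700)
        results["dir"] = diagnose(os.path.join(d, "dir"), me)
        results["absent"] = diagnose(os.path.join(d, "nope"), me)
    return results

if __name__ == "__main__":
    print(demo())
```

Run as root against a real home directory, `diagnose(path, uid)` with the login user's uid flags the wrong-owner case without raising sshd's LogLevel.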
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 04:55 UTC
[Bug 2709] Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2988|ok?(dtucker at zip.com.au) |ok+
Flags| |
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 06:44 UTC
[Bug 2709] Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2698
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Unfortunately the mechanism used to transmit this information to the
client is a general transport-level debugging message. There's no way
to distinguish between something that the server is sending to indicate
an error condition and other debug messages.
Anyway, I've committed the manual bit.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at mindrot.org
2021-Apr-23 05:03 UTC
[Bug 2709] Permission Error logged at Debug
https://bugzilla.mindrot.org/show_bug.cgi?id=2709
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release