bugzilla-daemon at mindrot.org
2003-Sep-18 18:20 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 Summary: ssh cannot access keys stored in agent Product: Portable OpenSSH Version: 3.7.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: philipp at open.ch It seems the ssh command in 3.7.1p1 can no longer access SSH keys stored in the ssh-agent. The exact same configuration has worked in 3.6.1p2 and any previous version. When connecting to a host, the key-passphrase is always requested, even when the key was previously added to the agent. Other observations: - this is a client only issue. - authentication works for user root, but not for normal users - ssh-keysign is setuid root and is enabled in ssh_config - I can reproduce this on all hosts running OpenSSH 3.7.1p1 $ ssh-agent bash $ ssh-add /home/phk/.ssh/id_dsa $ ssh -vvv myhost [...] debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/phk/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-dss blen 433 debug2: input_userauth_pk_ok: fp a1:04:99:61:03:22:7e:79:20:fd:57:57:2c:7c:a8:98 debug3: sign_and_send_pubkey debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type <unknown> Enter passphrase for key '/home/phk/.ssh/id_dsa': ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-19 17:38 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 mdelan at computer.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mdelan at computer.org ------- Additional Comments From mdelan at computer.org 2003-09-20 03:38 ------- It seems that the problem isn't that ssh can't use the agent, but rather that it's trying to use the keys listed in ssh_config directly first, then falling back to the keys in the agent. Hitting enter at the passphrase prompt enough times to cycle through the valid ssh_config listed keys causes the login to succeed. If there are no valid keys listed in ssh_config, but there are keys in the agent we get the expected behavior. It's as though ssh is trying keys in the exact opposite order it's supposed to. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-19 19:12 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 philipp at open.ch changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |normal ------- Additional Comments From philipp at open.ch 2003-09-20 05:12 ------- Hm, you're right. In my local client configuration $HOME/.ssh/config, I have keys defined like this: IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/identity These are the same entries I have in the global ssh_config. When I comment out the lines above in $HOME/.ssh/config authentication works fine. Now, here's the interesting part: if *both* config files ($HOME/.ssh/config and ssh_config) list the IdentityFile lines involving a "~" as a placeholder for $HOME, I get the effect with the passphrase request. If one of the files refers to the IdentityFile using "$HOME" for the homedirectory, such as IdentityFile $HOME/.ssh/id_dsa IdentityFile $HOME/.ssh/identity it works fine. It may be as simple as to say: Don't use tilde as a placeholder for $HOME in the 3.7.1p1 config files anymore? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-20 12:15 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From mdelan at computer.org 2003-09-20 22:15 ------- Created an attachment (id=440) --> (http://bugzilla.mindrot.org/attachment.cgi?id=440&action=view) patch to remove duplicate identity file keys ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-20 13:17 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From mdelan at computer.org 2003-09-20 23:17 ------- Actually, it's $HOME that isn't expanding, not ~: debug2: key: /home/mdelan/.ssh/id_rsa (65630) debug2: key: $HOME/.ssh/identity (0) debug2: key: $HOME/.ssh/id_rsa (0) debug2: key: $HOME/.ssh/id_dsa (0) debug2: key: /home/mdelan/.ssh/identity (0) debug2: key: /home/mdelan/.ssh/id_dsa (0) The real problem is that if the same key is loaded more than once through IdentityFile statements, either because different listed files contain the same key, or the same file has been listed more than once (e.g. global and user ssh_config files contain the same IdentityFile statements), and that key also exists in the agent, then we end up with multiple copies of that key in the authctx list - one tagged as being an agent key, the other(s) not. userauth_pubkey() does offer the public key for the copy in the agent first, but due to the way it manipulates the authctx list, when input_userauth_pk_ok() goes to do the private key side of the exchange, it finds one of the non-agent copies first and uses that - hence the passphrase prompt. The patch in attachment #440 is a fairly quick hack to eliminate duplicate keys obtained from IdentityFiles during the setup phase of pubkey_prepare(), prior to the routine that orders the identities. Just checking for extra duplicates of agent keys in the next loop down might be a slicker solution, but at the moment, I can't quite figure out how to manipulate the TAILQ_* macros correctly to do that. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-20 14:36 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From markus at openbsd.org 2003-09-21 00:36 ------- this should work, but i don't know how portable TAILQ_FOREACH_REVERSE IS: Index: sshconnect2.c ==================================================================RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v retrieving revision 1.124 diff -u -r1.124 sshconnect2.c --- sshconnect2.c 25 Aug 2003 10:33:33 -0000 1.124 +++ sshconnect2.c 20 Sep 2003 14:25:30 -0000 @@ -445,7 +445,7 @@ debug2("input_userauth_pk_ok: fp %s", fp); xfree(fp); - TAILQ_FOREACH(id, &authctxt->keys, next) { + TAILQ_FOREACH_REVERSE(id, &authctxt->keys, next, idlist) { if (key_equal(key, id->key)) { sent = sign_and_send_pubkey(authctxt, id); break; folly% #define TAILQ_FOREACH_REVERSE(var, head, field, headname) \ for((var) = TAILQ_LAST(head, headname); \ (var) != TAILQ_END(head); \ (var) = TAILQ_PREV(var, headname, field)) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-20 16:03 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From philipp at open.ch 2003-09-21 02:03 ------- I have applied Mike's patch (#440) and it works great, thanks a lot! Your explanation about the duplicate keys makes perfect sense. Until you have found the most suitable solution to put into the next OpenSSH version, I will run with the patch for now and forget about the $HOME and tilde stuff. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-21 02:02 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From mdelan at computer.org 2003-09-21 12:02 ------- Markus's patch also works - tested on Solaris & Linux. His is probably the cleaner fix. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 00:01 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 mdelan at computer.org changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #440 is|0 |1 obsolete| | ------- Additional Comments From mdelan at computer.org 2003-09-22 10:01 ------- Created an attachment (id=441) --> (http://bugzilla.mindrot.org/attachment.cgi?id=441&action=view) patch to test that identity has been offered On further reflection, aside from Markus's concern about the portability of TAILQ_FOREACH_REVERSE, I see another problem with that fix: it's still assuming a particular order of &authctxt->keys. Some future change to the way userauth_pubkey() manipulates that list could re-introduce the bug. Checking that id->tried is set for the identity in addition to key_equal() within the loop seems the more robust solution. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 00:08 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 ------- Additional Comments From djm at mindrot.org 2003-09-22 10:08 ------- We don't need to worry about the portability of TAILQ_FOREACH_REVERSE. For portable OpenSSH we always use a local copy of OpenBSD's sys/queue.h (and sys/tree.h too). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Oct-10 11:14 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Oct-15 07:54 UTC
[Bug 684] ssh cannot access keys stored in agent
http://bugzilla.mindrot.org/show_bug.cgi?id=684 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2003-10-15 17:54 ------- Fixed in OpenBSD and Portable (HEAD and 3.7): - markus at cvs.openbsd.org 2003/10/11 08:26:43 [sshconnect2.c] search keys in reverse order; fixes #684 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Maybe Matching Threads
- [PATCH] ssh: Add option to present certificates on command line
- [Bug 1981] New: Trying to use ssh with a missing identity file gives no warnings
- IdentityFile vs IdentitiesOnly
- Configure option '--with-ssh1' breaks openssh-7.3p1
- [Bug 2084] New: "no such identity" error messages.