bugzilla-daemon at mindrot.org
2004-May-23 19:19 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
Summary: SSH client fails for non-root users with "Host key
verification failed"
Product: Portable OpenSSH
Version: 3.8.1p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: bugzilla.mindrot.org at foxtail.org
Attempting to open an ssh session to any remote host fails when attempted by a
non-root user. The error message is
ssh_askpass: exec(/usr/lib/misc/ssh-askpass): No such file or directory
Host key verification failed.
Yes, ssh-askpass is not installed as the client system is not running X. When
the root user executes the same command (ssh remoteuser@remotehost) the ssh
client displays the password prompt on stdout, accepts the password on stdin,
and opens the session successfully. I've seen evidence that others are
encountering this problem:
http://www.derkeiler.com/Mailing-Lists/securityfocus/Secure_Shell/2003-11/0016.html
and
http://lists.debian.org/debian-ssh/2004/04/msg00058.html
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-23 19:26 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From mouring at eviladmin.org 2004-05-24 05:26 -------
I would check to see if "SSH_ASKPASS" and "DISPLAY" are set.
bugzilla-daemon at mindrot.org
2004-May-23 20:16 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 06:16 -------
The "Host key verification failed" message persists even after DISPLAY is
unset. Here's a transcript of a session showing the error messages with and
without DISPLAY set, and a successful Password: prompt when run as root.
(I can attach output of ssh -vvv if it would be helpful)
Script started on Sun May 23 13:05:27 2004
[MY_USERNAME@epic] ~ [501]$ echo $DISPLAY
[MY_USERNAME@epic] ~ [502]$ echo $SSH_ASKPASS
[MY_USERNAME@epic] ~ [503]$ ssh grace.speakeasy.net
Host key verification failed.
[MY_USERNAME@epic] ~ [504]$ DISPLAY=:0 ssh grace.speakeasy.net
ssh_askpass: exec(/usr/lib/misc/ssh-askpass): No such file or directory
Host key verification failed.
[MY_USERNAME@epic] ~ [505]$ su
Password:
[root@epic] /home/MY_USERNAME [500]$ echo $DISPLAY
[root@epic] /home/MY_USERNAME [501]$ echo $ASKPASS
[root@epic] /home/MY_USERNAME [502]$ ssh MY_USERNAME@grace.speakeasy.net
Password:
[root@epic] /home/MY_USERNAME [503]$ exit
[MY_USERNAME@epic] ~ [506]$
Script done on Sun May 23 13:06:24 2004
bugzilla-daemon at mindrot.org
2004-May-23 20:44 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From mouring at eviladmin.org 2004-05-24 06:43 -------
Sounds like you have a bad .ssh/known_hosts entry. Compare the entry with
that of root's. I suspect you'll find them to be different.
bugzilla-daemon at mindrot.org
2004-May-23 22:23 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 08:23 -------
Negative, there is no ~/.ssh/known_hosts file at all. I confirmed that it
applies to all nonroot accounts by creating a new user and trying to ssh as
that new user -- same thing.
bugzilla-daemon at mindrot.org
2004-May-23 23:10 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From dtucker at zip.com.au 2004-05-24 09:10 -------
Does /dev/tty exist and does it have the correct permissions?
$ ls -l /dev/tty
crw-rw-rw- 1 root root 5, 0 May 12 13:29 /dev/tty
bugzilla-daemon at mindrot.org
2004-May-24 03:27 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
------- Additional Comments From bugzilla.mindrot.org at foxtail.org 2004-05-24 13:27 -------
/dev/tty is mode 660 rather than 666 as shown below:
[root@epic] ~ [504]$ ls -l /dev/tty
crw-rw---- 1 root root 5, 0 Dec 31 1969 /dev/tty
Could the difference in permissions be a BSD vs. Linux issue? I've never
changed any permissions in /dev so they were determined by the Gentoo
maintainers. When I changed the permissions to 666 the problem was resolved,
however I'm curious if they were originally set to 660 for a good reason.
Also, a Google search using some keywords from the previous comment reveals
that this bug appears to be a duplicate of bug 471 for which a patch has been
submitted. For now I've changed permissions on /dev/tty which has resolved
the issue -- thanks to everyone for your assistance.
bugzilla-daemon at mindrot.org
2004-May-24 03:36 UTC
[Bug 872] SSH client fails for non-root users with "Host key verification failed"
http://bugzilla.mindrot.org/show_bug.cgi?id=872
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
------- Additional Comments From dtucker at zip.com.au 2004-05-24 13:36 -------
No, a mode 660 /dev/tty is not a BSD/Linux thing, it's just wrong, and if
Gentoo's installer makes it that way then it's buggy.
*** This bug has been marked as a duplicate of 471 ***
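Added example, not part of the bug report or of OpenSSH: a shell script that repeats the three checks made in this thread (askpass environment, known_hosts, /dev/tty permissions) in the same order. The function names are hypothetical, and it assumes Linux with a stat(1) that accepts -c '%a' (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the bug report): repeat the thread's three checks.
# Assumes Linux with a stat(1) that supports -c '%a'.

# mode_world_rw MODE: returns 0 if octal MODE gives "other" read+write
# (e.g. 666), 1 if it does not (e.g. 660), 2 if MODE is not octal.
mode_world_rw() {
    case $1 in
        ''|*[!0-7]*) return 2 ;;
    esac
    [ $(( 0$1 & 06 )) -eq 6 ]
}

# check_tty [PATH]: report whether PATH (default /dev/tty) is a character
# device that every user may read and write.
check_tty() {
    dev=${1:-/dev/tty}
    if [ ! -c "$dev" ]; then
        echo "MISSING $dev is not a character device"
        return 1
    fi
    mode=$(stat -c '%a' "$dev") || return 1
    if mode_world_rw "$mode"; then
        echo "OK $dev mode=$mode"
    else
        echo "BAD $dev mode=$mode (expected 666)"
        return 1
    fi
}

triage() {
    # 1. First suspect in the thread: askpass-related environment variables.
    echo "DISPLAY=${DISPLAY:-<unset>} SSH_ASKPASS=${SSH_ASKPASS:-<unset>}"
    # 2. Second suspect: a bad entry in the user's known_hosts.
    if [ -f "${HOME:-/nonexistent}/.ssh/known_hosts" ]; then
        echo "known_hosts present: compare its entry for the host with root's"
    else
        echo "known_hosts absent: a bad entry is ruled out"
    fi
    # 3. The cause found in this report: /dev/tty not usable by non-root.
    check_tty /dev/tty
}

triage || true
```

Run it as the affected non-root user; a BAD line for /dev/tty matches the mode 660 device reported above.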