bugzilla-daemon at mindrot.org
2013-Apr-30 16:50 UTC
[Bug 2095] New: ssh client not respecting IdentitiesOnly=yes option
https://bugzilla.mindrot.org/show_bug.cgi?id=2095

Bug ID: 2095
Summary: ssh client not respecting IdentitiesOnly=yes option
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: christian.boitel at gmail.com

Created attachment 2253
--> https://bugzilla.mindrot.org/attachment.cgi?id=2253&action=edit
Fixes pubkey_create function to correctly take into account the identities_only option

Hi all,

One of our users reported to us a somewhat strange problem, described below:

1/ Try to use the ssh client to connect to a remote machine using an invalid identity file: as expected, it is rejected. Example:

    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i /etc/hosts remote
    Permission denied (publickey,password,keyboard-interactive).

2/ Use your public (not private) key instead of a valid identity file: it works!
Yes, you are dreaming: it looks like the user was able to connect using a public key. Example:

    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i ~/.ssh/id_rsa.pub remote
    Last login: Tue Apr 30 18:06:13 2013 on /dev/pts/16 from a.b.c.d

We tested on multiple OS (AIX, Linux, Windows/cygwin) and all ssh clients (of different versions) reported the same behaviour. Downloaded the latest 6.2p1, recompiled it and found the latest version still exhibited this issue.

Further investigation finally showed that the user was authenticated through his ssh agent keys even though it was requested not to use them (IdentitiesOnly option). Unsetting SSH_AUTH prior to calling ssh would prove it.

Since I had downloaded and recompiled the 6.2p1 code, I looked at the source code and found the issue was likely in pubkey_prepare inside sshconnect2.c, in which the identities_only option is tested a bit too late. I provided a unified diff as a suggested patch to this issue.

Detail about the problem/patch for the pubkey_prepare function:

- at one point, pubkey_prepare checks if an agent is available and loops through the agent-provided keys
- for each agent key, it tests it against the config-file-provided keys:
  * if found, the agent key is directly added to the preferred agent key list and will therefore be used
  * if not found, the agent key is added to an agent key list only if the identities_only option isn't set.
- the problem in our case is that the config file vs agent keys test works and agent keys are added to the preferred key list (and later used) before we get to test the identities_only option

My patch simply tests the identities_only option as early as possible and prevents looping through agent keys that we should never be using if the option is set (as said in the man page extract below).

Extract from the ssh_config man page:

    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".

Hope it helps!

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Apr-30 22:28 UTC
[Bug 2095] ssh client not respecting IdentitiesOnly=yes option
https://bugzilla.mindrot.org/show_bug.cgi?id=2095

Damien Miller <djm at mindrot.org> changed:

    What      |Removed |Added
    ----------------------------------------------------------------------------
    CC        |        |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
IdentitiesOnly doesn't disable the agent, it's intended to allow _selection_ of which keys from an agent are used. Using the public key to select which agent key is offered is perfectly valid; indeed it is exactly what this option is intended for.

If you don't want to use the agent at all, then unset SSH_AUTH_SOCK.
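To make the selection semantics in this thread concrete, here is an added Python model of the key-ordering steps the reporter lists (agent keys matching a configured IdentityFile are preferred; unmatched agent keys are kept only when IdentitiesOnly is off; readable private-key files follow) together with the reading of IdentitiesOnly given in the reply. It is not OpenSSH code: the Identity class, prepare_identities() and the key labels are constructed for this illustration, and real key blobs are replaced by strings.

```python
"""Added model of the key-selection order described in bug 2095.

This is a simplified illustration written for this page, not OpenSSH's
own pubkey_prepare(); key material is replaced by constructed labels.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """One IdentityFile entry after loading.

    pubkey:      the public key read from (or derived from) the file
    has_private: True if the private half was also readable, which is
                 False when the user points -i at a .pub file
    """
    pubkey: str
    has_private: bool


def prepare_identities(config_identities, agent_keys, identities_only):
    """Return the public keys the client would offer, in try order.

    1. each agent key that matches a configured IdentityFile is preferred
       (the agent signs, so no private-key file is needed);
    2. an agent key with no matching IdentityFile is kept only when
       IdentitiesOnly is not set;
    3. configured files whose private half is readable follow.
    """
    preferred = []   # agent keys named by an IdentityFile
    agent_only = []  # agent keys not named in the config
    files = []       # configured keys usable without the agent

    config_pubs = {ident.pubkey for ident in config_identities}
    for key in agent_keys:
        if key in config_pubs:
            preferred.append(key)
        elif not identities_only:
            agent_only.append(key)

    for ident in config_identities:
        if ident.has_private and ident.pubkey not in preferred:
            files.append(ident.pubkey)

    return preferred + files + agent_only


# Constructed sample data standing in for the reporter's setup: the agent
# holds the user's id_rsa plus an unrelated key; only id_rsa.pub is given.
AGENT = ["id_rsa-pub", "other-agent-key"]
ONLY_PUB_FILE = [Identity(pubkey="id_rsa-pub", has_private=False)]


def reporter_scenario():
    """'-i ~/.ssh/id_rsa.pub', IdentitiesOnly=yes, agent running: the .pub
    selects the matching agent key and the unrelated agent key is not
    offered. This is the selection behaviour the reply describes."""
    return prepare_identities(ONLY_PUB_FILE, AGENT, identities_only=True)


def no_agent_scenario():
    """Same command with SSH_AUTH_SOCK unset: a .pub alone cannot sign,
    so nothing is offered and publickey authentication fails."""
    return prepare_identities(ONLY_PUB_FILE, [], identities_only=True)


def invalid_file_scenario():
    """'-i /etc/hosts' is not a key, so no identity loads from the config,
    and IdentitiesOnly=yes also excludes every agent key."""
    return prepare_identities([], AGENT, identities_only=True)


def default_scenario():
    """With IdentitiesOnly at its default of no, every agent key is
    offered after the configured ones."""
    return prepare_identities(ONLY_PUB_FILE, AGENT, identities_only=False)


if __name__ == "__main__":
    for fn in (reporter_scenario, no_agent_scenario,
               invalid_file_scenario, default_scenario):
        print(f"{fn.__name__}: {fn()}")
```

The practical takeaway for anyone auditing client behaviour is the one the reply gives: IdentitiesOnly narrows which agent keys are offered to those named by an IdentityFile, it does not disable the agent, so a policy of "never use agent keys" has to be enforced by running without SSH_AUTH_SOCK (later OpenSSH releases also accept IdentityAgent none for the same purpose). Running ssh with -v and reading the "Offering public key" lines is the quickest way to confirm which identity was actually presented.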
bugzilla-daemon at mindrot.org
2013-Jul-12 01:01 UTC
[Bug 2095] ssh client not respecting IdentitiesOnly=yes option
https://bugzilla.mindrot.org/show_bug.cgi?id=2095

Damien Miller <djm at mindrot.org> changed:

    What        |Removed  |Added
    ----------------------------------------------------------------------------
    Status      |NEW      |RESOLVED
    Resolution  |---      |WORKSFORME
bugzilla-daemon at mindrot.org
2015-Aug-11 13:05 UTC
[Bug 2095] ssh client not respecting IdentitiesOnly=yes option
https://bugzilla.mindrot.org/show_bug.cgi?id=2095

Damien Miller <djm at mindrot.org> changed:

    What      |Removed   |Added
    ----------------------------------------------------------------------------
    Status    |RESOLVED  |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1