bugzilla-daemon at mindrot.org
2014-Apr-16 12:04 UTC
[Bug 2229] New: ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

            Bug ID: 2229
           Summary: ssh adds and offers private key twice in certain constellations
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m.bunkus at linet-services.de

My ssh offers one and the same private key twice if I connect to a host which has a HostName entry in ssh's config.

Using this stripped-down configuration:

Host *
  IdentityFile ~/.ssh/key-mbunkus
  IdentitiesOnly yes

Host renegade renegade.bs.linet-services.de
  User grpadmin
  HostName renegade.bs.linet-services.de

Then I run ssh:

[0 mbunkus at chai-latte ~] ssh -F ~/.ssh/conf2 -a -v renegade
OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade.bs.linet-services.de
debug1: Connecting to renegade.bs.linet-services.de [10.199.93.23] port 22.
debug1: Connection established.
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1
debug1: match: OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA bd:3c:29:b5:18:53:e3:c0:d7:b1:a5:4f:bb:eb:d7:db
debug1: Host 'renegade.bs.linet-services.de' is known and matches the RSA host key.
debug1: Found key in /home/mbunkus/.ssh/known_hosts:961
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
grpadmin at renegade.bs.linet-services.de's password:

In my real-life configuration I actually have three identities listed. If each is used twice then this easily exhausts the number of tries, and I cannot try password authentication if the server only allows six tries.

This does not happen if the perceived/final host name equals the one given on the command line. Meaning "ssh -F ~/.ssh/conf2 -a -v renegade.bs.linet-services.de" is OK and looks like this:

[0 mbunkus at chai-latte ~] ssh -F ~/.ssh/conf2 -a -v renegade.bs.linet-services.de
OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade.bs.linet-services.de
debug1: Connecting to renegade.bs.linet-services.de [10.199.93.23] port 22.
debug1: Connection established.
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1
debug1: match: OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA bd:3c:29:b5:18:53:e3:c0:d7:b1:a5:4f:bb:eb:d7:db
debug1: Host 'renegade.bs.linet-services.de' is known and matches the RSA host key.
debug1: Found key in /home/mbunkus/.ssh/known_hosts:961
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
grpadmin at renegade.bs.linet-services.de's password:

Note that the SSH agent is not in use: I've explicitly "unset SSH_AGENT_PID" before doing these tests.

--
You are receiving this mail because:
You are watching the assignee of the bug.
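
A check for the symptom reported above, as an added example that is not part of the original bug thread and is not OpenSSH code: it parses `ssh -v` client output, flags identity files loaded or offered more than once, and compares the publickey attempts against the six-try server limit the reporter mentions. The key paths, the sample log and the names `analyze` and `sample_log` are constructed for illustration.

```python
import re
from collections import Counter

# Line formats as they appear in the report's `ssh -v` output (OpenSSH 6.6).
LOADED = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
OFFERED = re.compile(r"^debug1: Offering (?:\S+ )?public key: (\S+)")
REREAD = "debug1: Hostname has changed; re-reading configuration"
CONTINUE = ("debug1: Authentications that can continue: "
            "publickey,password,keyboard-interactive")


def analyze(log_text, max_tries=6):
    """Summarise duplicate identity loads and offers in `ssh -v` output."""
    loaded, offered, reread = Counter(), Counter(), False
    for line in map(str.strip, log_text.splitlines()):
        if line == REREAD:
            reread = True
        elif m := LOADED.match(line):
            # type -1 entries (the "-cert" paths in the report) are never offered
            if m.group(2) != "-1":
                loaded[m.group(1)] += 1
        elif m := OFFERED.match(line):
            offered[m.group(1)] += 1
    attempts = sum(offered.values())
    return {
        "config_reread": reread,
        "loaded_twice": sorted(p for p, n in loaded.items() if n > 1),
        "offered_twice": sorted(p for p, n in offered.items() if n > 1),
        "publickey_attempts": attempts,
        "wasted_attempts": attempts - len(offered),
        # max_tries=6 is the server limit the reporter mentions (assumption)
        "tries_left": max(max_tries - attempts, 0),
    }


def sample_log(copies):
    """Constructed log: three invented keys, each loaded/offered `copies` times."""
    keys = [f"/home/user/.ssh/key-{n}" for n in "abc"] * copies
    lines = [REREAD] if copies > 1 else []
    for k in keys:
        lines += [f"debug1: identity file {k} type 2",
                  f"debug1: identity file {k}-cert type -1"]
    for k in keys:
        lines += [f"debug1: Offering DSA public key: {k}", CONTINUE]
    return "\n".join(lines)


if __name__ == "__main__":
    for copies in (1, 2):
        print(copies, analyze(sample_log(copies)))
```

With three identities each offered twice, `tries_left` drops to 0, which is the state in which the reporter never reaches the password prompt.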
bugzilla-daemon at mindrot.org
2014-Apr-16 12:29 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

--- Comment #1 from Moritz Bunkus <m.bunkus at linet-services.de> ---
…and I meant SSH_AUTH_SOCK instead of SSH_AGENT_PID. Sorry for that.
bugzilla-daemon at mindrot.org
2014-Apr-16 23:32 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2426|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at zip.com.au

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2426
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2426&action=edit
avoid adding identity files twice

This is fallout from the configuration reparsing changes in 6.6p1. We should probably avoid adding identities that are already in the list
bugzilla-daemon at mindrot.org
2014-Apr-16 23:33 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2226
bugzilla-daemon at mindrot.org
2014-Apr-25 00:26 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Committed; will be in OpenSSH-6.7
bugzilla-daemon at mindrot.org
2014-Oct-07 21:00 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close all bugs left open from 6.6 and 6.7 releases.
bugzilla-daemon at mindrot.org
2023-Jan-13 02:38 UTC
[Bug 2229] ssh adds and offers private key twice in certain constellations
https://bugzilla.mindrot.org/show_bug.cgi?id=2229

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2426|ok?(dtucker at dtucker.net) |
              Flags|                            |