openssh bugs - Nov 2014 - [Bug 2305] New: sshd does not accept @cert-authority when doing host based authentication.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

            Bug ID: 2305
           Summary: sshd does not accept @cert-authority when doing host
                    based authentication.
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: peter at pean.org

Created attachment 2503
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2503&action=edit
sshd_config same on both machines.

When doing host based authentication using signed host keys you need to
have the connecting host in /etc/ssh/ssh_known_hosts. @cert-authority
is not enough. 

When running sshd in debug-mode it seems it first accepts the cert with
CA. but then requires the actual host to be in ssh_known_hosts anyway.

Hm only one attachment?
the ssh_known_hosts has only one line looking something like:

@cert-authority * ssh-rsa AAAA....

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Iain Morgan <imorgan at nas.nasa.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |imorgan at nas.nasa.gov

--- Comment #1 from Iain Morgan <imorgan at nas.nasa.gov> ---
Peter, could you attach the complete sshd -ddd from a session
demonstrating this problem?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #2 from Peter <peter at pean.org> ---
Created attachment 2507
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2507&action=edit
sshd -ddd

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #3 from Peter <peter at pean.org> ---
Created attachment 2508
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2508&action=edit
ssh -vvv

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #4 from Peter <peter at pean.org> ---
Like I said before, as far as I can see the problem is here:

https://github.com/openssh/openssh-portable/blob/master/auth2-hostbased.c#L189-L222

--
    host_status = check_key_in_hostfiles(pw, key, lookup,
        _PATH_SSH_SYSTEM_HOSTFILE,
        options.ignore_user_known_hosts ? NULL :
_PATH_SSH_USER_HOSTFILE);
--

This block does not take in to account the possibility that the hostkey
can be a certificate while code surrounding it does.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #5 from Iain Morgan <imorgan at nas.nasa.gov> ---
No, that block is correct. That is where the search for the
@cert-authority entry occurs.That is how load_hostkeys() gets called,
which does find the @cert-authority entry.
>From the sshd -ddd output, the certificate passes the basic tests
(certificate type, validity period, principals) and an applicable CA
entry is found. However, the certificate ends up being rejected. That
could be a mismatch between the key used to sign the certificate and
the
entry in the ssh_known_hosts file.

What do you get for the output of ssh-keygen -Lf on your certificate
and
does the fingerprint for the signing CA match the fingerprint for the
@cert-authority entry?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #6 from Iain Morgan <imorgan at nas.nasa.gov> ---
Looking at the debug output more closely, it looks like the client is
not attempting to use any certificates. The server logs just three
hostbased authentication attempts, and the 'Failed hostbased' messages
all indicate that these were plain keys.

As an aside, it probably isn't a good idea to create certificates for
all the supported key types. In most cases, just one (or perhaps two)
certificates should be sufficient. Since hostbased will try all host
keys and certificates until it succeeds, you could easily exhaust the
allowed number of authentication attempts if the ssh_known_hosts or
shosts.equiv files are misconfigured.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #7 from Peter <peter at pean.org> ---
Hm, but it uses the cert to validate the autheticity of the server
(which works). Is my sshd misconfigured in some way?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #8 from Peter <peter at pean.org> ---
It it the certs it is using:

Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port
53372 ssh2: DSA bf:c3:bf:01:c2:fd:98:9e:3f:98:00:bd:84:08:ce:eb, client
user "petera", client host "m4"
Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port
53372 ssh2: ECDSA fd:59:de:a9:0f:47:bb:89:79:46:57:10:4c:ba:fe:8b,
client user "petera", client host "m4"
Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port
53372 ssh2: RSA 37:9b:5a:34:02:27:32:8f:03:f8:c3:b1:0b:be:d0:2e, client
user "petera", client host "m4"

---


ssh_host_dsa_key-cert.pub:
        Type: ssh-dss-cert-v01 at openssh.com host certificate
        Public key: DSA-CERT
bf:c3:bf:01:c2:fd:98:9e:3f:98:00:bd:84:08:ce:eb
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a

ssh_host_ecdsa_key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01 at openssh.com host certificate
        Public key: ECDSA-CERT
fd:59:de:a9:0f:47:bb:89:79:46:57:10:4c:ba:fe:8b
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a

ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01 at openssh.com host certificate
        Public key: RSA-CERT
37:9b:5a:34:02:27:32:8f:03:f8:c3:b1:0b:be:d0:2e
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #9 from Peter <peter at pean.org> ---
Ok. I will apologize now. The problem was that the cert files was not
world readable on the client machine...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #10 from Iain Morgan <imorgan at nas.nasa.gov> ---
It would probably be helpful to add some debug output in the client to
indicate which keys are being tried. Currently, it just indicates that
it tried hostbased authentication, but doesn't indicate which key or
cert was used. I'll look into that.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #11 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2509
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2509&action=edit
Show which hostkey is used by the client

Add a debug() statement to reveal which hostkey is being used in
userauth_hostbased(). More precisely, indicate the key type rather than
the actual filename. The patch is against -current.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Iain Morgan <imorgan at nas.nasa.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2509|0                           |1
        is obsolete|                            |

--- Comment #12 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2510
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2510&action=edit
Tweak previous patch

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Patch applied to -current

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
I just configured a hostbased authentication setup with certificates
and found that it worked fine. Your problem is probably this:
> debug2: userauth_hostbased: chost m4..
Your host seems to think that it's name is "m4.", probably because
of a
misconfigured /etc/hosts.

Hostbased authentication is pretty sensitive to this and the logging at
both ends is pretty terrible. I'll look at improving it.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #15 from Peter <peter at pean.org> ---
Hi! Please look at my comment #9. Sorry.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
ok; I've added some more debugging that might help future cases.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #17 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.