bugzilla-daemon at mindrot.org
2014-Nov-05 07:45 UTC
[Bug 2305] New: sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Bug ID: 2305
Summary: sshd does not accept @cert-authority when doing host based authentication.
Product: Portable OpenSSH
Version: 6.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: peter at pean.org

Created attachment 2503 --> https://bugzilla.mindrot.org/attachment.cgi?id=2503&action=edit
sshd_config same on both machines.

When doing host based authentication using signed host keys you need to have the connecting host in /etc/ssh/ssh_known_hosts. @cert-authority is not enough. When running sshd in debug mode it seems it first accepts the cert with the CA, but then requires the actual host to be in ssh_known_hosts anyway.

Hm, only one attachment? The ssh_known_hosts has only one line looking something like:

@cert-authority * ssh-rsa AAAA....

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Nov-15 00:19 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Iain Morgan <imorgan at nas.nasa.gov> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |imorgan at nas.nasa.gov

--- Comment #1 from Iain Morgan <imorgan at nas.nasa.gov> ---
Peter, could you attach the complete sshd -ddd from a session demonstrating this problem?
bugzilla-daemon at mindrot.org
2014-Nov-15 11:27 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #2 from Peter <peter at pean.org> ---
Created attachment 2507 --> https://bugzilla.mindrot.org/attachment.cgi?id=2507&action=edit
sshd -ddd
bugzilla-daemon at mindrot.org
2014-Nov-15 11:28 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #3 from Peter <peter at pean.org> ---
Created attachment 2508 --> https://bugzilla.mindrot.org/attachment.cgi?id=2508&action=edit
ssh -vvv
bugzilla-daemon at mindrot.org
2014-Nov-15 11:54 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #4 from Peter <peter at pean.org> ---
Like I said before, as far as I can see the problem is here:

https://github.com/openssh/openssh-portable/blob/master/auth2-hostbased.c#L189-L222

--
host_status = check_key_in_hostfiles(pw, key, lookup,
    _PATH_SSH_SYSTEM_HOSTFILE,
    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
--

This block does not take into account the possibility that the hostkey can be a certificate, while the code surrounding it does.
bugzilla-daemon at mindrot.org
2014-Nov-16 01:32 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #5 from Iain Morgan <imorgan at nas.nasa.gov> ---
No, that block is correct. That is where the search for the @cert-authority entry occurs. That is how load_hostkeys() gets called, which does find the @cert-authority entry.

From the sshd -ddd output, the certificate passes the basic tests (certificate type, validity period, principals) and an applicable CA entry is found. However, the certificate ends up being rejected. That could be a mismatch between the key used to sign the certificate and the entry in the ssh_known_hosts file.

What do you get for the output of ssh-keygen -Lf on your certificate, and does the fingerprint for the signing CA match the fingerprint for the @cert-authority entry?
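The check suggested in comment #5 (does the certificate's signing CA match an @cert-authority entry?) can be scripted. The following is an added example, not code from this thread or from OpenSSH: it walks the certificate wire format documented in OpenSSH's PROTOCOL.certkeys to pull out the embedded signature key and looks for that exact key among the @cert-authority entries whose host pattern matches. Host-pattern matching is approximated with fnmatch (OpenSSH has its own matcher with negation), and the sample certificate is constructed and carries no real signature.

```python
import base64, fnmatch, struct

def wire_str(b):  # SSH wire 'string': uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

def read_str(buf, off):
    """Decode one SSH wire string at offset; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

# key-material strings that follow the nonce, per cert type (PROTOCOL.certkeys)
KEY_FIELDS = {b"ssh-rsa-cert-v01@openssh.com": 2, b"ssh-dss-cert-v01@openssh.com": 4,
              b"ssh-ed25519-cert-v01@openssh.com": 1}          # ecdsa-*: 2 (curve, Q)

def signing_ca_blob(cert_blob):
    """Return the 'signature key' field: the CA public key that signed the cert."""
    ktype, off = read_str(cert_blob, 0)
    _nonce, off = read_str(cert_blob, off)
    for _ in range(2 if ktype.startswith(b"ecdsa-sha2-") else KEY_FIELDS[ktype]):
        _, off = read_str(cert_blob, off)
    off += 8 + 4                                 # serial (uint64), cert type (uint32)
    for _ in range(2):                           # key id, valid principals
        _, off = read_str(cert_blob, off)
    off += 8 + 8                                 # valid_after, valid_before
    for _ in range(3):                           # critical options, extensions, reserved
        _, off = read_str(cert_blob, off)
    return read_str(cert_blob, off)[0]

def matching_cas(known_hosts_text, hostname):
    """CA key blobs from @cert-authority lines whose host pattern matches hostname."""
    return [base64.b64decode(f[3]) for f in map(str.split, known_hosts_text.splitlines())
            if len(f) >= 4 and f[0] == "@cert-authority"
            and any(fnmatch.fnmatchcase(hostname, p) for p in f[1].split(","))]

def cert_accepted_by(cert_pub_line, known_hosts_text, hostname):
    """True if the cert's signing CA is listed in a matching @cert-authority entry."""
    cert = base64.b64decode(cert_pub_line.split()[1])
    return signing_ca_blob(cert) in matching_cas(known_hosts_text, hostname)

def sample_setup():
    """Constructed (not real) data: a bare-bones RSA host cert for 'm4' and its CA."""
    ca = wire_str(b"ssh-rsa") + wire_str(b"\x01\x00\x01") + wire_str(b"\x00\xc3" * 16)
    cert = (wire_str(b"ssh-rsa-cert-v01@openssh.com") + wire_str(b"nonce" * 4)
            + wire_str(b"\x01\x00\x01") + wire_str(b"\x00\xb7" * 16)           # e, n
            + struct.pack(">QI", 1, 2) + wire_str(b"m4") + wire_str(wire_str(b"m4"))
            + struct.pack(">QQ", 0, 2 ** 64 - 1) + wire_str(b"") * 3
            + wire_str(ca) + wire_str(b"not-a-real-signature"))
    return ("ssh-rsa-cert-v01@openssh.com " + base64.b64encode(cert).decode(),
            "@cert-authority * ssh-rsa " + base64.b64encode(ca).decode())
```

Comparing the raw key blob is what a matching fingerprint from ssh-keygen -Lf certifies; a pattern that names the host exactly will not match a host that believes its name ends in a trailing dot.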
bugzilla-daemon at mindrot.org
2014-Nov-16 07:17 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #6 from Iain Morgan <imorgan at nas.nasa.gov> ---
Looking at the debug output more closely, it looks like the client is not attempting to use any certificates. The server logs just three hostbased authentication attempts, and the 'Failed hostbased' messages all indicate that these were plain keys.

As an aside, it probably isn't a good idea to create certificates for all the supported key types. In most cases, just one (or perhaps two) certificates should be sufficient. Since hostbased will try all host keys and certificates until it succeeds, you could easily exhaust the allowed number of authentication attempts if the ssh_known_hosts or shosts.equiv files are misconfigured.
bugzilla-daemon at mindrot.org
2014-Nov-16 07:50 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #7 from Peter <peter at pean.org> ---
Hm, but it uses the cert to validate the authenticity of the server (which works). Is my sshd misconfigured in some way?
bugzilla-daemon at mindrot.org
2014-Nov-16 22:00 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #8 from Peter <peter at pean.org> ---
It is the certs it is using:

Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port 53372 ssh2: DSA bf:c3:bf:01:c2:fd:98:9e:3f:98:00:bd:84:08:ce:eb, client user "petera", client host "m4"
Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port 53372 ssh2: ECDSA fd:59:de:a9:0f:47:bb:89:79:46:57:10:4c:ba:fe:8b, client user "petera", client host "m4"
Nov 16 22:55:02 m3 sshd[63451]: Failed hostbased for petera from port 53372 ssh2: RSA 37:9b:5a:34:02:27:32:8f:03:f8:c3:b1:0b:be:d0:2e, client user "petera", client host "m4"

---

ssh_host_dsa_key-cert.pub:
        Type: ssh-dss-cert-v01 at openssh.com host certificate
        Public key: DSA-CERT bf:c3:bf:01:c2:fd:98:9e:3f:98:00:bd:84:08:ce:eb
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a

ssh_host_ecdsa_key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01 at openssh.com host certificate
        Public key: ECDSA-CERT fd:59:de:a9:0f:47:bb:89:79:46:57:10:4c:ba:fe:8b
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a

ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01 at openssh.com host certificate
        Public key: RSA-CERT 37:9b:5a:34:02:27:32:8f:03:f8:c3:b1:0b:be:d0:2e
        Signing CA: RSA 47:94:00:4c:dc:65:0c:c5:72:87:a1:04:a6:53:42:4a
bugzilla-daemon at mindrot.org
2014-Nov-16 22:03 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #9 from Peter <peter at pean.org> ---
Ok. I will apologize now. The problem was that the cert files were not world readable on the client machine...
bugzilla-daemon at mindrot.org
2014-Nov-16 23:34 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #10 from Iain Morgan <imorgan at nas.nasa.gov> ---
It would probably be helpful to add some debug output in the client to indicate which keys are being tried. Currently, it just indicates that it tried hostbased authentication, but doesn't indicate which key or cert was used. I'll look into that.
bugzilla-daemon at mindrot.org
2014-Nov-17 22:32 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #11 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2509 --> https://bugzilla.mindrot.org/attachment.cgi?id=2509&action=edit
Show which hostkey is used by the client

Add a debug() statement to reveal which hostkey is being used in userauth_hostbased(). More precisely, indicate the key type rather than the actual filename. The patch is against -current.
bugzilla-daemon at mindrot.org
2014-Nov-18 19:44 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Iain Morgan <imorgan at nas.nasa.gov> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #2509 is obsolete|0 |1

--- Comment #12 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2510 --> https://bugzilla.mindrot.org/attachment.cgi?id=2510&action=edit
Tweak previous patch
bugzilla-daemon at mindrot.org
2014-Dec-11 05:13 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Patch applied to -current
bugzilla-daemon at mindrot.org
2014-Dec-23 13:10 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
I just configured a hostbased authentication setup with certificates and found that it worked fine. Your problem is probably this:

> debug2: userauth_hostbased: chost m4.

Your host seems to think that its name is "m4.", probably because of a misconfigured /etc/hosts. Hostbased authentication is pretty sensitive to this and the logging at both ends is pretty terrible. I'll look at improving it.
bugzilla-daemon at mindrot.org
2014-Dec-23 14:19 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

--- Comment #15 from Peter <peter at pean.org> ---
Hi! Please look at my comment #9. Sorry.
bugzilla-daemon at mindrot.org
2014-Dec-23 22:43 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
ok; I've added some more debugging that might help future cases.
bugzilla-daemon at mindrot.org
2015-Aug-11 13:04 UTC
[Bug 2305] sshd does not accept @cert-authority when doing host based authentication.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #17 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1