bugzilla-daemon at mindrot.org
2022-Mar-14 13:44 UTC
[Bug 3406] New: RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Bug ID: 3406
Summary: RSA key authentication doesn't work with enabled
GSSAPIKeyExchange: sign_and_send_pubkey: internal
error: initial hostkey not recorded
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: robert.kulyassa at gmail.com
I've set up an openssh server to use GSSAPI authentication (too), it
all worked last week, I was able to login with password, ssh key or
kerberos ticket, all the 3 worked fine. Today I updated the ssh server
(8.8p1 -> 8.9p1), the kerberos and password auth still work, but when I
try to use key authentication I get this:
sign_and_send_pubkey: internal error: initial hostkey not recorded
If I disable the GSSAPIKeyExchange then it works again (kerberos and
password auth work in both cases).
The environment:
client and server side are almost the same, Ubuntu 22.04 client and
server:
openssh version: 8.9p1 (and earlier when it worked: 8.8p1)
sshd_config (almost default, just enabled the GSSAPIAuthentication):

  Include /etc/ssh/sshd_config.d/*.conf # <- nothing here
  LogLevel INFO
  KbdInteractiveAuthentication no
  GSSAPIAuthentication yes
  GSSAPIKeyExchange yes
  UsePAM yes
  X11Forwarding yes
  PrintMotd no
  AcceptEnv LANG LC_*
  Subsystem sftp /usr/lib/openssh/sftp-server

ps: May it be related to the "stricter UpdateHostkey signature
verification logic" what I see in the 8.9 release notes?
https://www.openssh.com/txt/release-8.9
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Mar-14 22:56 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Please attach a full debug trace from the server. It's hard to tell
what has gone wrong from just the error message.
Also:
> GSSAPIKeyExchange yes
This is a third-party patch to OpenSSH. It's fairly likely that this is
causing the problem.
bugzilla-daemon at mindrot.org
2022-Mar-15 06:40 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
specifically, the gssapi-kex patch probably needs something like:
> if (ssh->kex->initial_hostkey == NULL)
>         hostbound = 0;
added after the first "if" statement near the start of
sshconnect2.c:sign_and_send_pubkey()
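The guard suggested in comment #2, as an added example that is not part of the thread, of OpenSSH, or of the gssapi-kex patch. It is a simplified C model: the struct, flag and function names are hypothetical, and the unguarded path is assumed to choose host-bound authentication from the server's advertisement alone.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the client state named in the thread. */
#define MODEL_SERVER_HOSTBOUND 0x1 /* server offers host-bound pubkey auth */

struct model_kex {
    unsigned flags;
    const char *initial_hostkey; /* NULL: key exchange recorded no host key */
};

enum model_result { MODEL_PLAIN, MODEL_HOSTBOUND, MODEL_FATAL };

/* Without the guard: host binding is requested, then the missing host key
 * is only discovered when the signature data is assembled. */
static enum model_result choose_unguarded(const struct model_kex *kex)
{
    int hostbound = (kex->flags & MODEL_SERVER_HOSTBOUND) != 0;

    if (hostbound && kex->initial_hostkey == NULL)
        return MODEL_FATAL; /* "internal error: initial hostkey not recorded" */
    return hostbound ? MODEL_HOSTBOUND : MODEL_PLAIN;
}

/* With the guard from comment #2: no recorded host key, no host binding,
 * so the client falls back to ordinary public key authentication. */
static enum model_result choose_guarded(const struct model_kex *kex)
{
    int hostbound = (kex->flags & MODEL_SERVER_HOSTBOUND) != 0;

    if (kex->initial_hostkey == NULL)
        hostbound = 0;
    return hostbound ? MODEL_HOSTBOUND : MODEL_PLAIN;
}

int main(void)
{
    /* Constructed cases: GSSAPI-style kex (no host key) and a normal kex. */
    struct model_kex gss = { MODEL_SERVER_HOSTBOUND, NULL };
    struct model_kex normal = { MODEL_SERVER_HOSTBOUND, "constructed-hostkey" };
    static const char *names[] = { "plain", "hostbound", "fatal" };

    printf("no hostkey, unguarded: %s\n", names[choose_unguarded(&gss)]);
    printf("no hostkey, guarded:   %s\n", names[choose_guarded(&gss)]);
    printf("hostkey,    guarded:   %s\n", names[choose_guarded(&normal)]);
    return 0;
}
```

The fallback keeps key authentication working but drops the host binding for that session, which is the trade-off the guard accepts.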
bugzilla-daemon at mindrot.org
2022-Mar-15 10:44 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
--- Comment #3 from qji <robert.kulyassa at gmail.com> ---
Created attachment 3582
--> https://bugzilla.mindrot.org/attachment.cgi?id=3582&action=edit
sshd_debug3_log_key_auth_failed.txt
Here is a sshd debug3 log showing the output the same time I ran the
"ssh localadmin at myserver" command on my client.
bugzilla-daemon at mindrot.org
2022-Mar-15 10:51 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
--- Comment #4 from qji <robert.kulyassa at gmail.com> ---
Created attachment 3583
--> https://bugzilla.mindrot.org/attachment.cgi?id=3583&action=edit
ssh_client_debug3_log_key_auth_failed.txt
And here is the client log (ssh -vvv) for the same event (but a
different session)
bugzilla-daemon at mindrot.org
2022-Mar-15 22:20 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3583
--> https://bugzilla.mindrot.org/attachment.cgi?id=3583
ssh_client_debug3_log_key_auth_failed.txt
thanks - yes, this is the 3rd-party gssapi-kex modification causing
this. It needs a tweak like the one I described above
bugzilla-daemon at mindrot.org
2022-Jul-01 04:58 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
problem not in OpenSSH code but in a third-party patch
bugzilla-daemon at mindrot.org
2022-Oct-04 10:58 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Closing bugs from openssh-9.1 release cycle
bugzilla-daemon at mindrot.org
2024-Oct-14 20:46 UTC
[Bug 3406] RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Colin Watson <cjwatson at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson at debian.org
--- Comment #8 from Colin Watson <cjwatson at debian.org> ---
Belatedly, I just wanted to say that I've committed a fix for this to
Debian's openssh git repository
(https://salsa.debian.org/ssh-team/openssh/-/commit/7d291bb6319611a01dfa0f56fd161db11547320f),
so that should deal with this problem for Debian, Ubuntu, and friends
once it trickles down.