The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign turned on, I am seeing one of two sets of messages:

no matching hostkey found
ssh_keysign: no reply
key_sign failed

and

not a valid request
ssh_keysign: no reply
key_sign failed

Then in either case two password prompts:

bowman at HOST.math.utah.edu's password:
Permission denied, please try again.
bowman at HOST.math.utah.edu's password:

I've used strace and dtrace to watch what files are opened and executables run. All the correct key files are accessed and the correct version of ssh-keysign used. Even the ssh-keysign from 6.5p1 or 6.6p1 works correctly with ssh from 6.4p1.

Various systems are affected by this:

MacOS X 10.5/ppc
OpenBSD 5.1/x86
RHEL 5/x86
Solaris 10/x86
Solaris 11/x64
Ubuntu 12.04/x86
debian 6.0/mips
gentoo/alpha
gentoo/ppc
gentoo/ppc64
gentoo/sparc

A few systems are not affected:

IRIX 6.5/mips
RHEL 5/ia64
Solaris 10/sparc

Any ideas on where to look?

Thanks,
Pieter
On 21/03/14 17:15, Pieter Bowman wrote:
> Any ideas on where to look?

Have you tried mixing the client sshs too? I would also try to log the contents passed to ssh-keysign (it will be binary data, but if, for instance, with the wrong version it got a few bytes less, I would suspect the signature is being truncated by sshd).
On Fri, Mar 21, 2014 at 10:15:56 -0600, Pieter Bowman wrote:
> The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and
> still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign
> turned on, I am seeing one of two sets of messages:
>
> no matching hostkey found
> ssh_keysign: no reply
> key_sign failed
>
> and
>
> not a valid request
> ssh_keysign: no reply
> key_sign failed
>
>
> Then in either case two password prompts:
>
> bowman at HOST.math.utah.edu's password:
> Permission denied, please try again.
> bowman at HOST.math.utah.edu's password:
>
>
> I've used strace and dtrace to watch what files are opened and
> executables run. All the correct key files are accessed and the
> correct version of ssh-keysign used. Even the ssh-keysign from 6.5p1
> or 6.6p1 works correctly with ssh from 6.4p1.
>

The ssh -vvv output might be of a little interest. I'm particularly curious as to whether you get the messages that you quoted with each keysign request or just the one for the ed25519 key. The behaviour sounds like there is a version mismatch which is causing it to choke on the ed25519 key.

You indicate that the correct ssh-keysign is being invoked, or at least the right path is used. Try running strings on the executable and grep for ed25519.

Were you deliberately failing the two password prompts, or is that another aspect of the problem?

--
Iain Morgan
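The two diagnostic suggestions in the replies above (capture the bytes ssh hands to ssh-keysign, and check the invoked binary for ed25519 support) can be combined in a small logging shim. The script below is an added example written for this thread, not code from OpenSSH or from any of the posters. It assumes the real setuid-root ssh-keysign has been moved aside to /usr/libexec/ssh-keysign.real and that this script is installed at the path ssh was built to exec (/usr/libexec/ssh-keysign is an assumption; confirm the path from the strace/dtrace output). A script cannot itself be setuid, but exec'ing the moved binary still gives it its own setuid privileges, and the connection socket ssh passes down survives the exec untouched.

```shell
#!/bin/sh
# Added example (not from the thread): logging shim for ssh-keysign.
# Assumptions: the real ssh-keysign was moved to $REAL_KEYSIGN and this
# file sits at the path ssh execs; both paths are placeholders.
REAL_KEYSIGN="${REAL_KEYSIGN:-/usr/libexec/ssh-keysign.real}"
LOGDIR="${KEYSIGN_LOGDIR:-/var/tmp/keysign-log}"

# capture_request FILE: copy the binary request on stdin to FILE and
# print its length in bytes, so request sizes from the 6.4p1 and 6.5p1
# clients can be compared side by side.
capture_request() {
    cat > "$1"
    wc -c < "$1" | tr -d ' '
}

# request_head FILE [N]: hex dump of the first N (default 64) bytes of a
# captured request, for eyeballing the version field and key blob.
request_head() {
    od -A d -t x1 -N "${2:-64}" "$1"
}

# has_ed25519 BINARY: portable equivalent of "strings BINARY | grep
# ssh-ed25519"; exits 0 when the key-type name appears in the file.
has_ed25519() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'ssh-ed25519'
}

# keysign_main: record one request, then hand it to the real ssh-keysign.
# The log is written as the invoking (unprivileged) user.
keysign_main() {
    umask 077
    mkdir -p "$LOGDIR"
    req="$LOGDIR/req.$$"
    size=$(capture_request "$req")
    if has_ed25519 "$REAL_KEYSIGN"; then ed="yes"; else ed="no"; fi
    printf '%s pid=%s bytes=%s real=%s ed25519=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$size" "$REAL_KEYSIGN" "$ed" \
        >> "$LOGDIR/keysign.log"
    # Replay the captured request on stdin; stdout goes straight back
    # to ssh, and the inherited socket fd is left alone.
    exec "$REAL_KEYSIGN" "$@" < "$req"
}

# Only act as the shim when actually installed under the ssh-keysign
# name; sourcing or running the file under another name just defines
# the helper functions.
case "$0" in
    */ssh-keysign) keysign_main "$@" ;;
esac
```

After a failed login, compare the logged byte counts between a client that works (6.4p1) and one that fails (6.5p1/6.6p1), and run request_head on the saved requests; a request that is shorter by a few bytes, or a real binary reported as ed25519=no, narrows the mismatch the replies are asking about. Remove the shim and restore the original binary once done, since it leaves signing requests on disk.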