libpam-sshauth dropped support for publickey authentication

Bug #1507798 reported by Eric Desrochers
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
libpam-sshauth (Debian) | Fix Released | Unknown | |
libpam-sshauth (Ubuntu) | Fix Released | Medium | Eric Desrochers |
Trusty | Won't Fix | Medium | Eric Desrochers |
Vivid | Won't Fix | Low | Eric Desrochers |
Wily | Won't Fix | Low | Eric Desrochers |
Xenial | Fix Released | Medium | Eric Desrochers |

Bug Description

[Impact]

libpam-sshauth v0.1-1 (shipped with precise) used to support publickey authentication with ssh-agent.

The new version of this lib shipped with trusty and later has dropped this feature, which is related to the upstream author (ltsp-upstream) switching to libssh2 (it was using libssh before).

[Test Case]

If users ssh to the server configured with libpam-sshauth using publickey authentication + ssh-agent, they're not granted access.

A patch has been approved/merged upstream:
https://code.launchpad.net/~benoit-guyard/ltsp/libpam-sshauth/+merge/273930

[Regression Potential]

A testfix has been provided, and positive feedback has been given by the community confirming that the new package works under Trusty as expected: https://bugs.launchpad.net/ubuntu/xenial/+source/libpam-sshauth/+bug/1507798/comments/4

[Original Description]
It has been brought to my attention that libpam-sshauth (version >=0.3-1) has dropped support for publickey authentication.

$ cat debian/changelog
---
libpam-sshauth (0.3-1) experimental; urgency=low

  * New upstream version.
    - Switch to using libssh2.
  * Add Build-Depends on libssh2-1-dev and pkg-config, drop libssh-dev.
  * debian/rules: Install pam_sshauth.so into /lib/<triplet>/security/.

 -- Vagrant Cascadian <email address hidden> Fri, 22 Mar 2013 12:31:56 -0700
---

Eric Desrochers (slashd) wrote :

A patch has been "Approved" upstream a few days ago.

Reference : https://code.launchpad.net/~benoit-guyard/ltsp/libpam-sshauth/+merge/273930

---
Status: Approved
Approved by: Scott Balneaves on 2015-10-16
Approved revision: 108
Proposed branch: lp:~benoit-guyard/ltsp/libpam-sshauth
Merge into: lp:~ltsp-upstream/ltsp/libpam-sshauth
---

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libpam-sshauth (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd) wrote :

A "testfix" is now available on a PPA[1] for the community to test and provide feedback.

The "testfix" includes the Approved revision #108 (Added back support for publickey authentication & ssh-agent)

If this mitigates/solves the situation, please provide feedback by commenting on this LP bug.

The package[1] is only for testing purposes and not a final solution.

[1] https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1507798

Thanks !

Benoit Guyard (benoit-guyard) wrote :

Tested the "testfix"[1] on a "Ubuntu 14.04.3 LTS" box, looks good to me, "publickey + ssh-agent" authentication works again.

[1] https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1507798

Thank you.

Eric Desrochers (slashd)
tags: added: verification-done
tags: removed: verification-done
Eric Desrochers (slashd)
Changed in libpam-sshauth (Ubuntu Trusty):
status: New → Confirmed
Changed in libpam-sshauth (Ubuntu Vivid):
status: New → Confirmed
Changed in libpam-sshauth (Ubuntu Wily):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in libpam-sshauth (Ubuntu Vivid):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in libpam-sshauth (Ubuntu Trusty):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Eric Desrochers (slashd) wrote :

Thanks Benoit for your feedback.

Now that it has been Approved upstream and the "testfix" including revision #108 is working as expected, I will monitor upstream and start working on the SRU once it is merged.

Current state :
---
Unmerged revisions
108. By Benoit Guyard on 2015-10-08
Added back support for publickey authentication
---

Eric Desrochers (slashd) wrote :

Revision 108 has been merged upstream.

The proposal to merge lp:~benoit-guyard/ltsp/libpam-sshauth into lp:~ltsp-upstream/ltsp/libpam-sshauth has been updated.
Status: Approved => Merged

==
$ bzr log -r 108
--
revno: 108
committer: Benoît Guyard <email address hidden>
branch nick: libpam-sshauth
timestamp: Thu 2015-10-08 17:11:15 -0400
message:
  Added back support for publickey authentication
==

Eric Desrochers (slashd) wrote :

Since the "libpam-sshauth" package is a sync from Debian, I have reported a bug in order to apply the patch in Debian too:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805879

Changed in libpam-sshauth (Ubuntu Trusty):
importance: Undecided → Low
Changed in libpam-sshauth (Ubuntu Xenial):
importance: Undecided → Low
Eric Desrochers (slashd)
tags: added: verification-done
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "trusty_libpam-sshauth_0.3.1-2" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Eric Desrochers (slashd) wrote :

The package in "Xenial" doesn't build without adding in debian/control

- Build-Depends: debhelper (>= 9), libssh2-1-dev, libpam0g-dev | libpam-dev, dh-autoreconf, pkg-config
+ Build-Depends: debhelper (>= 9), libssh2-1-dev, libpam0g-dev | libpam-dev, dh-autoreconf, pkg-config, zlib1g-dev
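
Review bot: the zlib1g-dev entry appended at the end of the + Build-Depends line works around a requirement that the build log attributes to libssh2's pkg-config metadata ("Package 'zlib', required by 'libssh2', not found"), not to anything in this package's own build, and nothing in the change records that. Suggest saying so in the changelog entry next to the Debian bug reference, so the extra build dependency can be dropped once libssh2-1-dev pulls zlib in itself.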

Debian bug:
https://bugs.debian.org/789106

Upstream (revision 102):
https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/102

---
build.log (without the debian/control modification)
--
configure: error: Package requirements (libssh2) were not met:

Package 'zlib', required by 'libssh2', not found

Package zlib was not found in the pkg-config search path.
Perhaps you should add the directory containing `zlib.pc'
to the PKG_CONFIG_PATH environment variable
Package 'zlib', required by 'libssh2', not found
configure:4688: $? = 1
configure:4702: $PKG_CONFIG --exists --print-errors "libssh2"
Package zlib was not found in the pkg-config search path.
Perhaps you should add the directory containing `zlib.pc'
to the PKG_CONFIG_PATH environment variable
Package 'zlib', required by 'libssh2', not found
configure:4705: $? = 1
configure:4719: result: no
Package 'zlib', required by 'libssh2', not found
configure:4735: error: Package requirements (libssh2) were not met:

Package 'zlib', required by 'libssh2', not found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
--

Eric Desrochers (slashd) wrote :

debdiff for Trusty (0.3.1-1ubuntu1)

Changed in libpam-sshauth (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in libpam-sshauth (Ubuntu Xenial):
status: Confirmed → In Progress
tags: added: sts
Mathew Hodson (mhodson)
Changed in libpam-sshauth (Ubuntu Vivid):
importance: Undecided → Low
Changed in libpam-sshauth (Ubuntu Wily):
importance: Undecided → Low
Eric Desrochers (slashd)
description: updated
Changed in libpam-sshauth (Debian):
status: Unknown → New
Mathew Hodson (mhodson)
Changed in libpam-sshauth (Ubuntu Vivid):
status: Confirmed → Triaged
Changed in libpam-sshauth (Ubuntu Wily):
status: Confirmed → Triaged
Chris Halse Rogers (raof) wrote :

Hm. I think this patch is incorrect:

gcc -DHAVE_CONFIG_H -I. -I.. -D_FORTIFY_SOURCE=2 -fpic -Wall -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c -o pam_sshauth_so-auth_funcs.o `test -f 'auth_funcs.c' || echo './'`auth_funcs.c
auth_funcs.c:40:0: warning: "SSH_AUTH_METHOD_PUBLICKEY" redefined
 #define SSH_AUTH_METHOD_PUBLICKEY 3
 ^
In file included from auth_funcs.c:36:0:
pam_sshauth.h:30:0: note: this is the location of the previous definition
 #define SSH_AUTH_METHOD_PUBLICKEY 4
 ^

You're using method as a set of bits, but you're defining SSH_AUTH_METHOD_PUBLICKEY as 1<<1 | 1<<0 (ie: 2 + 1 = 3).

This means that it'll try public key authentication if both INTERACTIVE and PASSWORD methods are supported (and, conversely, it'll try PASSWORD and INTERACTIVE if only PUBLICKEY is supported).

Changed in libpam-sshauth (Ubuntu Xenial):
status: In Progress → Incomplete
Chris Halse Rogers (raof) wrote :

You should probably not #define SSH_AUTH_METHOD_PUBLICKEY in auth_funcs.c and rely on the version in pam_sshauth.h
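
The flag collision described in the two review comments above, as an added example that is not code from libpam-sshauth or from anyone in this thread. The macro and function names are hypothetical, and the assignment of the two low bits to the password and keyboard-interactive methods is an assumption; only the values 3 and 4 come from the compiler output.

```c
#include <stdio.h>

/* Assumed layout: the thread only implies that the two low bits belong to the
 * password and keyboard-interactive methods; which bit is which is a guess.
 * All names here are hypothetical, not the project's identifiers. */
#define M_PASSWORD      (1u << 0)
#define M_INTERACTIVE   (1u << 1)
#define M_PUBKEY_LOCAL  3u         /* value the redefinition in auth_funcs.c used */
#define M_PUBKEY_HEADER (1u << 2)  /* value 4, as in pam_sshauth.h */

/* A mask flag must have exactly one bit set. */
#define IS_SINGLE_BIT(x) ((x) != 0 && (((x) & ((x) - 1)) == 0))

/* Compile-time guards: the build fails if a flag overlaps its neighbours.
 * Substituting M_PUBKEY_LOCAL here stops compilation. */
_Static_assert(IS_SINGLE_BIT(M_PUBKEY_HEADER), "flag must be a single bit");
_Static_assert((M_PUBKEY_HEADER & (M_PASSWORD | M_INTERACTIVE)) == 0,
               "flags must not overlap");

/* Loose test: any shared bit counts as "method offered". */
int offered_any(unsigned mask, unsigned flag) { return (mask & flag) != 0; }

/* Strict test: every bit of the flag must be present. */
int offered_all(unsigned mask, unsigned flag) { return (mask & flag) == flag; }

/* Number of methods that would be attempted for a given server mask. */
int methods_tried(unsigned mask, unsigned pubkey_flag)
{
    return offered_any(mask, M_PASSWORD) + offered_any(mask, M_INTERACTIVE)
         + offered_all(mask, pubkey_flag);
}

int main(void)
{
    unsigned pw_and_kbd = M_PASSWORD | M_INTERACTIVE;  /* no public key offered */

    printf("value 3: pubkey tried though not offered = %d\n",
           offered_all(pw_and_kbd, M_PUBKEY_LOCAL));
    printf("value 3: methods tried for pubkey-only mask = %d\n",
           methods_tried(M_PUBKEY_LOCAL, M_PUBKEY_LOCAL));
    printf("value 4: pubkey tried though not offered = %d\n",
           offered_all(pw_and_kbd, M_PUBKEY_HEADER));
    printf("value 4: methods tried for pubkey-only mask = %d\n",
           methods_tried(M_PUBKEY_HEADER, M_PUBKEY_HEADER));
    return 0;
}
```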

Eric Desrochers (slashd)
Changed in libpam-sshauth (Ubuntu Trusty):
importance: Low → Medium
Changed in libpam-sshauth (Ubuntu Xenial):
importance: Low → Medium
Eric Desrochers (slashd) wrote :

Here's a new version of my patch for "Xenial" (without #define SSH_AUTH_METHOD_PUBLICKEY in auth_funcs.c, relying on the version in pam_sshauth.h)

Eric Desrochers (slashd) wrote :

Here's a new version of my patch for "Trusty" (without #define SSH_AUTH_METHOD_PUBLICKEY in auth_funcs.c, relying on the version in pam_sshauth.h)

Changed in libpam-sshauth (Ubuntu Xenial):
status: Incomplete → In Progress
Sebastien Bacher (seb128) wrote :

@Eric, thanks for the work. The "testcase" is not really one; that's supposed to be steps you can follow to confirm the bug and verify that it's fixed after the update.

Eric Desrochers (slashd)
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpam-sshauth - 0.3.1-1ubuntu1

---------------
libpam-sshauth (0.3.1-1ubuntu1) xenial; urgency=medium

  * debian/patches/add-back-support-for-publickey-authentication.patch: Added back
    support for publickey authentication (Closes: #805879, LP: #1507798)

  * debian/control add zlib1g-dev package in Build-Depends (Closes: #789106)

 -- Eric Desrochers <email address hidden> Tue, 12 Jan 2016 22:11:19 -0500

Changed in libpam-sshauth (Ubuntu Xenial):
status: In Progress → Fix Released
Eric Desrochers (slashd)
Changed in libpam-sshauth (Ubuntu Trusty):
status: In Progress → Won't Fix
Changed in libpam-sshauth (Ubuntu Vivid):
status: Triaged → Won't Fix
Changed in libpam-sshauth (Ubuntu Wily):
status: Triaged → Won't Fix
Changed in libpam-sshauth (Debian):
status: New → Fix Released