ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)

Bug #15361 reported by Debian Bug Importer on 2005-04-11
Affects: Debian | Status: New | Importance: Unknown
Affects: Ubuntu | Importance: High | Assigned to: Matthias Klose

Bug Description

Automatically imported from Debian bug report #250311 http://bugs.debian.org/250311


Debian Bug Importer (debzilla) wrote :

Message-Id: <E1BRLc8-0003JZ-72@localhost>
Date: Fri, 21 May 2004 20:47:52 -0500
From: Chad Walstrom <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)

Package: ssh
Version: 1:3.8.1p1-3
Severity: important

I cannot connect to an ssh daemon running woody's current version
(1:3.4p1-1.woody.3) from the sarge/sid current version. I have no
problems connecting to a client/server pair both running 3.8.1p1-3.
Default configuration files on all tests.

An example of where this hurts is when trying to get CVS repositories
from savannah.gnu.org. Since they do not accept password authentication
and require publickey authentication, I cannot get read/write access to
the repositories.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4-k7
Locale: LANG=C, LC_CTYPE=en_US.ISO-8859-1 (ignored: LC_ALL set to C)

Versions of packages ssh depends on:
ii adduser 3.53 Add and remove users and groups
ii debconf 1.4.25 Debian configuration management sy
ii dpkg 1.10.21 Package maintenance system for Deb
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
ii libpam-modules 0.76-21 Pluggable Authentication Modules f
ii libpam-runtime 0.76-21 Runtime support for the PAM librar
ii libpam0g 0.76-21 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-1 SSL shared libraries
ii libwrap0 7.6.dbs-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1-5 compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 22 May 2004 12:04:59 +0100
From: Colin Watson <email address hidden>
To: Chad Walstrom <email address hidden>, <email address hidden>
Subject: Re: Bug#250311: ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)

On Fri, May 21, 2004 at 08:47:52PM -0500, Chad Walstrom wrote:
> Package: ssh
> Version: 1:3.8.1p1-3
> Severity: important
>
> I cannot connect to an ssh daemon running woody's current version
> (1:3.4p1-1.woody.3) from the sarge/sid current version.

Hm, I do this all the time. I can connect to savannah.gnu.org from
1:3.8.1p1-3 using both i386 and powerpc and public key authentication.
What SSH protocol version are you using?

> I have no problems connecting to a client/server pair both running
> 3.8.1p1-3. Default configuration files on all tests.
>
> An example of where this hurts is when trying to get CVS repositories
> from savannah.gnu.org. Since they do not accept password authentication
> and require publickey authentication, I cannot get read/write access to
> the repositories.

Can you get me ssh -vvv output, please?

--
Colin Watson [<email address hidden>]

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 22 May 2004 14:24:21 -0500
From: Chad Walstrom <email address hidden>
To: Colin Watson <email address hidden>, <email address hidden>
Subject: Re: Bug#250311: ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)

Colin Watson wrote:
> On Fri, May 21, 2004 at 08:47:52PM -0500, Chad Walstrom wrote:
> > Package: ssh
> > Version: 1:3.8.1p1-3
> > Severity: important
> >
> > I cannot connect to an ssh daemon running woody's current version
> > (1:3.4p1-1.woody.3) from the sarge/sid current version.
>
> Hm, I do this all the time. I can connect to savannah.gnu.org from
> 1:3.8.1p1-3 using both i386 and powerpc and public key authentication.
> What SSH protocol version are you using?

I default to Protocol 2 in my .ssh/config file.

    # Chad's ssh configuration file
    #
    Protocol 2

> Can you get me ssh -vvv output, please?

Attached.

--
Chad Walstrom <email address hidden> http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */

Attachment: ssh-vvv

[14:19:23] chewie@skuld (501)$ ssh -vvv savannah
OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /home/chewie/.ssh/config
debug1: Applying options for savannah
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to savannah.gnu.org [199.232.41.3] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/chewie/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/chewie/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/chewie/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: ...

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 20 Jul 2004 22:52:10 -0600
From: Shawn Willden <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: ssh: I had (nearly) the same problem, but fixed it

Package: ssh
Version: 1:3.8.1p1-5
Followup-For: Bug #250311

I had precisely the same symptoms, with the same -vvv output. One
difference is that it only affected my connections to my own server,
not to savannah or sourceforge.

Looking at auth.log on my server revealed the problem: sshd was
refusing to use my public key because my home directory was
group-writable. In order to do pubkey auth, both the home directory
and the .ssh directory must be writable only by the owner.

I don't know if this is related to Chad's problem, but I thought I'd
mention it since the symptoms were so similar.

 Shawn.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii adduser 3.57 Add and remove users and groups
ii debconf 1.4.29 Debian configuration management sy
ii dpkg 1.10.22 Package maintenance system for Deb
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-4 SSL shared libraries
ii libwrap0 7.6.dbs-4 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1.1-5 compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
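
The permission condition Shawn describes above can be checked on the server before digging through auth.log. The following is an added example, not part of the original report and not OpenSSH code: it walks the home directory, .ssh and the key file and reports any that are writable by group or other. The function names, the default key file path, the owner test (owner must be the account or root) and the suggested chmod are assumptions of this example.

```python
import os
import shlex
import stat
import sys

# Write bits for group and other: the bits the report says must be clear.
LOOSE = stat.S_IWGRP | stat.S_IWOTH

def audit_pubkey_paths(home, uid=None, keyfile=".ssh/authorized_keys"):
    """Return [(path, problem)] for home, each directory below it, and keyfile."""
    uid = os.getuid() if uid is None else uid
    home = os.path.realpath(home)
    # Build the chain home -> .ssh -> authorized_keys, top down.
    chain, cur = [home], home
    for part in keyfile.split("/"):
        cur = os.path.join(cur, part)
        chain.append(cur)
    findings = []
    for path in chain:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            break  # nothing below a missing path can be checked
        mode = stat.S_IMODE(st.st_mode)
        # Assumption of this example: the owner must be the account or root.
        if st.st_uid not in (uid, 0):
            findings.append((path, "owned by uid %d" % st.st_uid))
        if mode & LOOSE:
            findings.append((path, "group/other-writable (mode %04o)" % mode))
    return findings

def suggested_fix(findings):
    """chmod commands that clear only the offending write bits."""
    return ["chmod go-w " + shlex.quote(path) for path, problem in findings
            if problem.startswith("group/other-writable")]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    results = audit_pubkey_paths(target)
    for path, problem in results:
        print("%s: %s" % (path, problem))
    for cmd in suggested_fix(results):
        print("fix: " + cmd)
    sys.exit(1 if results else 0)
```

Run it as the account owner on the server side, passing the home directory as the only argument; a non-zero exit status means at least one path was flagged.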

Matthias Klose (doko) wrote :

imported by mistake as part of gcc-3.4/gcc-4.0 related bugs, closing.

http://bugs.debian.org/250311
ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)

Please see the above URL; Shawn commented on the bug, but the bug number
(still) doesn't reach the submitter by default. Is this problem solved?

Justin Pryzby <email address hidden> wrote:
> http://bugs.debian.org/250311
> ssh: pubkey auth fails between 3.8.1p1-3 and 3.4(woody)
>
> Please see the above URL; Shawn commented on the bug, but the bug number
> (still) doesn't reach the submitter by default. Is this problem solved?

I honestly don't know. It was reported so long ago. The servers that
it could have affected have long since been upgraded. I would
consider it close-able, even though the bug for those particular
versions may still be in effect.
--
Chad Walstrom <email address hidden> http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */

reassign 183659 openssh-client
reassign 187558 openssh-server
reassign 195716 openssh-server
reassign 240506 openssh-server
reassign 242236 openssh-server
reassign 250311 openssh-client
reassign 314289 openssh-server
reassign 314596 openssh-client
reassign 341042 openssh-client
reassign 341767 openssh-server
reassign 341781 openssh-server
reassign 343896 openssh-client
reassign 414324 openssh-client

reassign 125171 openssh-server
reassign 151102 openssh-server
reassign 241496 openssh-server
reassign 286844 openssh-server

--
Colin Watson [<email address hidden>]
