HostbasedAuthentication produces spurious warnings
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
Ubuntu 14.04.1 LTS
openssh-client 1:6.6p1-2ubuntu2
We have HostbasedAuthen
ssh_config contains (relevantly)
HostbasedAuthen
PreferredAuthen
EnableSSHKeysign yes
sshd_config contains (relevantly)
HostbasedAuthen
This works:
ocelot:~$ ssh othermc
othermc:~$
However, ssh-ing as an alternative user produces additional warning messages before the expected password prompt:
ocelot:~$ ssh otheruser@othermc
no matching hostkey found
ssh_keysign: no reply
key_sign failed
otheruser@othermc's password:
If instead of relying on EnableSSHKeysign in ssh_config I make the ssh binary setuid:
chmod u+s /usr/bin/ssh
...the extra warnings go away and I get what I expect:
ocelot:~$ ssh otheruser@othermc
otheruser@othermc's password:
This makes me suspect that there may be a problem with ssh-keysign.
Digging a bit further, I think this arises because ssh-keysign punts off all its host key processing to OpenSSL, but OpenSSL does not support ED25519 keys.