HostbasedAuthentication produces spurious warnings

Bug #1389167 reported by Owen Dunn
This bug affects 2 people
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Ubuntu 14.04.1 LTS
openssh-client 1:6.6p1-2ubuntu2

We have HostbasedAuthentication set up in our environment so that users can ssh between equivalent hosts without a password.

ssh_config contains (relevantly)

HostbasedAuthentication yes
PreferredAuthentications publickey,hostbased,password,keyboard-interactive
EnableSSHKeysign yes

sshd_config contains (relevantly)

HostbasedAuthentication yes

This works:

ocelot:~$ ssh othermc
othermc:~$

However, ssh-ing as an alternative user produces additional warning messages before the expected password prompt:

ocelot:~$ ssh otheruser@othermc
no matching hostkey found
ssh_keysign: no reply
key_sign failed
otheruser@othermc's password:

If instead of relying on EnableSSHKeysign in ssh_config I make the ssh binary setuid:

chmod u+s /usr/bin/ssh

...the extra warnings go away and I get what I expect:

ocelot:~$ ssh otheruser@othermc
otheruser@othermc's password:

This makes me suspect that there may be a problem with ssh-keysign.

Owen Dunn (osd1000) wrote :

Digging a bit further, I think this arises because ssh-keysign punts off all its host key processing to OpenSSL, but OpenSSL does not support ED25519 keys.

Owen Dunn (osd1000) wrote :

Further still, a convenient workaround is to remove read permission for everyone from /etc/ssh/ssh_host_ed25519_key.pub.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed

Bryan Youse (bryouse) wrote :

Had success with your workaround, thanks for sharing.

Colin Watson (cjwatson) wrote :

This was fixed upstream in OpenSSH 6.8, which is in Ubuntu 15.10 and newer:

  https://anongit.mindrot.org/openssh.git/commit/?id=1195f4cb07ef4b0405c839293c38600b3e9bdb46

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released
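
Added example, not part of the original report or of OpenSSH: a POSIX shell check for the combination described in this thread (an OpenSSH client older than 6.8, HostbasedAuthentication and EnableSSHKeysign set to yes in ssh_config, and a world-readable Ed25519 host public key), which also notes when the ssh binary has been made setuid. The function names are hypothetical, and Host/Match scoping in ssh_config is ignored as a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the bug report); function names are hypothetical.

# Succeeds if an `ssh -V` banner reports an OpenSSH release older than 6.8,
# the upstream release the thread names as containing the fix.
older_than_6_8() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2          # banner not recognised
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }
}

# Succeeds if config file $1 sets keyword $2 to "yes". Keywords are matched
# case-insensitively and "key=value" is accepted; the first occurrence wins.
# Assumption: Host/Match scoping is ignored, the file is read as one block.
config_yes() {
    val=$(awk -v k="$2" '
        $1 ~ /^#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Succeeds if the public key file exists and others can read it, i.e. the
# permission workaround from the thread has not been applied.
pub_world_readable() {
    [ -e "$1" ] || return 1
    case $(ls -ldL "$1") in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints findings. Arguments: banner, ssh_config, Ed25519 .pub, ssh binary.
report() {
    if older_than_6_8 "$1" && config_yes "$2" HostbasedAuthentication &&
        config_yes "$2" EnableSSHKeysign && pub_world_readable "$3"; then
        echo "MATCH: pre-6.8 client, ssh-keysign enabled, Ed25519 host key readable"
    fi
    # A setuid ssh runs the whole client with the file owner's privileges.
    [ -u "$4" ] && echo "NOTE: $4 is setuid"
    return 0
}

# On a live host:
# report "$(ssh -V 2>&1)" /etc/ssh/ssh_config \
#     /etc/ssh/ssh_host_ed25519_key.pub /usr/bin/ssh
```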