Bug 103364

Summary: (PATCH)Openssh authentication is buggy
Product: [Fedora] Fedora Reporter: Alan Cox <alan>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 3CC: chris.ricker, dgunchev, eandres, forresttaylor2000, k.georgiou, mal, menscher, p.van.egdom, redhat-bugzilla, ronny-rhbugzilla, t8m, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-3.9p1-11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-15 04:33:30 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 123268, 136451    
Attachments:
Description Flags
Proposed patch none

Description Alan Cox 2003-08-29 08:26:47 EDT
Description of problem:

On a beta box scp root@box1:file root@box2:file

It asks for the password of box, it then prints "Permission denied" 3 times
without asking
for the root password of box2.
Comment 1 Bill Nottingham 2003-10-21 16:39:04 EDT
Does this happen with test3?
Comment 2 Alan Cox 2003-10-21 16:45:31 EDT
It does.

Simple example

scp root@my.box:/etc/motd root@my.box:/tmp/foo
Asks password for one side then displays
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
Comment 3 Forrest 2003-10-29 17:36:47 EST
This is a problem not only with the betas, but with many versions of Red Hat.  I
tried this:

scp root@localhost:/etc/motd root@localhost:/tmp/foo

It asks for the first password, but fails on the second.  I verified this on Red
Hat 7.2, 7.3, 8.0, 9, AS 2.1 and both betas.  I created an ssh key, and then I
see in the logs that it authenticates twice.  The question is--has this ever
worked with openssh?
Comment 4 Forrest 2003-10-29 17:39:48 EST
To clarify:
scp /etc/motd root@localhost:/tmp/foo
works where:

scp root@localhost:/etc/motd root@localhost:/tmp/foo
does not.

It does state in the man page that it is possible to use two remote hosts.
Comment 5 Damian Menscher 2003-11-12 18:34:20 EST
I see something similar on a RH7.3 (fully patched) box.  It's trying 
to run the ssh-askpass program and that fails if your $DISPLAY is 
wrong/unset.  The thing I don't understand is why it's trying to run 
that program.  The ssh manpage says it runs $SSH_ASKPASS if you're 
not running ssh from a terminal.  But xterm *is* a terminal (last I 
checked) so that should not be happening.  Really stumped on this one.
Comment 6 Damian Menscher 2003-11-12 19:41:10 EST
Ok, so my problem was incorrect permissions on /dev/tty, so it's not 
directly related to this bug.

However, I learned something that may explain what you guys are 
seeing.  If you're not running from a terminal then it uses the 
$SSH_ASKPASS program.  When you're trying to scp a box between two 
remote boxes, the connection between them doesn't have a terminal, 
right?

I can't say for sure, but I think I might be on to the root of the 
problem.  Good luck!
Comment 7 Alan Cox 2004-03-11 18:31:02 EST
Still present in Fedora Core 2 test 1
Comment 8 Alan Cox 2004-04-21 13:26:49 EDT
Still present in Fedora Core 2 test 2
Comment 9 Eric Andresen 2004-06-22 15:36:00 EDT
It might be interesting to note that this does not occur when
authenticating with gssapi (using the OpenSSH GSSAPI patch). It still
occurs if you use keypair authentication. This gives some confirmation
to it being ASKPASS related.
Comment 10 Robert Scheck 2004-08-17 21:45:39 EDT
Bug is still present in openssh-3.8.1p1-5:

# scp root@localhost:/etc/motd root@localhost:/tmp/foo
root@localhost's password:
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
lost connection
#
Comment 11 Chris Ricker 2004-08-25 10:36:01 EDT
Just to complicate things, here's what I see with FC2.

Using password-based authentication fails with bogus key-verification
errors:

$ scp root@localhost:/etc/passwd root@localhost:/tmp/passwd
root@localhost's password:
Host key verification failed.
lost connection
$

The host key *is* correct in the above

Using key-based authentication works:

$ rm /tmp/passwd
$ scp localhost:/etc/passwd localhost:/tmp/passwd
$ ls -l /tmp/passwd
-rw-r--r--  1 kaboom kaboom 1942 Aug 25 10:35 /tmp/passwd
$

Comment 12 Tomas Mraz 2004-09-14 08:59:46 EDT
Created attachment 103825 [details]
Proposed patch

This was really easy to fix. Note however that I don't know if it doesn't have
any unwanted side effects.

Also note that if you try this:
scp someone@some.remote.host:/xxxxx anyone@localhost:/bbbbbb

it will do something else than what you thought it should do, because it will
copy the /xxxxx file to the localhost on the remote machine not on the machine
you have typed the command on.
Comment 13 Ronny Buchmann 2004-10-19 13:38:36 EDT
*** Bug 121568 has been marked as a duplicate of this bug. ***
Comment 14 Alan Cox 2004-10-22 08:36:38 EDT
Still broken over a year late in FC3test3 despite a patch in the bug
Comment 15 Tomas Mraz 2005-02-07 04:46:16 EST
*** Bug 27831 has been marked as a duplicate of this bug. ***