Bug 1251777
Summary: | pam_ssh_agent_auth does not work with gnome-keyring-daemon or ssh-agent
---|---
Product: | [Fedora] Fedora
Component: | openssh
Version: | 22
Hardware: | x86_64
OS: | Linux
Status: | CLOSED NEXTRELEASE
Severity: | medium
Priority: | unspecified
Keywords: | Reopened
Reporter: | Henning Schmiedehausen <hps>
Assignee: | Jakub Jelen <jjelen>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | jjelen, mattias.ellert, mgrepl, plautrba, tmraz
Fixed In Version: | 6.9p1-6.fc22.1
Doc Type: | Bug Fix
Type: | Bug
Last Closed: | 2015-08-26 04:32:39 UTC

Description
Henning Schmiedehausen
2015-08-09 23:50:49 UTC
This is definitely a build problem with the patched-together build of pam_ssh_agent_auth inside the openssh build. Peeling out the build and omitting the patches 300-305 (see attached spec file) creates a pam_ssh_agent_auth package that works with Fedora 22 and both ssh-agent and the gnome-keyring-daemon.

Created attachment 1060902
pam_ssh_agent_auth spec file

Download the openssh src rpm and install it. Drop the spec file into the SPECS folder and build the RPM. This yields a pam_ssh_agent_auth rpm. Install this rpm instead of the supplied Fedora 22 RPM.

I would love to hone in more on which of the patches is responsible, but they are so jumbled together that I am unable to do that. A package built with only 302 and 303 still works fine (any other patch added will either yield a failed build (300) or rejected patches (if 300 is omitted)).

The proper solution here would be to persuade OpenSSH upstream to take the pam_ssh_agent_auth code into the OpenSSH upstream. The code duplication with possible security issues being neglected in pam_ssh_agent_auth if the code is not continually rebased with the openssh upstream code is too high otherwise.

Created attachment 1061578
dist git patch

Thank you for the report. I forgot to make sure it works with the new rebased version. I will have to prepare some regression test for this use case.

Incorporation of this code into upstream would make sense, but I don't see it as very likely. pam_ssh_agent_auth sticks with some old version, but in Fedora we try to stick with current openssh code to profit from openssh features (ECDSA keys and other stuff that is not working in upstream pam_ssh_agent_auth).

Posting dist git patch which worked for me (last time I probably made some mistake). I would like to get feedback if it works also for you, before I issue regular builds.

Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=10672912

openssh-7.0p1-1.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/openssh-7.0p1-1.fc23

Any plans to do a F22 update, too?

openssh-6.9p1-5.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.9p1-5.fc22

(thumbsup)

Package openssh-7.0p1-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-7.0p1-1.fc23'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13439/openssh-7.0p1-1.fc23 then log in and leave karma (feedback).

Ah, well. Unfortunately it does not work. :-( (I am still on F22 and I should probably use DNF but old habits die hard):

```
[root@forge ~]# yum update --enablerepo=updates-testing openssh-6.9p1-5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing openssh-6.9p1-5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'
Fedora 22 - x86_64 - Test Updates 472 kB/s | 3.1 MB 00:06
Last metadata expiration check performed 0:00:06 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================
Upgrading:
openssh x86_64 6.9p1-5.fc22 updates-testing 444 k
openssh-askpass x86_64 6.9p1-5.fc22 updates-testing 77 k
openssh-clients x86_64 6.9p1-5.fc22 updates-testing 644 k
openssh-server x86_64 6.9p1-5.fc22 updates-testing 467 k
Transaction Summary
==============================================================================================================================================================
Upgrade 4 Packages
Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): openssh-6.9p1-5.fc22.x86_64.rpm 244 kB/s | 444 kB 00:01
(2/4): openssh-server-6.9p1-5.fc22.x86_64.rpm 234 kB/s | 467 kB 00:01
(3/4): openssh-askpass-6.9p1-5.fc22.x86_64.rpm 222 kB/s | 77 kB 00:00
(4/4): openssh-clients-6.9p1-5.fc22.x86_64.rpm 153 kB/s | 644 kB 00:04
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 342 kB/s | 1.6 MB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Upgrading : openssh-6.9p1-5.fc22.x86_64 1/8
Upgrading : openssh-server-6.9p1-5.fc22.x86_64 2/8
Upgrading : openssh-clients-6.9p1-5.fc22.x86_64 3/8
Upgrading : openssh-askpass-6.9p1-5.fc22.x86_64 4/8
Cleanup : openssh-askpass-6.9p1-4.fc22.x86_64 5/8
Cleanup : openssh-clients-6.9p1-4.fc22.x86_64 6/8
Cleanup : openssh-server-6.9p1-4.fc22.x86_64 7/8
Cleanup : openssh-6.9p1-4.fc22.x86_64 8/8
Verifying : openssh-6.9p1-5.fc22.x86_64 1/8
Verifying : openssh-server-6.9p1-5.fc22.x86_64 2/8
Verifying : openssh-clients-6.9p1-5.fc22.x86_64 3/8
Verifying : openssh-askpass-6.9p1-5.fc22.x86_64 4/8
Verifying : openssh-6.9p1-4.fc22.x86_64 5/8
Verifying : openssh-askpass-6.9p1-4.fc22.x86_64 6/8
Verifying : openssh-clients-6.9p1-4.fc22.x86_64 7/8
Verifying : openssh-server-6.9p1-4.fc22.x86_64 8/8
-q
Upgraded:
openssh.x86_64 6.9p1-5.fc22 openssh-askpass.x86_64 6.9p1-5.fc22 openssh-clients.x86_64 6.9p1-5.fc22 openssh-server.x86_64 6.9p1-5.fc22
Complete!
[root@forge ~]# yum update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'
Last metadata expiration check performed 0:01:22 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================
Upgrading:
pam_ssh_agent_auth x86_64 0.9.3-6.5.fc22 updates-testing 209 k
Transaction Summary
==============================================================================================================================================================
Upgrade 1 Package
Total download size: 209 k
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64.rpm 246 kB/s | 209 kB 00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 156 kB/s | 209 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Upgrading : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64 1/2
Cleanup : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64 2/2
Verifying : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64 1/2
Verifying : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64 2/2
Upgraded:
pam_ssh_agent_auth.x86_64 0.9.3-6.5.fc22
Complete!
henning@forge $ sudo su -
[sudo] password for henning:
```

Back to my self-rolled package:

```
[root@forge ~]# dnf install pam_ssh_agent_auth
Last metadata expiration check performed 1:47:03 ago on Sat Aug 15 14:39:03 2015.
Dependencies resolved.
==============================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================
Installing:
pam_ssh_agent_auth x86_64 0.9.3-6.4.2.fc22.im intermeta-local 118 k
Transaction Summary
==============================================================================================================================================================
Install 1 Package
Total download size: 118 k
Installed size: 2.4 M
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64.rpm 5.5 MB/s | 118 kB 00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 5.2 MB/s | 118 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64 1/1
Verifying : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64 1/1
Installed:
pam_ssh_agent_auth.x86_64 0.9.3-6.4.2.fc22.im
Complete!
henning@forge $ sudo su -
[root@forge ~]#
```

Sorry. Last time I tested only with an RSA key. I can reproduce the issue with a DSA key. It is related to the refactoring in recent versions and I probably missed some piece.

Ok, this was painful debugging. I accidentally pushed 1 there as the compat flag to the agent sign method, which meant to use compat mode for these keys, and it was the root of the whole problem that appeared only with DSA keys.

Fix:

diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch -+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 1) != 0) ++ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)

I will update early. In the meantime, can you make sure this scratch build fixed the issue? It worked for me: http://koji.fedoraproject.org/koji/taskinfo?taskID=10731738

Will try to check tomorrow night; don't have the F22 box today. (That's why I have given up on C programming. I remember line noise patches like this one fondly... :-) )

Thanks for digging into this, this will make a better experience for every Fedora user. I really appreciate the hard work that the whole Fedora community and Red Hat put into making this the best Linux distribution all around.

openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Yes, that scratch build fixes the problem for me. Thank you so much, Jakub. I switched the status back to ON_QA, the build bot closed the ticket erroneously.

openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

openssh-7.0p1-2.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/openssh-7.0p1-2.fc23

openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13814

openssh-7.0p1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/openssh-7.0p1-2.fc23

openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13999

openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
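
Review bot: the last argument of the changed ssh_agent_sign call is a bare literal, and the fix swaps 1 for 0 with nothing on the line saying what the value selects. A named constant or a short comment beside the call, stating that 0 means no compat flag is passed to the agent sign method, would make a wrong value visible in review. The thread reports that the failure appeared only with DSA keys after testing with RSA alone, so the regression test mentioned earlier in the thread should exercise a DSA key as well as an RSA key.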