Bug 1333498

Summary: Regression in certificate based authentication in openssh 7.2.
Product: [Fedora] Fedora
Reporter: Jamie Beverly <jamie.r.beverly>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 23
CC: jjelen, mattias.ellert, mgrepl, plautrba, pquerna, rickvek, tmraz
Fixed In Version: openssh-7.2p2-7.fc24
Doc Type: Bug Fix
Last Closed: 2016-06-18 18:40:14 UTC
Type: Bug

Description Jamie Beverly 2016-05-05 16:23:44 UTC
Description of problem:

Regression in certificate based authentication in openssh 7.2.

upstream bug (with fix): https://bugzilla.mindrot.org/show_bug.cgi?id=2550

(same bug on ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1575961 )

Version-Release number of selected component (if applicable):
openssh 7.2, commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8

How reproducible:

100%

Steps to Reproduce:
1. Load certificate with private key into agent, but don't load the private key separately.
2. Attempt to authenticate.

Actual results: Certificate is rejected, and authentication fails

Expected results: Certificate is seen as certified, and authentication succeeds.


Additional info:
This bug also affects users not using ssh-agent when using IdentityFile when a <key>-cert.pub is found, because of the ordering dependency in authctxt.
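
Added example, not part of the original report or of the OpenSSH code: a triage check for the agent state in step 1 of the reproduction. It parses `ssh-add -L` output and lists certificates whose plain public key is not loaded as a separate identity. It assumes Ed25519 keys only and the certificate field order from OpenSSH's PROTOCOL.certkeys; the function names and sample keys are constructed for illustration.

```python
import base64
import struct

PLAIN_TYPE = b"ssh-ed25519"
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identity(line):
    """Return (is_cert, public_key, comment) for one `ssh-add -L` line.
    Returns None for other text and for non-Ed25519 key types (assumption)."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0].encode() not in (PLAIN_TYPE, CERT_TYPE):
        return None
    blob = base64.b64decode(fields[1], validate=True)
    comment = fields[2].strip() if len(fields) > 2 else ""
    ktype, off = read_string(blob, 0)
    if ktype != fields[0].encode():
        raise ValueError("key type label does not match blob")
    if ktype == CERT_TYPE:
        _nonce, off = read_string(blob, off)  # certs carry a nonce before the key
    pk, _ = read_string(blob, off)
    return ktype == CERT_TYPE, pk, comment

def cert_only_identities(listing):
    """Comments of certificates whose plain key is not also in the agent."""
    parsed = [p for p in map(parse_identity, listing.splitlines()) if p]
    plain = {pk for is_cert, pk, _ in parsed if not is_cert}
    return [c for is_cert, pk, c in parsed if is_cert and pk not in plain]

def sample_line(is_cert, pk, comment):
    """Build a constructed listing line; cert blobs stop after the key field."""
    ktype = CERT_TYPE if is_cert else PLAIN_TYPE
    parts = [ktype, b"N" * 32, pk] if is_cert else [ktype, pk]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{ktype.decode()} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample: alice has key and cert loaded, bob has only the cert.
SAMPLE = "\n".join([
    sample_line(False, b"A" * 32, "alice"),
    sample_line(True, b"A" * 32, "alice-cert"),
    sample_line(True, b"B" * 32, "bob-cert"),
])
```

Feed the function the real output of `ssh-add -L` to find identities in the state the report describes.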

Comment 1 Jakub Jelen 2016-05-06 07:28:09 UTC
Thank you for the report. It sounds reasonable to fix this. I will provide an update soon.

Comment 2 Fedora Update System 2016-06-06 16:02:13 UTC
openssh-7.2p2-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 3 Fedora Update System 2016-06-06 17:56:35 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 4 Fedora Update System 2016-06-18 18:40:07 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.