Bug 772641

Summary: ssh hostbased authentication error messages about ssh keysign
Product: [Fedora] Fedora
Reporter: Edgar Hoch <edgar.hoch>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: mattias.ellert, mgrepl, plautrba, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-28 14:00:17 UTC

Description Edgar Hoch 2012-01-09 13:52:30 UTC
Description of problem:

When I add to /etc/ssh/sshd_config the line

HostbasedAuthentication yes

and when we add to /etc/ssh/ssh_config the lines

HostbasedAuthentication yes
EnableSSHKeysign yes

then we get the following error messages when calling "ssh myhost" where "myhost" is listed in /etc/ssh/ssh_known_hosts and in /etc/ssh/shosts.equiv:

could not open any host key
ssh_keysign: no reply
key_sign failed

I called ssh with debug options "-vvv" - here is the important part for the message above:

debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost myhost.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1292
could not open any host key
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method


I also set
setsebool allow_ssh_keysign on

but this doesn't change the error messages.


Version-Release number of selected component (if applicable):
openssh-5.8p2-23.fc16.x86_64
selinux-policy-3.10.0-69.fc16.noarch
selinux-policy-targeted-3.10.0-69.fc16.noarch
policycoreutils-2.1.4-13.fc16.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. Modify /etc/ssh/ssh_config as mentioned above
2. Modify /etc/ssh/sshd_config as mentioned above
3. Add remote host key to /etc/ssh/ssh_known_hosts
4. Add remote host name to /etc/ssh/shosts.equiv
5. Connect to remote host using ssh
  
Actual results:
ssh myhost displays the error messages above.

Expected results:
ssh displays no error messages.

Comment 1 Edgar Hoch 2012-01-09 13:53:31 UTC
Additional note:

This configuration worked fine in Fedora 15 and previous versions.

Comment 2 Petr Lautrbach 2012-02-03 14:42:35 UTC
> could not open any host key
> ssh_keysign: no reply
> key_sign failed

Check your private key file permissions. ssh-keysign is set to run as the ssh_keys group, so key file permissions should look like:

-rw-r-----. 1 root ssh_keys    668 Sep 12 15:00 ssh_host_dsa_key
-rw-r--r--. 1 root root        590 Sep 12 15:00 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys    965 Sep 12 15:00 ssh_host_key
-rw-r--r--. 1 root root        630 Sep 12 15:00 ssh_host_key.pub
-rw-r-----. 1 root ssh_keys   1679 Sep 12 15:00 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep 12 15:00 ssh_host_rsa_key.pub
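
An added example, not part of the original bug thread or of OpenSSH: one way to check a directory listing against the layout shown in comment 2. The helper name audit_hostkeys and the sample listing are assumptions made for illustration. A private key readable only by root is reported as a failure, because ssh-keysign running with the ssh_keys group cannot open it.

```shell
#!/bin/sh
# audit_hostkeys: hypothetical helper, not part of OpenSSH or Fedora.
# Reads `ls -l` output on stdin and compares every host key with the layout
# from comment 2. Prints OK/FAIL per key; exit status 1 if any key fails.
audit_hostkeys() {
    awk '
    function fail(n, why) { print "FAIL " n ": " why; bad = 1 }
    {
        name = $NF; owner = $3; group = $4
        perms = substr($1, 1, 10)      # drop the trailing SELinux "." marker
    }
    name ~ /^ssh_host_([a-z0-9]+_)?key$/ {
        # Private key: ssh-keysign opens it through the ssh_keys group.
        if (owner != "root")
            fail(name, "owner is " owner ", expected root")
        else if (substr(perms, 8, 3) != "---")
            fail(name, "accessible to other users (" perms ")")
        else if (group != "ssh_keys" || substr(perms, 5, 1) != "r")
            fail(name, "not readable by group ssh_keys (" perms " " owner ":" group ")")
        else if (perms != "-rw-r-----")
            fail(name, "mode is " perms ", expected -rw-r-----")
        else
            print "OK   " name
        next
    }
    name ~ /^ssh_host_([a-z0-9]+_)?key\.pub$/ {
        # Public key: readable by everyone, writable only by root.
        if (owner == "root" && perms == "-rw-r--r--")
            print "OK   " name
        else
            fail(name, "expected -rw-r--r-- owned by root, got " perms " " owner)
        next
    }
    END { exit bad + 0 }
    '
}

# Constructed listing: the RSA key is root-only, the DSA key follows comment 2.
sample_listing() {
    cat <<'EOF'
-rw-------. 1 root root      1679 Jan  9 13:40 ssh_host_rsa_key
-rw-r--r--. 1 root root       382 Jan  9 13:40 ssh_host_rsa_key.pub
-rw-r-----. 1 root ssh_keys   668 Jan  9 13:40 ssh_host_dsa_key
-rw-r--r--. 1 root root       590 Jan  9 13:40 ssh_host_dsa_key.pub
EOF
}

sample_listing | audit_hostkeys || true
```

On a real client, feed it the live listing with `ls -l /etc/ssh | audit_hostkeys`; the keys that matter are those on the host where ssh-keysign runs.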

Comment 3 Petr Lautrbach 2012-02-08 09:58:35 UTC
Did comment #c2 help you? I'm able to configure HostbasedAuthentication on F16 without any problem.

Comment 4 Petr Lautrbach 2012-02-28 14:00:17 UTC
Closing this now. Feel free to re-open it if comment #c2 doesn't help you.