Bug 1251777 - pam_ssh_agent_auth does not work with gnome-keyring-daemon or ssh-agent
pam_ssh_agent_auth does not work with gnome-keyring-daemon or ssh-agent
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
22
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Jakub Jelen
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-09 19:50 EDT by Henning Schmiedehausen
Modified: 2015-12-08 02:24 EST (History)
5 users (show)

See Also:
Fixed In Version: 6.9p1-6.fc22.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-26 00:32:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
pam_ssh_agent_auth spec file (1.10 KB, text/x-rpm-spec)
2015-08-09 23:16 EDT, Henning Schmiedehausen
no flags Details
dist git patch (1.17 KB, patch)
2015-08-11 12:04 EDT, Jakub Jelen
no flags Details | Diff

  None (edit)
Description Henning Schmiedehausen 2015-08-09 19:50:49 EDT
Description of problem:

Using pam_ssh for sudo as described in pam_ssh_agent_auth(8):

/etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

/etc/sudoers.d/01_pam_ssh_auth 
Defaults    env_keep += "SSH_AUTH_SOCK"

Under Fedora 20, this configuration allows usage of the "sudo <xxx>" command without password while using the current ssh daemon for the current session for authentication.

After upgrading to Fedora 22, this no longer works. sudo prompts for the user password.

This is using a 1024 bit DSA key. SELinux is deactivated. 

When using gnome-keyring-daemon, the following errors message is logged into /var/log/messages:

Aug  9 14:55:59 forge gnome-keyring-daemon[1467]: signing of the data failed: The data is too long

When using ssh-agent and running in debug mode, the following messages are logged in /var/log/secure:

Aug  9 16:46:03 forge sudo[16950]: Beginning pam_ssh_agent_auth for user henning
Aug  9 16:46:03 forge sudo[16950]: Using default file=/etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: Attempting authentication: `henning' as `henning' using /etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: Contacted ssh-agent of user henning (1000)
Aug  9 16:46:03 forge sudo[16950]: trying public key file /etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking for uid: 0
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc/security'
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc'
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/'
Aug  9 16:46:03 forge sudo[16950]: matching key found: file /etc/security/authorized_keys, line 1
Aug  9 16:46:03 forge sudo[16950]: Found matching DSA key: MD5:92:2b:83:7f:33:f1:f6:13:e3:12:e2:4d:4d:7a:e3:23
Aug  9 16:46:03 forge sudo[16950]: error: key_verify: invalid format
Aug  9 16:46:03 forge sudo[16950]: Failed Authentication: `henning' as `henning' using /etc/security/authorized_keys

Note the second last line. 

Version-Release number of selected component (if applicable):
pam_ssh_agent_auth-0.9.3-6.4.fc22.x86_64
gnome-keyring-3.16.0-1.fc22.x86_64
openssh-clients-6.9p1-4.fc22.x86_64

How reproducible:

always


Steps to Reproduce:

1. install the sudo configuration as described above. Copy user public key into /etc/security/authorized_keys and chmod this file to 0400
2. tail -f /var/log/secure and /var/log/messages
3. try "sudo <command>" with either ssh-agent with key loaded or gnome-keyring-daemon with key loaded

Actual results:

sudo does not work.

Expected results:

sudo should work.

Additional info:
Comment 1 Henning Schmiedehausen 2015-08-09 23:14:56 EDT
This is definitely a build problem with the patched together build of pam_ssh_agent_auth inside the openssh build. Peeling out the build and omitting the patches 300-305 (see attached spec file) creates a pam_ssh_agent_auth package that works with Fedora 22 and both ssh-agent and the gnome-keyring-daemon
Comment 2 Henning Schmiedehausen 2015-08-09 23:16:49 EDT
Created attachment 1060902 [details]
pam_ssh_agent_auth spec file

download the openssh src rpm and install it. Drop the spec file into the SPECS folder and build the RPM. This yields an pam_ssh_agent_auth rpm. Install this rpm instead of the supplied fedora 22 RPM.
Comment 3 Henning Schmiedehausen 2015-08-09 23:30:17 EDT
I would love to hone in more which of the patches is responsible, but they are so jumbled together that I am unable to do that. A package built with only 302 and 303 still works fine (any other patch added will either yield an failed build (300) or rejected patches (if 300 is omitted).
Comment 4 Tomas Mraz 2015-08-10 05:01:32 EDT
The proper solution here would be to persuade OpenSSH upstream to take the pam_ssh_agent_auth code into the OpenSSH upstream. The code duplication with possible security issues being neglected in pam_ssh_agent_auth if the code is not continually rebased with the openssh upstream code is too high otherwise.
Comment 5 Jakub Jelen 2015-08-11 12:04:45 EDT
Created attachment 1061578 [details]
dist git patch

Thank you for the report. I forgot to make sure it works with new rebased version. I will have to prepare some regression test for this use case.

Incorporation of this code into upstream would make sense, but I don't see it is much likely. pam_ssh_agent_auth stick with some old version, but in Fedora we try to stick with current openssh code to profit from openssh features (ECDSA keys and other stuff that is not working in upstream pam_ssh_agent_auth).

Posting dist git patch which worked for me (last time I probably did some mistake). I would like to get feedback if it works also for you, before I will issue regular builds.

Scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=10672912
Comment 6 Fedora Update System 2015-08-13 12:40:04 EDT
openssh-7.0p1-1.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/openssh-7.0p1-1.fc23
Comment 7 Henning Schmiedehausen 2015-08-13 12:43:06 EDT
Any plans to do a F22 update, too?
Comment 8 Fedora Update System 2015-08-14 07:26:22 EDT
openssh-6.9p1-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.9p1-5.fc22
Comment 9 Henning Schmiedehausen 2015-08-14 13:08:54 EDT
(thumbsup)
Comment 10 Fedora Update System 2015-08-14 22:08:53 EDT
Package openssh-7.0p1-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-7.0p1-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13439/openssh-7.0p1-1.fc23
then log in and leave karma (feedback).
Comment 11 Henning Schmiedehausen 2015-08-15 19:26:59 EDT
Ah, well. Unfortunately it does not work. :-(

(I am still on F22 and I should probably use DNF but old habits die hard):

[root@forge ~]# yum update --enablerepo=updates-testing openssh-6.9p1-5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing openssh-6.9p1-5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'

Fedora 22 - x86_64 - Test Updates                                                                                             472 kB/s | 3.1 MB     00:06    
Last metadata expiration check performed 0:00:06 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                                 Arch                           Version                                 Repository                               Size
==============================================================================================================================================================
Upgrading:
 openssh                                 x86_64                         6.9p1-5.fc22                            updates-testing                         444 k
 openssh-askpass                         x86_64                         6.9p1-5.fc22                            updates-testing                          77 k
 openssh-clients                         x86_64                         6.9p1-5.fc22                            updates-testing                         644 k
 openssh-server                          x86_64                         6.9p1-5.fc22                            updates-testing                         467 k

Transaction Summary
==============================================================================================================================================================
Upgrade  4 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): openssh-6.9p1-5.fc22.x86_64.rpm                                                                                        244 kB/s | 444 kB     00:01    
(2/4): openssh-server-6.9p1-5.fc22.x86_64.rpm                                                                                 234 kB/s | 467 kB     00:01    
(3/4): openssh-askpass-6.9p1-5.fc22.x86_64.rpm                                                                                222 kB/s |  77 kB     00:00    
(4/4): openssh-clients-6.9p1-5.fc22.x86_64.rpm                                                                                153 kB/s | 644 kB     00:04    
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                         342 kB/s | 1.6 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : openssh-6.9p1-5.fc22.x86_64                                                                                                               1/8 
  Upgrading   : openssh-server-6.9p1-5.fc22.x86_64                                                                                                        2/8 
  Upgrading   : openssh-clients-6.9p1-5.fc22.x86_64                                                                                                       3/8 
  Upgrading   : openssh-askpass-6.9p1-5.fc22.x86_64                                                                                                       4/8 
  Cleanup     : openssh-askpass-6.9p1-4.fc22.x86_64                                                                                                       5/8 
  Cleanup     : openssh-clients-6.9p1-4.fc22.x86_64                                                                                                       6/8 
  Cleanup     : openssh-server-6.9p1-4.fc22.x86_64                                                                                                        7/8 
  Cleanup     : openssh-6.9p1-4.fc22.x86_64                                                                                                               8/8 
  Verifying   : openssh-6.9p1-5.fc22.x86_64                                                                                                               1/8 
  Verifying   : openssh-server-6.9p1-5.fc22.x86_64                                                                                                        2/8 
  Verifying   : openssh-clients-6.9p1-5.fc22.x86_64                                                                                                       3/8 
  Verifying   : openssh-askpass-6.9p1-5.fc22.x86_64                                                                                                       4/8 
  Verifying   : openssh-6.9p1-4.fc22.x86_64                                                                                                               5/8 
  Verifying   : openssh-askpass-6.9p1-4.fc22.x86_64                                                                                                       6/8 
  Verifying   : openssh-clients-6.9p1-4.fc22.x86_64                                                                                                       7/8 
  Verifying   : openssh-server-6.9p1-4.fc22.x86_64                                                                                                        8/8 
-q
Upgraded:
  openssh.x86_64 6.9p1-5.fc22      openssh-askpass.x86_64 6.9p1-5.fc22      openssh-clients.x86_64 6.9p1-5.fc22      openssh-server.x86_64 6.9p1-5.fc22     

Complete!
[root@forge ~]# yum update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'

Last metadata expiration check performed 0:01:22 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                                   Arch                          Version                                 Repository                              Size
==============================================================================================================================================================
Upgrading:
 pam_ssh_agent_auth                        x86_64                        0.9.3-6.5.fc22                          updates-testing                        209 k

Transaction Summary
==============================================================================================================================================================
Upgrade  1 Package

Total download size: 209 k
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64.rpm                                                                                  246 kB/s | 209 kB     00:00    
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                         156 kB/s | 209 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64                                                                                                  1/2 
  Cleanup     : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                                                                                             2/2 
  Verifying   : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64                                                                                                  1/2 
  Verifying   : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                                                                                             2/2 

Upgraded:
  pam_ssh_agent_auth.x86_64 0.9.3-6.5.fc22                                                                                                                    

Complete!

henning@forge $ sudo su -
[sudo] password for henning: 

Back to my self rolled package:

[root@forge ~]# dnf install pam_ssh_agent_auth
Last metadata expiration check performed 1:47:03 ago on Sat Aug 15 14:39:03 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                                  Arch                         Version                                    Repository                             Size
==============================================================================================================================================================
Installing:
 pam_ssh_agent_auth                       x86_64                       0.9.3-6.4.2.fc22.im                        intermeta-local                       118 k

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 118 k
Installed size: 2.4 M
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64.rpm                                                                             5.5 MB/s | 118 kB     00:00    
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                         5.2 MB/s | 118 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                                                                                             1/1 
  Verifying   : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                                                                                             1/1 

Installed:
  pam_ssh_agent_auth.x86_64 0.9.3-6.4.2.fc22.im                                                                                                               

Complete!

henning@forge $ sudo su -
[root@forge ~]#
Comment 12 Jakub Jelen 2015-08-17 08:21:33 EDT
Sorry. Last time I tested only with RSA key. I can reproduce the issue with DSA key. It is related to the refactoring in recent versions and I probably missed some piece.
Comment 13 Jakub Jelen 2015-08-17 10:38:43 EDT
Ok, this was painful debugging. I accidentally pushed there 1 as compat flag to agent sign method, which meant to use compat mode for these keys and it was the root of the whole problem that appeared only with DSA keys. Fix:

diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch
-+    if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 1) != 0)
++    if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)

I will update early. In the meantime, can you make sure this scratch build fixed the issue? It worked for me:
http://koji.fedoraproject.org/koji/taskinfo?taskID=10731738
Comment 14 Henning Schmiedehausen 2015-08-18 00:39:55 EDT
Will try to check tomorrow night; don't have the F22 box today.

(that's why I have given up on C programming. I remember line noise patches like this one fondly... :-) )

Thanks for digging into this, this will make a better experience for every Fedora user. I really appreciate the hard work that the whole Fedora community and Redhat put into making this the best Linux distribution all around.
Comment 15 Fedora Update System 2015-08-18 01:19:17 EDT
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Henning Schmiedehausen 2015-08-19 01:35:06 EDT
Yes, that scratch build fixes the problem for me. Thank you so much, Jakub.

I switched the status back to ON_QA, the build bot closed the ticket erronuously.
Comment 17 Fedora Update System 2015-08-19 04:15:43 EDT
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-08-19 10:55:27 EDT
openssh-7.0p1-2.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/openssh-7.0p1-2.fc23
Comment 19 Fedora Update System 2015-08-21 22:51:29 EDT
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13814
Comment 20 Fedora Update System 2015-08-22 12:26:01 EDT
openssh-7.0p1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/openssh-7.0p1-2.fc23
Comment 21 Fedora Update System 2015-08-23 18:19:58 EDT
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13999
Comment 22 Fedora Update System 2015-08-26 00:32:35 EDT
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2015-09-01 19:22:41 EDT
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.