Description of problem:

Using pam_ssh for sudo as described in pam_ssh_agent_auth(8):

/etc/pam.d/sudo

#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

/etc/sudoers.d/01_pam_ssh_auth

Defaults env_keep += "SSH_AUTH_SOCK"

Under Fedora 20, this configuration allows usage of the "sudo <xxx>" command without a password while using the current ssh daemon for the current session for authentication. After upgrading to Fedora 22, this no longer works. sudo prompts for the user password.

This is using a 1024 bit DSA key. SELinux is deactivated.

When using gnome-keyring-daemon, the following error message is logged into /var/log/messages:

Aug 9 14:55:59 forge gnome-keyring-daemon[1467]: signing of the data failed: The data is too long

When using ssh-agent and running in debug mode, the following messages are logged in /var/log/secure:

Aug 9 16:46:03 forge sudo[16950]: Beginning pam_ssh_agent_auth for user henning
Aug 9 16:46:03 forge sudo[16950]: Using default file=/etc/security/authorized_keys
Aug 9 16:46:03 forge sudo[16950]: Attempting authentication: `henning' as `henning' using /etc/security/authorized_keys
Aug 9 16:46:03 forge sudo[16950]: Contacted ssh-agent of user henning (1000)
Aug 9 16:46:03 forge sudo[16950]: trying public key file /etc/security/authorized_keys
Aug 9 16:46:03 forge sudo[16950]: secure_filename: checking for uid: 0
Aug 9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc/security'
Aug 9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc'
Aug 9 16:46:03 forge sudo[16950]: secure_filename: checking '/'
Aug 9 16:46:03 forge sudo[16950]: matching key found: file /etc/security/authorized_keys, line 1
Aug 9 16:46:03 forge sudo[16950]: Found matching DSA key: MD5:92:2b:83:7f:33:f1:f6:13:e3:12:e2:4d:4d:7a:e3:23
Aug 9 16:46:03 forge sudo[16950]: error: key_verify: invalid format
Aug 9 16:46:03 forge sudo[16950]: Failed Authentication: `henning' as `henning' using /etc/security/authorized_keys

Note the second last line.

Version-Release number of selected component (if applicable):

pam_ssh_agent_auth-0.9.3-6.4.fc22.x86_64
gnome-keyring-3.16.0-1.fc22.x86_64
openssh-clients-6.9p1-4.fc22.x86_64

How reproducible: always

Steps to Reproduce:
1. Install the sudo configuration as described above. Copy the user public key into /etc/security/authorized_keys and chmod this file to 0400.
2. tail -f /var/log/secure and /var/log/messages
3. Try "sudo <command>" with either ssh-agent with the key loaded or gnome-keyring-daemon with the key loaded.

Actual results: sudo does not work.

Expected results: sudo should work.

Additional info:
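As an added example (not code from the bug report, from pam_ssh_agent_auth or from the openssh package), the following Python script parses pam_ssh_agent_auth debug lines like the ones above out of /var/log/secure and reports, per sudo PID, which key matched and why the attempt failed. The point is the one the report makes with "note the second last line": an attempt where a key matched the authorized_keys file but key_verify then failed is a signing/verification problem, not a missing or wrong key. The sample log is constructed from the report's lines plus a made-up second RSA attempt with a placeholder fingerprint; the record field names and the diagnose() wording are my own.

```python
"""Parse pam_ssh_agent_auth debug lines from /var/log/secure and summarise
each sudo authentication attempt per PID.

Added example for this bug report; not code from the report, from
pam_ssh_agent_auth or from the openssh package.  Record field names and the
diagnose() wording are assumptions of this example.
"""
import re
from collections import OrderedDict

# Constructed sample log.  PID 16950 reproduces the lines posted in the
# report (syslog pads the day to two columns, hence "Aug  9").  PID 17001 is
# a made-up second attempt with an RSA key that reaches the key match and
# logs no failure; its fingerprint is a placeholder.  The gnome-keyring line
# from the report is included to show that non-sudo lines are ignored.
SAMPLE_LOG = """\
Aug  9 14:55:59 forge gnome-keyring-daemon[1467]: signing of the data failed: The data is too long
Aug  9 16:46:03 forge sudo[16950]: Beginning pam_ssh_agent_auth for user henning
Aug  9 16:46:03 forge sudo[16950]: Using default file=/etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: Attempting authentication: `henning' as `henning' using /etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: Contacted ssh-agent of user henning (1000)
Aug  9 16:46:03 forge sudo[16950]: trying public key file /etc/security/authorized_keys
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking for uid: 0
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc/security'
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/etc'
Aug  9 16:46:03 forge sudo[16950]: secure_filename: checking '/'
Aug  9 16:46:03 forge sudo[16950]: matching key found: file /etc/security/authorized_keys, line 1
Aug  9 16:46:03 forge sudo[16950]: Found matching DSA key: MD5:92:2b:83:7f:33:f1:f6:13:e3:12:e2:4d:4d:7a:e3:23
Aug  9 16:46:03 forge sudo[16950]: error: key_verify: invalid format
Aug  9 16:46:03 forge sudo[16950]: Failed Authentication: `henning' as `henning' using /etc/security/authorized_keys
Aug  9 17:02:11 forge sudo[17001]: Beginning pam_ssh_agent_auth for user henning
Aug  9 17:02:11 forge sudo[17001]: Attempting authentication: `henning' as `henning' using /etc/security/authorized_keys
Aug  9 17:02:11 forge sudo[17001]: matching key found: file /etc/security/authorized_keys, line 2
Aug  9 17:02:11 forge sudo[17001]: Found matching RSA key: MD5:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
"""

# One syslog line written by sudo: timestamp, host, "sudo[<pid>]:", message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(
    r"Attempting authentication: `(?P<user>[^']*)' as `(?P<target>[^']*)' "
    r"using (?P<keyfile>\S+)"
)
KEY_RE = re.compile(r"Found matching (?P<type>\w+) key: (?P<fp>\S+)")
ERROR_RE = re.compile(r"^error: (?P<err>.*)$")


def parse_attempts(log_text):
    """Group lines by sudo PID: a record starts at the module's
    'Beginning pam_ssh_agent_auth' line and later lines of the same PID
    are folded into it.  Returns an OrderedDict pid -> record."""
    attempts = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sudo line at all
        pid, msg = m.group("pid"), m.group("msg")
        if pid not in attempts:
            if not msg.startswith("Beginning pam_ssh_agent_auth"):
                continue  # some other sudo line, not an attempt we track
            attempts[pid] = {
                "host": m.group("host"), "started": m.group("ts"),
                "user": None, "target": None, "keyfile": None,
                "key_type": None, "fingerprint": None, "key_matched": False,
                "errors": [], "outcome": "no failure logged",
            }
        rec = attempts[pid]
        a = ATTEMPT_RE.search(msg)
        if a:
            rec["user"], rec["target"], rec["keyfile"] = a.group("user", "target", "keyfile")
        k = KEY_RE.search(msg)
        if k:
            rec["key_type"], rec["fingerprint"] = k.group("type", "fp")
            rec["key_matched"] = True
        if msg.startswith("matching key found"):
            rec["key_matched"] = True
        e = ERROR_RE.match(msg)
        if e:
            rec["errors"].append(e.group("err"))
        if msg.startswith("Failed Authentication"):
            rec["outcome"] = "failed"
    return attempts


def diagnose(rec):
    """Explain a failed attempt.  A key that matched the authorized_keys file
    and then hit a key_verify error points at the signing/verification path
    (the bug in this report), not at a missing or wrong key."""
    if rec["outcome"] != "failed":
        return "no failure logged"
    if rec["key_matched"] and any(err.startswith("key_verify") for err in rec["errors"]):
        return "signature verification failed after key match (agent/module signing path)"
    if not rec["key_matched"]:
        return "no authorized key matched"
    return "failed: " + ("; ".join(rec["errors"]) or "no reason logged")


if __name__ == "__main__":
    for pid, rec in parse_attempts(SAMPLE_LOG).items():
        print(f"sudo[{pid}] {rec['user']} -> {rec['target']} via {rec['keyfile']}: "
              f"{rec['key_type']} {rec['fingerprint']} -> {diagnose(rec)}")
```

Run against a real /var/log/secure, the same two functions give a quick triage of which sudo attempts got as far as a key match and which failed afterwards; the gnome-keyring "data is too long" message is a separate daemon's line and is deliberately not correlated here.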
This is definitely a build problem with the patched-together build of pam_ssh_agent_auth inside the openssh build. Peeling out the build and omitting the patches 300-305 (see attached spec file) creates a pam_ssh_agent_auth package that works with Fedora 22 and both ssh-agent and the gnome-keyring-daemon.
Created attachment 1060902 [details]
pam_ssh_agent_auth spec file

Download the openssh src rpm and install it. Drop the spec file into the SPECS folder and build the RPM. This yields a pam_ssh_agent_auth rpm. Install this rpm instead of the supplied Fedora 22 RPM.
I would love to hone in more on which of the patches is responsible, but they are so jumbled together that I am unable to do that. A package built with only 302 and 303 still works fine (any other patch added will either yield a failed build (300) or rejected patches (if 300 is omitted)).
The proper solution here would be to persuade OpenSSH upstream to take the pam_ssh_agent_auth code into the OpenSSH upstream. The code duplication with possible security issues being neglected in pam_ssh_agent_auth if the code is not continually rebased with the openssh upstream code is too high otherwise.
Created attachment 1061578 [details]
dist git patch

Thank you for the report. I forgot to make sure it works with the new rebased version. I will have to prepare some regression test for this use case. Incorporation of this code into upstream would make sense, but I don't see it as very likely. pam_ssh_agent_auth sticks with some old version, but in Fedora we try to stick with current openssh code to profit from openssh features (ECDSA keys and other stuff that is not working in upstream pam_ssh_agent_auth). Posting a dist git patch which worked for me (last time I probably made some mistake). I would like to get feedback on whether it works also for you, before I issue regular builds.

Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=10672912
openssh-7.0p1-1.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/openssh-7.0p1-1.fc23
Any plans to do a F22 update, too?
openssh-6.9p1-5.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.9p1-5.fc22
(thumbsup)
Package openssh-7.0p1-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-7.0p1-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13439/openssh-7.0p1-1.fc23
then log in and leave karma (feedback).
Ah, well. Unfortunately it does not work. :-( (I am still on F22 and I should probably use DNF but old habits die hard):

[root@forge ~]# yum update --enablerepo=updates-testing openssh-6.9p1-5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing openssh-6.9p1-5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'

Fedora 22 - x86_64 - Test Updates                          472 kB/s | 3.1 MB     00:06
Last metadata expiration check performed 0:00:06 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                 Arch         Version               Repository              Size
==============================================================================================================================================================
Upgrading:
 openssh                 x86_64       6.9p1-5.fc22          updates-testing        444 k
 openssh-askpass         x86_64       6.9p1-5.fc22          updates-testing         77 k
 openssh-clients         x86_64       6.9p1-5.fc22          updates-testing        644 k
 openssh-server          x86_64       6.9p1-5.fc22          updates-testing        467 k

Transaction Summary
==============================================================================================================================================================
Upgrade  4 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): openssh-6.9p1-5.fc22.x86_64.rpm                     244 kB/s | 444 kB     00:01
(2/4): openssh-server-6.9p1-5.fc22.x86_64.rpm              234 kB/s | 467 kB     00:01
(3/4): openssh-askpass-6.9p1-5.fc22.x86_64.rpm             222 kB/s |  77 kB     00:00
(4/4): openssh-clients-6.9p1-5.fc22.x86_64.rpm             153 kB/s | 644 kB     00:04
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                      342 kB/s | 1.6 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : openssh-6.9p1-5.fc22.x86_64                                    1/8
  Upgrading   : openssh-server-6.9p1-5.fc22.x86_64                             2/8
  Upgrading   : openssh-clients-6.9p1-5.fc22.x86_64                            3/8
  Upgrading   : openssh-askpass-6.9p1-5.fc22.x86_64                            4/8
  Cleanup     : openssh-askpass-6.9p1-4.fc22.x86_64                            5/8
  Cleanup     : openssh-clients-6.9p1-4.fc22.x86_64                            6/8
  Cleanup     : openssh-server-6.9p1-4.fc22.x86_64                             7/8
  Cleanup     : openssh-6.9p1-4.fc22.x86_64                                    8/8
  Verifying   : openssh-6.9p1-5.fc22.x86_64                                    1/8
  Verifying   : openssh-server-6.9p1-5.fc22.x86_64                             2/8
  Verifying   : openssh-clients-6.9p1-5.fc22.x86_64                            3/8
  Verifying   : openssh-askpass-6.9p1-5.fc22.x86_64                            4/8
  Verifying   : openssh-6.9p1-4.fc22.x86_64                                    5/8
  Verifying   : openssh-askpass-6.9p1-4.fc22.x86_64                            6/8
  Verifying   : openssh-clients-6.9p1-4.fc22.x86_64                            7/8
  Verifying   : openssh-server-6.9p1-4.fc22.x86_64                             8/8
-q

Upgraded:
  openssh.x86_64 6.9p1-5.fc22                 openssh-askpass.x86_64 6.9p1-5.fc22
  openssh-clients.x86_64 6.9p1-5.fc22         openssh-server.x86_64 6.9p1-5.fc22

Complete!
[root@forge ~]# yum update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22
Yum command has been deprecated, redirecting to '/usr/bin/dnf update --enablerepo=updates-testing pam_ssh_agent_auth-0.9.3-6.5.fc22'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'

Last metadata expiration check performed 0:01:22 ago on Sat Aug 15 16:20:39 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                    Arch         Version                  Repository              Size
==============================================================================================================================================================
Upgrading:
 pam_ssh_agent_auth         x86_64       0.9.3-6.5.fc22           updates-testing        209 k

Transaction Summary
==============================================================================================================================================================
Upgrade  1 Package

Total download size: 209 k
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64.rpm               246 kB/s | 209 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                      156 kB/s | 209 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64                       1/2
  Cleanup     : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                  2/2
  Verifying   : pam_ssh_agent_auth-0.9.3-6.5.fc22.x86_64                       1/2
  Verifying   : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                  2/2

Upgraded:
  pam_ssh_agent_auth.x86_64 0.9.3-6.5.fc22

Complete!
henning@forge $ sudo su -
[sudo] password for henning:

Back to my self-rolled package:

[root@forge ~]# dnf install pam_ssh_agent_auth
Last metadata expiration check performed 1:47:03 ago on Sat Aug 15 14:39:03 2015.
Dependencies resolved.
==============================================================================================================================================================
 Package                    Arch         Version                      Repository              Size
==============================================================================================================================================================
Installing:
 pam_ssh_agent_auth         x86_64       0.9.3-6.4.2.fc22.im          intermeta-local        118 k

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 118 k
Installed size: 2.4 M
Is this ok [y/N]: y
Downloading Packages:
pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64.rpm          5.5 MB/s | 118 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                      5.2 MB/s | 118 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                  1/1
  Verifying   : pam_ssh_agent_auth-0.9.3-6.4.2.fc22.im.x86_64                  1/1

Installed:
  pam_ssh_agent_auth.x86_64 0.9.3-6.4.2.fc22.im

Complete!
henning@forge $ sudo su -
[root@forge ~]#
Sorry. Last time I tested only with an RSA key. I can reproduce the issue with a DSA key. It is related to the refactoring in recent versions and I probably missed some piece.
Ok, this was painful debugging. I accidentally pushed there 1 as compat flag to agent sign method, which meant to use compat mode for these keys and it was the root of the whole problem that appeared only with DSA keys. Fix: diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch -+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 1) != 0) ++ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0) I will update early. In the meantime, can you make sure this scratch build fixed the issue? It worked for me: http://koji.fedoraproject.org/koji/taskinfo?taskID=10731738
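Review bot: the compat argument to ssh_agent_sign is still a bare literal (the `0` that replaces the `1`), and as the comment explains the wrong literal silently selected compat-mode signing and broke only DSA keys, so the corrected line would benefit from a short comment or a named constant stating that 0 means no compatibility quirks, to keep the next rebase from reintroducing the value. The regression test mentioned earlier in this report should exercise a DSA key alongside the RSA key, since testing only with RSA is exactly what let this slip through.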
Will try to check tomorrow night; don't have the F22 box today. (That's why I have given up on C programming. I remember line-noise patches like this one fondly... :-) ) Thanks for digging into this, this will make a better experience for every Fedora user. I really appreciate the hard work that the whole Fedora community and Red Hat put into making this the best Linux distribution all around.
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Yes, that scratch build fixes the problem for me. Thank you so much, Jakub. I switched the status back to ON_QA, the build bot closed the ticket erroneously.
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
openssh-7.0p1-2.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/openssh-7.0p1-2.fc23
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13814
openssh-7.0p1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/openssh-7.0p1-2.fc23
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13999
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.