Bug 1333498 - Regression in certificate based authentication in openssh 7.2.
Summary: Regression in certificate based authentication in openssh 7.2.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-05 16:23 UTC by Jamie Beverly
Modified: 2016-06-18 18:40 UTC

Fixed In Version: openssh-7.2p2-7.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-18 18:40:14 UTC
Type: Bug
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 2550 0 None None None 2016-05-05 16:23:44 UTC

Description Jamie Beverly 2016-05-05 16:23:44 UTC
Description of problem:

Regression in certificate based authentication in openssh 7.2.

upstream bug (with fix): https://bugzilla.mindrot.org/show_bug.cgi?id=2550

(same bug on ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1575961 )

Version-Release number of selected component (if applicable):
openssh 7.2, commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8

How reproducible:

100%

Steps to Reproduce:
1. Load certificate with private key into agent, but don't load the private key separately.
2. Attempt to authenticate.

Actual results: Certificate is rejected, and authentication fails

Expected results: Certificate is seen as certified, and authentication succeeds.


Additional info:
This bug also affects users not using ssh-agent when using IdentityFile when a <key>-cert.pub is found, because of the ordering dependency in authctxt.

Comment 1 Jakub Jelen 2016-05-06 07:28:09 UTC
Thank you for the report. It sounds reasonable to fix this. I will provide an update soon.

Comment 2 Fedora Update System 2016-06-06 16:02:13 UTC
openssh-7.2p2-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 3 Fedora Update System 2016-06-06 17:56:35 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 4 Fedora Update System 2016-06-18 18:40:07 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

