Bug 1405158 - We need /etc/ssh/sshd_config to support multiple files in the AuthorizedKeysFile line, and for sshd to use them in both RHEL 5 and RHEL 6
Summary: We need /etc/ssh/sshd_config to support multiple files in the AuthorizedKeysF...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 6.9
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-15 17:38 UTC by Greg Scott
Modified: 2020-03-11 15:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-17 16:27:56 UTC
Target Upstream Version:
Embargoed:



Description Greg Scott 2016-12-15 17:38:18 UTC
Description of problem:

Apparently, every version of sshd since the dawn of time and across all operating systems **except RHEL 5 and RHEL 6** supports multiple files in the AuthorizedKeysFile line of /etc/ssh/sshd_config, and supports the default behavior of using .ssh/authorized_keys and .ssh/authorized_keys2 by default.

I have a customer with thousands of RHEL 5 and RHEL 6 systems that needs both RHEL 5 and RHEL 6 to behave in this standard manner. It's basic Linux functionality and it's broken in RHEL 5 and RHEL 6.  sshd apparently does work as expected in RHEL 4 and earlier and works properly in RHEL 7 (see below).

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-118.1.el6_8.x86_64

Apparently 5.3p1-104 at least supports the default behavior.  But earlier and more recent minor versions are broken.

How reproducible:
at will

Steps to Reproduce:
1. Edit /etc/ssh/sshd_config, as follows:
[root@rhel6test ssh]# diff sshd_config sshd_config-original
49c49
< AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
---
> #AuthorizedKeysFile	.ssh/authorized_keys

2. Restart the sshd service
3.

Actual results:
[root@rhel6test ssh]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 49: garbage at end of line; ".ssh/authorized_keys_greg".
                                                           [FAILED]
[root@rhel6test ssh]# 


Expected results:

sshd should behave the same way that sshd in all other Linux and Unix implementations behave.  It should start cleanly with the updated AuthorizedKeysFile line, and should support passwordless logins for users who have an appropriately formatted .ssh/authorized_keys2 file, even if /etc/ssh/sshd_config has the AuthorizedKeysFile line commented out.

Additional info:

RHEL 6 behaves badly.

[root@rhel6test ssh]# pwd
/etc/ssh
[root@rhel6test ssh]# 
[root@rhel6test ssh]# cp sshd_config sshd_config-original
[root@rhel6test ssh]# nano sshd_config
[root@rhel6test ssh]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 49: garbage at end of line; ".ssh/authorized_keys_greg".
                                                           [FAILED]
[root@rhel6test ssh]# 
[root@rhel6test ssh]# 
[root@rhel6test ssh]# diff sshd_config sshd_config-original
49c49
< AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
---
> #AuthorizedKeysFile	.ssh/authorized_keys
[root@rhel6test ssh]# 
[root@rhel6test ssh]# 
[root@rhel6test ssh]# rpm -qa | grep ssh
openssh-5.3p1-118.1.el6_8.x86_64
libssh2-1.4.2-1.el6_6.1.x86_64
openssh-server-5.3p1-118.1.el6_8.x86_64
openssh-clients-5.3p1-118.1.el6_8.x86_64
[root@rhel6test ssh]# 

RHEL 7 behaves as expected.

Note the comments in the RHEL 7 variant of /etc/ssh/sshd_config:

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2


[root@rhel7test ~]# cd /etc/ssh
[root@rhel7test ssh]# cp sshd_config sshd_config-original
[root@rhel7test ssh]# nano sshd_config
[root@rhel7test ssh]# 
[root@rhel7test ssh]# systemctl restart sshd.service
[root@rhel7test ssh]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2016-12-15 11:17:29 CST; 12s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 5959 (sshd)
   CGroup: /system.slice/sshd.service
           └─5959 /usr/sbin/sshd -D

Dec 15 11:17:29 rhel7test sshd[5959]: Server listening on 0.0.0.0 port 22.
Dec 15 11:17:29 rhel7test sshd[5959]: Server listening on :: port 22.
[root@rhel7test ssh]# 
[root@rhel7test ssh]# 
[root@rhel7test ssh]# diff sshd_config sshd_config-original
59c59
< AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
---
> AuthorizedKeysFile	.ssh/authorized_keys
[root@rhel7test ssh]# 
[root@rhel7test ssh]# rpm -qa| grep ssh
openssh-clients-6.6.1p1-25.el7_2.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-6.6.1p1-25.el7_2.x86_64
openssh-server-6.6.1p1-25.el7_2.x86_64
[root@rhel7test ssh]#

Comment 2 phillip.jaenke.nonemployee 2016-12-15 17:53:29 UTC
I have been able to confirm that the issue of not reading .ssh/authorized_keys2 when AuthorizedKeysFile is not explicitly set does NOT reproduce with openssh-server-5.3p1-104.el6.x86_64, but DOES occur with openssh-server-5.3p1-94.el6.x86_64 and below. 

This behavior also occurs in 4.3p2-82 in an intermittent fashion, indicating the issue may have been introduced some time ago.

Comment 3 Greg Scott 2016-12-15 18:54:52 UTC
I did some more testing with openssh-server-5.3p1-118.1.el6_8.x86_64.  This version does not support multiple files in the AuthorizedKeysFile line of /etc/ssh/sshd_config, but it does appear to support the desired default behavior.

First, a baseline test:

On my RHEL6 test ssh server -

[root@rhel6test ssh]# cd /root/.ssh
[root@rhel6test .ssh]# ls
authorized_keys  known_hosts

And from this laptop - no password prompt, as expected:

[gscott@gscott]$ 
[gscott@gscott]$ ssh root.10.125
Last login: Thu Dec 15 12:39:08 2016 from 10.10.10.121
[root@rhel6test ~]# logout
Connection to 10.10.10.125 closed.


Now a test using .ssh/authorized_keys2 on the ssh server -

[root@rhel6test .ssh]# mv authorized_keys authorized_keys2
[root@rhel6test .ssh]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@rhel6test .ssh]# ls
authorized_keys2  known_hosts

And from my ssh client on this laptop - password-less, as expected:

[gscott@gscott]$ ssh root.10.125
Last login: Thu Dec 15 12:39:56 2016 from 10.10.10.121
[root@rhel6test ~]# logout
Connection to 10.10.10.125 closed.


So far so good. This next test should prompt for a password.

On the server -

[root@rhel6test .ssh]# mv authorized_keys2 authorized_keysgreg
[root@rhel6test .ssh]# 

And from the client - I do have to enter a password, as expected.

[gscott@gscott]$ ssh root.10.125
root.10.125's password: 
Last login: Thu Dec 15 12:39:25 2016 from 10.10.10.121
[root@rhel6test ~]# logout
Connection to 10.10.10.125 closed.


So the big deal is to support multiple files in /etc/ssh/sshd_config.  I'll update the title to reflect this.

- Greg

Comment 10 Jakub Jelen 2017-01-17 16:27:56 UTC
Closing. We will not fix this feature request in RHEL 6.9, and I am copying out the possible solutions to the "problem":

The manual page for sshd_config in RHEL 6 explicitly states that AuthorizedKeysFile accepts a single argument with the file.

 * As a workaround, there is AuthorizedKeysFile2 with its default value ".ssh/authorized_keys2", which is used as the second file (undocumented, works fine as you pointed out).

 * The other workaround that can be used is a wrapper script in AuthorizedKeysCommand, which can internally read as many files as you want.

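The AuthorizedKeysCommand wrapper mentioned in the comment above, written out as an added example; it is not code from this bug report, from Red Hat or from the OpenSSH project. The install path /usr/local/sbin/multi-authorized-keys, the function names, the list of key files and the sshd_config lines in the header comment are all assumptions. The one point a wrapper like this must get right is that sshd's own StrictModes ownership and permission checks on authorized_keys do not apply to whatever the command prints, so the script re-applies them before emitting a file, and drops any file that fails.

```shell
#!/bin/sh
# Added example: an AuthorizedKeysCommand wrapper that feeds sshd the keys from
# several per-user files. Not code from the bug report or from Red Hat/OpenSSH.
# Assumed install path: /usr/local/sbin/multi-authorized-keys (root-owned, mode
# 0755, not writable by group/others, which sshd requires for the command).
# Assumed sshd_config lines:
#
#   AuthorizedKeysCommand /usr/local/sbin/multi-authorized-keys
#   AuthorizedKeysCommandRunAs root   # RHEL 6 backport option name (assumed);
#                                     # OpenSSH 6.2+ uses AuthorizedKeysCommandUser
#                                     # and needs "%u" appended to the command.
#
# sshd passes the login name as the single argument and reads key lines from stdout.

# Relative paths under the user's home that are consulted, in order (constructed
# default list; override with the KEY_FILES environment variable, space-separated).
KEY_FILES="${KEY_FILES:-.ssh/authorized_keys .ssh/authorized_keys2}"

# Return 0 if $1 is a regular file owned by user $2 and not group/world writable.
# This mirrors the checks sshd applies to authorized_keys under StrictModes,
# which a wrapper running as root would otherwise bypass.
key_file_is_safe() {
    [ -f "$1" ] || return 1
    # POSIX find: -user and -perm -MODE ("all listed bits set") are portable.
    [ -n "$(find "$1" -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Print the contents of every safe key file; skip missing or unsafe ones.
# Usage: collect_authorized_keys <home> <owner> <relative file>...
collect_authorized_keys() {
    home=$1
    owner=$2
    shift 2
    for rel in "$@"; do
        f="$home/$rel"
        if key_file_is_safe "$f" "$owner"; then
            cat "$f"
        elif [ -e "$f" ]; then
            # sshd may not forward the command's stderr; use logger(1) for syslog.
            echo "multi-authorized-keys: ignoring $f (bad owner or permissions)" >&2
        fi
    done
}

# Entry point used by sshd: resolve the home directory, then emit the keys.
main() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || exit 1
    # $KEY_FILES is deliberately unquoted so it splits into separate paths.
    collect_authorized_keys "$home" "$user" $KEY_FILES
}

if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

Whether the command runs as root or as an unprivileged account (sshd insists on one being configured) decides what it can read: a per-user file at mode 0600 is invisible to "nobody", while running as root makes the ownership and permission check above the only thing standing between a group-writable authorized_keys2 and a login. Either way, sshd still reads the file named by AuthorizedKeysFile itself, so the wrapper only needs to cover the extra files.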
