Bug 1493406 - Regression: SSH authorized_keys now has strict syntax WRT to spaces
Summary: Regression: SSH authorized_keys now has strict syntax WRT to spaces
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Mirek Jahoda
: 1498614 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2017-09-20 06:46 UTC by Stef Walter
Modified: 2019-02-11 15:39 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Parsing of *OpenSSH* public keys is more strict Previously, the parsing of public keys was changed to be more strict. As a consequence, additional spaces between the key type string and the key blob string are no longer ignored, and login attempts with such keys now fail. To work around this problem, ensure that there is only one space character between the key type and the key blob.
Clone Of:
Last Closed: 2019-02-11 15:39:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
OpenSSH Project 2786 0 None None None 2019-06-11 15:17:43 UTC

Description Stef Walter 2017-09-20 06:46:27 UTC
Description of problem:

The SSH authorized_keys parsing used to accept keys that looked like this (notice the double space).

ssh-rsa  AAAAB3NzaC1yc2EAAAAB....

However once upgrading to the most recent OpenSSH in RHEL at this time, the spaces must be removed for sshd to recognize the key. 

ssh-rsa  AAAAB3NzaC1yc2EAAAAB....

This can cause customers to lose access to systems. We discovered this in the Cockpit CI system.

Version-Release number of selected component (if applicable):

Regression happened when upgrading between the following versions:


How reproducible:

Every time:

Steps to Reproduce:
1. Ensure target system has openssh-server-7.4p1-12.el7_4.x86_64 running
2. Add additional spaces to ssh key in authorized_keys on target system
3. Try to log in to the target system

Actual results:

Key is not parsed, login fails.

Expected results:

Key is used to log in.

Additional info:

Possible related log entries.

sshd[67092]: debug1: trying public key file /root/.ssh/authorized_keys
sshd[67092]: debug1: fd 4 clearing O_NONBLOCK
sshd[67092]: debug2: user_key_allowed: check options: 'ssh-rsa '
sshd[67092]: debug2: user_key_allowed: advance: ''
sshd[67092]: debug2: key not found

Comment 2 Stef Walter 2017-09-20 06:56:16 UTC
Hmmm, I pasted bad. Here's an authorized_key line that used to work, but no longer does:

ssh-rsa  AAAAB3NzaC1yc2EAAAAB.... blah

Here's an authorized_key line that works on both old and now openssh:

ssh-rsa AAAAB3NzaC1yc2EAAAAB.... blah

Comment 6 Jakub Jelen 2017-09-27 14:46:21 UTC
This change was introduced in 2014 (openssh-6.7) with the commit [1], in (ssh)key.c method (ssh)key_read(), which is parsing the public key from buffer. The old uudecode() method was replaced by the new sshbuf_b64tod() buffer call. The first method was skipping leading and trailing whitespace, but the second one is not (also it is already getting a "zero-length buffer" as an argument -- strchr(cp, ' ') returns the immediately following space).

The fix can look like introducing the skipping of the whitespace in the sshkey_read() function, but as already mentioned, I am not sure how 3 years old bug will be accepted. Though lets give it a try. The following patch will allow me reading the keys with more whitespace characters between key identificator and the key blob:

diff --git a/sshkey.c b/sshkey.c
index fe874043..f5cf3bef 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1210,6 +1210,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
 		if ((blob = sshbuf_new()) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
+		/* skip whitespace */
+		for (; *cp == ' ' || *cp == '\t'; cp++)
+			;
 		/* trim comment */
 		space = strchr(cp, ' ');
 		if (space) {

Let's see upstream opinions.

[1] https://github.com/openssh/openssh-portable/commit/8668706d

Comment 7 Jakub Jelen 2017-10-05 07:17:34 UTC
*** Bug 1498614 has been marked as a duplicate of this bug. ***

Comment 8 Jakub Jelen 2018-03-19 11:58:00 UTC
FYI, this was fixed upstream and will be in OpenSSH 7.7 release, but in rather more complicated form than I proposed.

We will probably not be able to backport the upstream fix, because it depends on removing the SSHv1 keys, but we might be able to achieve something similar if we would consider this as important enough.

Comment 9 Simo Sorce 2019-02-11 15:39:20 UTC
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Note You need to log in before you can comment on or make changes to this bug.