RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1493406 - Regression: SSH authorized_keys now has strict syntax WRT to spaces
Summary: Regression: SSH authorized_keys now has strict syntax WRT to spaces
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Mirek Jahoda
URL:
Whiteboard:
: 1498614 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-20 06:46 UTC by Stef Walter
Modified: 2019-02-11 15:39 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Parsing of *OpenSSH* public keys is more strict Previously, the parsing of public keys was changed to be more strict. As a consequence, additional spaces between the key type string and the key blob string are no longer ignored, and login attempts with such keys now fail. To work around this problem, ensure that there is only one space character between the key type and the key blob.
Clone Of:
Environment:
Last Closed: 2019-02-11 15:39:20 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 2786 0 None None None 2019-06-11 15:17:43 UTC

Description Stef Walter 2017-09-20 06:46:27 UTC 
Description of problem:

The SSH authorized_keys parsing used to accept keys that looked like this (notice the double space).

ssh-rsa  AAAAB3NzaC1yc2EAAAAB....

However once upgrading to the most recent OpenSSH in RHEL at this time, the spaces must be removed for sshd to recognize the key. 

ssh-rsa  AAAAB3NzaC1yc2EAAAAB....

This can cause customers to lose access to systems. We discovered this in the Cockpit CI system.

Version-Release number of selected component (if applicable):

Regression happened when upgrading between the following versions:

openssh-server-6.6.1p1-31.el7.x86_64
openssh-server-7.4p1-12.el7_4.x86_64

How reproducible:

Every time:

Steps to Reproduce:
1. Ensure target system has openssh-server-7.4p1-12.el7_4.x86_64 running
2. Add additional spaces to ssh key in authorized_keys on target system
3. Try to log in to the target system


Actual results:

Key is not parsed, login fails.

Expected results:

Key is used to log in.

Additional info:

Possible related log entries.

sshd[67092]: debug1: trying public key file /root/.ssh/authorized_keys
sshd[67092]: debug1: fd 4 clearing O_NONBLOCK
sshd[67092]: debug2: user_key_allowed: check options: 'ssh-rsa '
sshd[67092]: debug2: user_key_allowed: advance: ''
sshd[67092]: debug2: key not found
Comment 2 Stef Walter 2017-09-20 06:56:16 UTC 
Hmmm, I pasted bad. Here's an authorized_key line that used to work, but no longer does:

ssh-rsa  AAAAB3NzaC1yc2EAAAAB.... blah

Here's an authorized_key line that works on both old and now openssh:

ssh-rsa AAAAB3NzaC1yc2EAAAAB.... blah
Comment 6 Jakub Jelen 2017-09-27 14:46:21 UTC 
This change was introduced in 2014 (openssh-6.7) with the commit [1], in (ssh)key.c method (ssh)key_read(), which is parsing the public key from buffer. The old uudecode() method was replaced by the new sshbuf_b64tod() buffer call. The first method was skipping leading and trailing whitespace, but the second one is not (also it is already getting a "zero-length buffer" as an argument -- strchr(cp, ' ') returns the immediately following space).

The fix can look like introducing the skipping of the whitespace in the sshkey_read() function, but as already mentioned, I am not sure how 3 years old bug will be accepted. Though lets give it a try. The following patch will allow me reading the keys with more whitespace characters between key identificator and the key blob:

diff --git a/sshkey.c b/sshkey.c
index fe874043..f5cf3bef 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1210,6 +1210,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
 			return SSH_ERR_KEY_TYPE_MISMATCH;
 		if ((blob = sshbuf_new()) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
+		/* skip whitespace */
+		for (; *cp == ' ' || *cp == '\t'; cp++)
+			;
 		/* trim comment */
 		space = strchr(cp, ' ');
 		if (space) {

Let's see upstream opinions.

[1] https://github.com/openssh/openssh-portable/commit/8668706d
Comment 7 Jakub Jelen 2017-10-05 07:17:34 UTC 
*** Bug 1498614 has been marked as a duplicate of this bug. ***
Comment 8 Jakub Jelen 2018-03-19 11:58:00 UTC 
FYI, this was fixed upstream and will be in OpenSSH 7.7 release, but in rather more complicated form than I proposed.

We will probably not be able to backport the upstream fix, because it depends on removing the SSHv1 keys, but we might be able to achieve something similar if we would consider this as important enough.
Comment 9 Simo Sorce 2019-02-11 15:39:20 UTC 
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Note You need to log in before you can comment on or make changes to this bug.