Bug 1497680 - ssh from rhel7 to rhel7 not working on 7.4, But working to rhel6
Summary: ssh from rhel7 to rhel7 not working on 7.4, But working to rhel6
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: x86_64
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1477664
TreeView+ depends on / blocked
 
Reported: 2017-10-02 12:52 UTC by amitkuma
Modified: 2018-10-03 08:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Authentication using *ssh-agent* other than the one from *OpenSSH* fails *OpenSSH* since version 7.4 negotiates the SHA-2 signature extension by default. Consequently, if a signature is provided by the *ssh-agent* program that is not from the current *OpenSSH* suite and that does not know the SHA-2 extension, authentication fails. To ensure correct authentication, use the *OpenSSH ssh-agent* to provide signatures.
Clone Of:
Environment:
Last Closed: 2018-09-17 12:00:38 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description amitkuma 2017-10-02 12:52:04 UTC
Description of problem:
Windows Machine    rhel-7-3    rhel-7.2    rhel-6
      |
SC -->|
   # ssh rhel-7-1	//Works fine
   rhel-7-3$ ssh rhel-6 //Works fine
   rhel-7-3$ ssh rhel-7.2 //Works fine

Windows Machine    rhel7-4    rhel7-4-1    rhel-6
      |
SC--> |
   # ssh rhel-7-4 //Works fine
   rhel-7-4$ ssh rhel-6 //Works fine
   rhel-7-4$ ssh rhel7-4-1 //Broken

Note: 
 - SC means Smart card
 - Public keys present on rhel6, rhel7.4, rhel7.3 inside ( ~/.ssh/authorized_keys) are all same.
 - There are no issues in login from rhel7.3 to rhel7.3, rhel6 etc

Issue is only b/w rhel7.4 to rhel7.4

Additional info:
From our server to a rhel6 server:

debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
debug3: sign_and_send_pubkey: RSA SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
This connection works

From our server to a rhel7 server:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
debug3: sign_and_send_pubkey: RSA SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
This connection does not work.

Version-Release number of selected component (if applicable):
openssh-7.4p1-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Login to RHEL-7.4 box.
2. Try login to rhel7.4-1. get this error.
rhel-7-4$  ssh rhel7-4-1
sign_and_send_pubkey: signing failed: agent refused operation
Enter passphrase for key '/home/net/allhoff/.ssh/id_rsa': 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Actual results:
7.4 to 7.4 smart card login failed

Expected results:
7.4 to 7.4 smart card login should work properly

Additional info:

Comment 2 Jakub Jelen 2017-10-02 14:50:13 UTC
This is a problem with SSH extension negotiation in RHEL7.4 [1], namely the server-sig-algs" [2].

Connecting two RHEL7.4 negotiates SHA2 extension and attempts to use use rsa-sha2-512 signature algorithm (you should not use SHA1 in close future anyway). But this algorithm is not supported by the software talking the ssh-agent protocol so it fails.

First thing that should resolve this without backing down to SHA-1 would be implementing a support for this extension in your software talking ssh-agent protocol (PuTTY Pageant or whatever forwards the socket on the windows machine). It does silently accept unknown flags and produces (wrong) SHA-1 signature regardless [3].

Unfortunately, at this moment I do not see any fallback mechanism or way how to disable it from OpenSSH point of view. Once this extension is negotiated, it starts using SHA512 regardless any other configuration. I will try to see what is upstream opinion about this and if there is something we can do.

[1] https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10
[2] https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10#section-3.1
[3] https://tools.ietf.org/html/draft-miller-ssh-agent-00#section-4.2

Comment 13 Hemant B Khot 2017-10-30 17:21:24 UTC
//Internal:

Facing issue while installing packages.


[root@rhel7u4-5 ~]# hostname
rhel7u4-5.gsslab.pek2.redhat.com
[root@rhel7u4-5 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[root@rhel7u4-5 ~]# rpm -qa|grep -i ssh
openssh-clients-7.4p1-11.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-server-7.4p1-11.el7.x86_64
[root@rhel7u4-5 ~]# 
[root@rhel7u4-5 ssh-bz1497680]# rpm -ivh openssh-* pam_ssh_agent_auth-0.10.3-1.13.el7.x86_64.rpm 
error: Failed dependencies:
	libatk-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libcairo.so.2()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libfontconfig.so.1()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgdk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgtk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpango-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangocairo-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangoft2-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
Updating / installing...
   1:openssh-7.4p1-13.1.bz1497680.el7 ################################# [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root

[root@rhel7u4-5 ssh-bz1497680]# adduser mockbuild
[root@rhel7u4-5 ssh-bz1497680]# id mockbuild
uid=1000(mockbuild) gid=1000(mockbuild) groups=1000(mockbuild)
[root@rhel7u4-5 ssh-bz1497680]# rpm -ivh openssh-* pam_ssh_agent_auth-0.10.3-1.13.el7.x86_64.rpm 
error: Failed dependencies:
	libatk-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libcairo.so.2()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libfontconfig.so.1()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgdk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgtk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpango-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangocairo-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangoft2-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
Updating / installing...
   1:openssh-7.4p1-13.1.bz1497680.el7 ################################# [100%]
[root@rhel7u4-5 ssh-bz1497680]#

Comment 20 Jakub Jelen 2017-12-11 09:56:27 UTC
It is a client option, not the server one, as I wrote in the comment #15:

> please put "AgentUseSHA2 no" into ssh_config and try if you will see any difference.

Comment 24 Nikos Mavrogiannopoulos 2018-09-17 12:00:38 UTC
This is an issue in the client agent. The RHEL7 openssh uses features available in the RHEL7 openssh agent, and we cannot guarantee that any 3rd party agent will work with it.


Note You need to log in before you can comment on or make changes to this bug.