Bug 473014 (SSHKeyLabel) - User key authentication fails in ssh from F10 client to F10 server
Summary: User key authentication fails in ssh from F10 client to F10 server
Status: CLOSED NOTABUG
Alias: SSHKeyLabel
Product: Fedora
Classification: Fedora
Component: openssh
Version: 10
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
: 466199 476362 481079 491032 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-26 02:59 UTC by Nick Urbanik
Modified: 2009-03-19 07:31 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-11-28 10:09:40 UTC


Attachments (Terms of Use)
Running /usr/sbin/sshd -ddd on laptop (17.28 KB, text/plain)
2008-11-26 20:35 UTC, Nick Urbanik
no flags Details
Result of running ssh -vvv (11.11 KB, text/plain)
2008-11-26 20:37 UTC, Nick Urbanik
no flags Details

Description Nick Urbanik 2008-11-26 02:59:13 UTC
Description of problem:

I have used public key user authentication for many years.  After my
yum upgrade from rawhide to f10, public key authentication fails.

I have verified that the appropriate keys are in the agent with
ssh-add -l

I have re-checked the fingerprints in the ~/.ssh/authorized_keys file
on the remote machine, and verified that they match the fingerprint
displayed with ssh-add -l.

I have made the home directories in both the local and remote machines
have permission 0700.  I have also ensured that the ~/.ssh directory
on both the local and remote machine have permission 0700.  I have
verified that all the files in ~/.ssh on both the local and remote
machines have permission 0600.

The problem is also described here:
http://fedora-sparks.blogspot.com/2008/09/updated-ssh-authentication-fail.html

Version-Release number of selected component (if applicable):

openssh-clients-5.1p1-3.fc10.i386

How reproducible:


Steps to Reproduce:
1. Upgrade from rawhide to f10 using yum upgrade.
2. ssh to another machine, also running f10, where the user public key
   is correctly installed in the ~/.ssh/authorized_keys file.
3. See the prompt for the password.
  
Actual results:

Am prompted for the password.

Expected results:

Expect to be logged in, authenticated by the public user key, as has
always worked previously.

Additional info:

The log in using the password is successful.  However, there are some
other machines for which I do not have the password, but have my key
in the authorized_keys file.  This may prevent me from doing my work.

Comment 1 Tomas Mraz 2008-11-26 08:34:14 UTC
Can you please attach debug logs from the client as well as server?

Run the server as /usr/sbin/sshd -ddd
And the client as ssh -vvv <user@server>

Comment 2 Anne 2008-11-26 18:54:53 UTC
My install started cleanly from snapshot 3 and has simply been upgraded by yum.  ssh + keys is working perfectly here.

Comment 3 Nick Urbanik 2008-11-26 20:35:54 UTC
Created attachment 324793 [details]
Running /usr/sbin/sshd -ddd on laptop

Comment 4 Nick Urbanik 2008-11-26 20:37:10 UTC
Created attachment 324794 [details]
Result of running ssh -vvv

Comment 5 Nick Urbanik 2008-11-26 20:46:07 UTC
Yes, I see that I can connect from the laptop to the desktop machine
(the other way round).  Need investigate the pam setup, the /etc/ssh*_config
files further.

Comment 6 Tomas Mraz 2008-11-26 22:27:51 UTC
I do not see pubkey authentication failure in the log but rather some problem with PAM open session. Do you see anything related in /var/log/secure on the ssh server?

Comment 7 Nick Urbanik 2008-11-26 23:47:19 UTC
Only the sshd[...]: reverse mapping checking getaddrinfo for .... [...] failed - POSSIBLE BREAK-IN ATTEMPT!
These have occurred in the logs for some time before this authentication problem arose.

Comment 8 Nick Urbanik 2008-11-27 20:06:02 UTC
When I turn off selinux on the laptop, the problem disappears.
I have yum upgraded these machines through each Fedora release over many years.
I will try relabelling the filesystems on these machines, and indicate here whether this solves the problem.

Comment 9 Tomas Mraz 2008-11-27 20:55:58 UTC
Do you see any related AVCs in ausearch -m AVC output?

Comment 10 Nick Urbanik 2008-11-28 10:03:36 UTC
Okay, it is solved by doing

sudo restorecon -r ~/.ssh

Here is some of the output of ausearch -m AVC before I did this:

time->Fri Nov 28 20:10:40 2008
type=SYSCALL msg=audit(1227863440.638:683): arch=40000003 syscall=5 success=no exit=-13 a0=b8f08ef0 a1=8800 a2=0 a3=8800 items=0 ppid=1760 pid=12649 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1227863440.638:683): avc:  denied  { search } for  pid=12649 comm="sshd" name=".ssh" dev=sda6 ino=130817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

Comment 11 Nick Urbanik 2008-11-28 10:09:40 UTC
I suppose this is now solved for me.

I think that others may still be bitten by this.

Even doing sudo touch /.autorelabel and having the filesystem relabelled at the reboot did not solve the problem for me.  I needed to change to the home directory and there do sudo restorecon -r .ssh

Only then did the .ssh/* files' label change to system_u:object_r:ssh_home_t

At least this bug gives people a solution to google for.

Comment 12 Daniel Walsh 2008-12-04 14:22:18 UTC
Ok I think I found the problem,  that file should not become unlabeled_t on an upgrade, so in selinux-policy-3.5.13-31 I will get it labeled correctly.

Comment 13 Nick Urbanik 2008-12-04 20:07:11 UTC
Excellent work Daniel!  Thank you.

Comment 14 Tomas Mraz 2008-12-15 08:33:27 UTC
*** Bug 476362 has been marked as a duplicate of this bug. ***

Comment 15 Tomas Mraz 2009-01-12 18:54:27 UTC
*** Bug 466199 has been marked as a duplicate of this bug. ***

Comment 16 Tomas Mraz 2009-02-12 15:48:22 UTC
*** Bug 481079 has been marked as a duplicate of this bug. ***

Comment 17 Tomas Mraz 2009-03-19 07:31:38 UTC
*** Bug 491032 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.