Bug 772641 - ssh hostbased authentication error messages about ssh keysign
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-01-09 13:52 UTC by Edgar Hoch
Modified: 2012-02-28 14:00 UTC (History)
Doc Type: Bug Fix
Last Closed: 2012-02-28 14:00:17 UTC

Description Edgar Hoch 2012-01-09 13:52:30 UTC
Description of problem:

When I add to /etc/ssh/sshd_config the line

HostbasedAuthentication yes

and when we add to /etc/ssh/ssh_config the lines

HostbasedAuthentication yes
EnableSSHKeysign yes

then we get the following error messages when calling "ssh myhost" where "myhost" is listed in /etc/ssh/ssh_known_hosts and in /etc/ssh/shosts.equiv:

could not open any host key
ssh_keysign: no reply
key_sign failed

I called ssh with debug options "-vvv" - here is the important part for the message above:

debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost myhost.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1292
could not open any host key
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method


I also set
setsebool allow_ssh_keysign on

but this doesn't change the error messages.


Version-Release number of selected component (if applicable):
openssh-5.8p2-23.fc16.x86_64
selinux-policy-3.10.0-69.fc16.noarch
selinux-policy-targeted-3.10.0-69.fc16.noarch
policycoreutils-2.1.4-13.fc16.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. Modify /etc/ssh/ssh_config as mentioned above
2. Modify /etc/ssh/sshd_config as mentioned above
3. Add remote host key to /etc/ssh/ssh_known_hosts
4. Add remote host name to /etc/ssh/shosts.equiv
5. Connect to remote host using ssh
  
Actual results:
ssh myhost displays the error messages above.

Expected results:
ssh displays no error messages.

Comment 1 Edgar Hoch 2012-01-09 13:53:31 UTC
Additional note:

This configuration worked fine in Fedora 15 and previous versions.

Comment 2 Petr Lautrbach 2012-02-03 14:42:35 UTC
> could not open any host key
> ssh_keysign: no reply
> key_sign failed

Check your private key file permissions. ssh-keysign is set to run as the ssh_keys group, so the key file permissions should look like:

-rw-r-----. 1 root ssh_keys    668 Sep 12 15:00 ssh_host_dsa_key
-rw-r--r--. 1 root root        590 Sep 12 15:00 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys    965 Sep 12 15:00 ssh_host_key
-rw-r--r--. 1 root root        630 Sep 12 15:00 ssh_host_key.pub
-rw-r-----. 1 root ssh_keys   1679 Sep 12 15:00 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep 12 15:00 ssh_host_rsa_key.pub
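
The listing in comment 2, turned into a check that can be run against /etc/ssh. This is an added example, not part of the bug thread or of openssh; the function name audit_hostkeys is made up here, and GNU stat (as shipped on Fedora) is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): check host private keys against
# the listing in comment 2: owner root, group ssh_keys, mode 640.
# Assumes GNU stat, as shipped on Fedora. audit_hostkeys is a made-up name.

# audit_hostkeys [DIR] [GROUP] [OWNER]
# Prints one line per private key; returns 0 only if every key matches.
# GROUP and OWNER are parameters so the check can be tried on a scratch
# directory without root.
audit_hostkeys() {
    dir=${1:-/etc/ssh}
    want_group=${2:-ssh_keys}
    want_owner=${3:-root}
    rc=0
    found=0
    # Matches ssh_host_key, ssh_host_rsa_key, ...; the .pub files do not match.
    for key in "$dir"/ssh_host_*key; do
        [ -f "$key" ] || continue      # glob matched nothing
        found=1
        mode=$(stat -c %a "$key")
        owner=$(stat -c %U "$key")
        group=$(stat -c %G "$key")
        why=
        [ "$owner" = "$want_owner" ] || why="$why owner=$owner(want $want_owner)"
        # ssh-keysign reads the key through its group, so both the group
        # and the group-read bit in the mode have to be right.
        [ "$group" = "$want_group" ] || why="$why group=$group(want $want_group)"
        [ "$mode" = 640 ] || why="$why mode=$mode(want 640)"
        if [ -n "$why" ]; then
            echo "BAD  $key:$why"
            rc=1
        else
            echo "OK   $key"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "BAD  no ssh_host_*key files in $dir"
        rc=1
    fi
    return "$rc"
}

# Usage on a real system: audit_hostkeys /etc/ssh
```

A key reported with mode 600 or with group root is the case that produces "could not open any host key" in the report above.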

Comment 3 Petr Lautrbach 2012-02-08 09:58:35 UTC
Did comment #c2 help you? I'm able to configure HostbasedAuthentication on F16 without any problem.

Comment 4 Petr Lautrbach 2012-02-28 14:00:17 UTC
Closing this now. Feel free to re-open it if comment #c2 doesn't help you.

