This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 772641 - ssh hostbased authentification error messages about ssh keysign
ssh hostbased authentification error messages about ssh keysign
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
16
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-01-09 08:52 EST by Edgar Hoch
Modified: 2012-02-28 09:00 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-28 09:00:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Edgar Hoch 2012-01-09 08:52:30 EST
Description of problem:

When I add to /etc/ssh/sshd_config the line

HostbasedAuthentication yes

and when wie add to /etc/ssh/ssh_config the lines

HostbasedAuthentication yes
EnableSSHKeysign yes

then we get the following error messages when calling "ssh myhost" where "myhost" is listed in /etc/ssh/ssh_known_hosts and in /etc/ssh/shosts.equiv:

could not open any host key
ssh_keysign: no reply
key_sign failed

I called ssh with debug options "-vvv" - here are the important part for the message above:

debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost myhost.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1292
could not open any host key
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method


I also set
setsebool allow_ssh_keysign on

but this doesn't change the error messages.


Version-Release number of selected component (if applicable):
openssh-5.8p2-23.fc16.x86_64
selinux-policy-3.10.0-69.fc16.noarch
selinux-policy-targeted-3.10.0-69.fc16.noarch
policycoreutils-2.1.4-13.fc16.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. Modify /etc/ssh/ssh_config like mentioned above
2. Modify /etc/ssh/sshd_config like mentioned above
3. Add remote host key to /etc/ssh/ssh_known_hosts
4. Add remote host name to /etc/ssh/shosts.equiv
5. Connect to remote host using ssh
  
Actual results:
ssh myhost displays the error messages above.

Expected results:
ssh displays no error messages.
Comment 1 Edgar Hoch 2012-01-09 08:53:31 EST
Additional note:

This configuration worked fine in Fedora 15 and previous versions.
Comment 2 Petr Lautrbach 2012-02-03 09:42:35 EST
> could not open any host key
> ssh_keysign: no reply
> key_sign failed

Check your private key files permission. ssh-keysign is set to run as ssh_keys group so key files permissions should look like:

-rw-r-----. 1 root ssh_keys    668 Sep 12 15:00 ssh_host_dsa_key
-rw-r--r--. 1 root root        590 Sep 12 15:00 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys    965 Sep 12 15:00 ssh_host_key
-rw-r--r--. 1 root root        630 Sep 12 15:00 ssh_host_key.pub
-rw-r-----. 1 root ssh_keys   1679 Sep 12 15:00 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep 12 15:00 ssh_host_rsa_key.pub
Comment 3 Petr Lautrbach 2012-02-08 04:58:35 EST
Did comment #c2 help you? I'm able to configure HostbasedAuthentication on F16 without any problem.
Comment 4 Petr Lautrbach 2012-02-28 09:00:17 EST
Closing this now. Feel free to re-open it if comment #c2 doesn't help you.

Note You need to log in before you can comment on or make changes to this bug.