← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #31491

[Bug 1389167] [NEW] HostbasedAuthentication produces spurious warnings

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Ubuntu 14.04.1 LTS
openssh-client 1:6.6p1-2ubuntu2

We have HostbasedAuthentication set up in our environment so that users
can ssh between equivalent hosts without a password.

ssh_config contains (relevantly)

HostbasedAuthentication yes
PreferredAuthentications publickey,hostbased,password,keyboard-interactive
EnableSSHKeysign yes

sshd_config contains (relevantly)

HostbasedAuthentication yes

This works:

ocelot:~$ ssh othermc
othermc:~$

However, ssh-ing as an alternative user produces additional warning
messages before the expected password prompt:

ocelot:~$ ssh otheruser@othermc
no matching hostkey found
ssh_keysign: no reply
key_sign failed
otheruser@othermc's password:

If instead of relying on EnableSSHKeysign in ssh_config I make the ssh
binary setuid:

chmod u+s /usr/bin/ssh

...the extra warnings go away and I get what I expect:

ocelot:~$ ssh otheruser@othermc
otheruser@othermc's password:

This makes me suspect that there may be a problem with ssh-keysign.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1389167

Title:
  HostbasedAuthentication produces spurious warnings

Status in “openssh” package in Ubuntu:
  New

Bug description:
  Ubuntu 14.04.1 LTS
  openssh-client 1:6.6p1-2ubuntu2

  We have HostbasedAuthentication set up in our environment so that
  users can ssh between equivalent hosts without a password.

  ssh_config contains (relevantly)

  HostbasedAuthentication yes
  PreferredAuthentications publickey,hostbased,password,keyboard-interactive
  EnableSSHKeysign yes

  sshd_config contains (relevantly)

  HostbasedAuthentication yes

  This works:

  ocelot:~$ ssh othermc
  othermc:~$

  However, ssh-ing as an alternative user produces additional warning
  messages before the expected password prompt:

  ocelot:~$ ssh otheruser@othermc
  no matching hostkey found
  ssh_keysign: no reply
  key_sign failed
  otheruser@othermc's password:

  If instead of relying on EnableSSHKeysign in ssh_config I make the ssh
  binary setuid:

  chmod u+s /usr/bin/ssh

  ...the extra warnings go away and I get what I expect:

  ocelot:~$ ssh otheruser@othermc
  otheruser@othermc's password:

  This makes me suspect that there may be a problem with ssh-keysign.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1389167/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next