FS#18781 - [openssh] version 5.4 can break public key authentication

Attached to Project: Arch Linux
Opened by Adrian C. (anrxc) - Sunday, 21 March 2010, 22:30 GMT
Last edited by Dan Griffiths (Ghost1227) - Friday, 30 April 2010, 01:22 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Aaron Griffin (phrakture)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Hello,
after installing openssh 5.4p1 I noticed my public key no longer works. I switched the LogLevel to DEBUG and found the following:

debug1: trying public key file //.ssh/authorized_keys
...
Failed publickey for anrxc from 127.0.0.1 port 43457 ssh2


The default sshd_config file has the setting:
#AuthorizedKeysFile .ssh/authorized_keys

(my own has it uncommented)

The sshd_config manual page says the default is:
.ssh/authorized_keys

But it seems that in 5.4 it is no longer relative to the user home and I had to change it to:
AuthorizedKeysFile %h/.ssh/authorized_keys

I see the arch PKGBUILD modifies some settings in the sshd_config file. Maybe this one should be changed too, I leave that for your consideration - note that _I_ found no documentation related to this change.

Closed by Dan Griffiths (Ghost1227)
Friday, 30 April 2010, 01:22 GMT
Reason for closing: Upstream
Additional comments about closing: Fixed in 5.5
Comment by Casey Banner (kcbanner) - Monday, 22 March 2010, 16:22 GMT
If you are using SSH2 then the public keys belong in .ssh/authorized_keys2

I do not think this is a bug.
Comment by Adrian C. (anrxc) - Monday, 22 March 2010, 17:46 GMT
In OpenSSH the use of authorized_keys2 is discouraged since 2002 or something? We are well past the v1 of the protocol.

Besides that is not the point of my report. The point is that ".ssh/something-or-other" is no longer expanded as "/home/$USER/.ssh/something-or-other" as my log messages demonstrated.
Comment by Aaron Griffin (phrakture) - Monday, 22 March 2010, 18:00 GMT
Please read the bug before sending closure requests. The bug is NOT that authorized_keys is deprecated, it's that the sshd_config value for AuthorizedKeysFile is no longer relative to the user's home dir.
Comment by doc kane (doc) - Thursday, 25 March 2010, 18:12 GMT
Same happened to me. It was really ugly since the involved systems are running headless.
Comment by Malte Rabenseifner (Zearan) - Tuesday, 30 March 2010, 05:04 GMT
Problem and solution confirmed, thank you very much, Adrian!
Comment by S. D. D. (dedioste) - Tuesday, 30 March 2010, 15:34 GMT
Same here, SSH stopped working after update to openssh 5.4.1.
I'll look into it as soon as I get home, where the affected box is.
Comment by Aaron Griffin (phrakture) - Wednesday, 31 March 2010, 19:50 GMT
Is adding the following to the sshd_config sed expression good enough?

s|^#AuthorizedKeysFile .ssh/authorized_keys|#AuthorizedKeysFile %h/.ssh/authorized_keys|g

Keep in mind this value is commented by default and comes direct from upstream. But, we fiddle with this file anyway, so modifying this is not a big issue
Comment by Adrian C. (anrxc) - Wednesday, 31 March 2010, 23:40 GMT
Did anyone notice any other problems with public keys? What I noticed today is that connecting from openssh 5.4 to 5.4 my id_rsa.pub key doesn't work, while the very same key works if I am connecting to a server running 5.3. It is late, I will debug tomorrow, and report back.
Comment by John Wilkinson (jowilkin) - Thursday, 01 April 2010, 06:35 GMT
I think I was hit by this same "bug". It was quite a pain, since on my machine for instance password authentication was disabled.

Another solution is to leave the line commented out. I don't know if this has any security implications compared to using the %h/.ssh.... solution.
Comment by Adrian C. (anrxc) - Thursday, 01 April 2010, 10:28 GMT
My problem with the actual keys was just another configuration error, but this time mine.
Comment by Aaron Griffin (phrakture) - Thursday, 01 April 2010, 13:30 GMT
@jowilkin: It *is* commented out. This is not an arch bug, as our stock config comes with the line commented.

The bug is in informing the end user of this change, that is all
Comment by John Wilkinson (jowilkin) - Thursday, 01 April 2010, 15:30 GMT
Yes I agree about the nature of the bug. My comment was to inform other users with this problem that they could fix it by re-commenting the line.

There is a tendency I think when enabling an option like key auth to uncomment lines that seem pertinent such as this one. I want to point out it is unnecessary to do so for this variable.
Comment by Adrian C. (anrxc) - Thursday, 01 April 2010, 15:35 GMT
It was already demonstrated a lot of people use authorized_keys2 and so on, think about them too... :)

Thing is, this "feature" is not mentioned in the release notes, not documented, manual page is unchanged... so it is uncertain when they will change something upstream. If Arch wanted to protect its users it could have changed it, but now openssh is already in core and the damage was done. From here it will probably get better, less and less users have pending upgrades, this report already got exposure... I as the original reporter am okay either way.
Comment by Adrian C. (anrxc) - Tuesday, 27 April 2010, 19:31 GMT
Changes since OpenSSH 5.4
=========================
* Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths

Fixed :)
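
A pre-upgrade check for the condition discussed in this report, as an added example that is not part of the original thread or of OpenSSH: it classifies the active AuthorizedKeysFile line of an sshd_config as unset, anchored (absolute or %h) or bare relative. The function names and the three sample files are constructed for illustration, and only the whitespace-separated "Keyword value" form is handled.

```shell
#!/bin/sh
# Added example: classify AuthorizedKeysFile in an sshd_config.
# Function names and sample files are hypothetical, built for this demo.

# classify_akf FILE -> prints unset | anchored | relative
classify_akf() {
    awk '
        /^[ \t]*#/ { next }    # commented-out lines are not active settings
        # keywords are case-insensitive; keep the first active value
        tolower($1) == "authorizedkeysfile" && !seen { seen = 1; value = $2 }
        END {
            if (!seen)                    print "unset"
            else if (value ~ /^(\/|%h)/)  print "anchored"
            else                          print "relative"
        }
    ' "$1"
}

# audit_akf FILE -> prints a verdict; returns 1 for the bare relative form,
# the one the report shows 5.4p1 resolving to //.ssh/authorized_keys.
audit_akf() {
    case "$(classify_akf "$1")" in
        unset)    echo "$1: not set, built-in default applies" ;;
        anchored) echo "$1: absolute or %h-anchored path" ;;
        relative) echo "$1: bare relative path, prefix it with %h/"
                  return 1 ;;
    esac
}

# Constructed sample configs mirroring the three cases in the thread:
# stock (commented), uncommented relative, and the %h form.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#AuthorizedKeysFile .ssh/authorized_keys\n' > "$demo_dir/stock"
printf 'AuthorizedKeysFile\t.ssh/authorized_keys\n' > "$demo_dir/uncommented"
printf 'authorizedkeysfile %%h/.ssh/authorized_keys\n' > "$demo_dir/fixed"

for f in stock uncommented fixed; do
    audit_akf "$demo_dir/$f" || true
done
```

On headless hosts with password authentication disabled, run the check against the real sshd_config before restarting sshd after the upgrade; the non-zero status of audit_akf can gate that restart.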
