FS#18781 - [openssh] version 5.4 can break public key authentication
Attached to Project:
Arch Linux
Opened by Adrian C. (anrxc) - Sunday, 21 March 2010, 22:30 GMT
Last edited by Dan Griffiths (Ghost1227) - Friday, 30 April 2010, 01:22 GMT
Details
Hello,
after installing openssh 5.4p1 I noticed my public key no longer works. I switched the LogLevel to DEBUG and found the following:

debug1: trying public key file //.ssh/authorized_keys
...
Failed publickey for anrxc from 127.0.0.1 port 43457 ssh2

The default sshd_config file has the setting:

#AuthorizedKeysFile .ssh/authorized_keys

(my own has it uncommented)

The sshd_config manual page says the default is: .ssh/authorized_keys

But it seems that in 5.4 it is no longer relative to the user home and I had to change it to:

AuthorizedKeysFile %h/.ssh/authorized_keys

I see the Arch PKGBUILD modifies some settings in the sshd_config file. Maybe this one should be changed too, I leave that for your consideration - note that _I_ found no documentation related to this change.
Closed by Dan Griffiths (Ghost1227)
Friday, 30 April 2010, 01:22 GMT
Reason for closing: Upstream
Additional comments about closing: Fixed in 5.5
I do not think this is a bug.
Besides that is not the point of my report. The point is that ".ssh/something-or-other" is no longer expanded as "/home/$USER/.ssh/something-or-other" as my log messages demonstrated.
I'll look into it as soon as i get home, where the affected box is.
s|^#AuthorizedKeysFile .ssh/authorized_keys|#AuthorizedKeysFile %h/.ssh/authorized_keys|g
Keep in mind this value is commented by default and comes directly from upstream. But, we fiddle with this file anyway, so modifying this is not a big issue.
Another solution is to leave the line commented out. I don't know if this has any security implications compared to using the %h/.ssh.... solution.
The bug is in informing the end user of this change, that is all
There is a tendency I think when enabling an option like key auth to uncomment lines that seem pertinent such as this one. I want to point out it is unnecessary to do so for this variable.
Thing is, this "feature" is not mentioned in the release notes, not documented, manual page is unchanged... so it is uncertain when they will change something upstream. If Arch wanted to protect its users it could have changed it, but now openssh is already in core and the damage was done. From here it will probably get better, fewer and fewer users have pending upgrades, this report already got exposure... I as the original reporter am okay either way.
=========================
* Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths
Fixed :)
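As an added example (not code from the report, the PKGBUILD or OpenSSH), the following audits an sshd_config for an uncommented AuthorizedKeysFile whose value is relative but lacks the %h token, the configuration that 5.4 resolved against / as the debug log above shows, and rewrites only such active lines; the sample config it works on is constructed here.

```shell
# Print each active (uncommented) AuthorizedKeysFile value, one per line.
# sshd_config keywords are case-insensitive, hence tolower().
authorized_keys_values() {
    awk '/^[[:blank:]]*(#|$)/ { next }
         tolower($1) == "authorizedkeysfile" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# True when a value is anchored: absolute, or home-relative via %h.
path_is_anchored() {
    case "$1" in
        /*|%h/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report every value; return 1 if any unanchored one is present.
check_authorized_keys_file() {
    rc=0
    for v in $(authorized_keys_values "$1"); do
        if path_is_anchored "$v"; then
            echo "ok   $v"
        else
            echo "WARN $v has no %h prefix; sshd 5.4 resolves it relative to /"
            rc=1
        fi
    done
    return $rc
}

# Prefix %h/ to unanchored values on active lines only; the commented upstream
# default is left alone (awk rebuilds touched lines with single spaces).
fix_authorized_keys_file() {
    tmp="$1.tmp.$$"
    awk '/^[[:blank:]]*(#|$)/ { print; next }
         tolower($1) == "authorizedkeysfile" {
             for (i = 2; i <= NF; i++) if ($i !~ /^\/|^%h\//) $i = "%h/" $i
         }
         { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample (not a real host's file): the commented default, the
# uncommented relative form from the report, and an absolute per-user path
# written in lowercase to exercise case-insensitive keyword matching.
write_sample_config() {
    cat > "$1" <<'EOF'
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
authorizedkeysfile /etc/ssh/authorized_keys/%u
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
check_authorized_keys_file "$cfg" || fix_authorized_keys_file "$cfg"
check_authorized_keys_file "$cfg"
rm -f "$cfg"
```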