Bug 3406

Summary:

RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded

Product:

Portable OpenSSH

Reporter:

qji <robert.kulyassa>

Component:

Kerberos support

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED WORKSFORME

Severity:

normal

CC:

djm

Priority:

Version:

8.9p1

Hardware:

Other

OS:

Linux

Attachments:

Description	Flags
sshd_debug3_log_key_auth_failed.txt	none
ssh_client_debug3_log_key_auth_failed.txt	none

Description qji 2022-03-15 00:44:20 AEDT

I've set up an openssh server to use GSSAPI authentication (too), it all worked last week, I was able to login with password, ssh key or kerberos ticket, all the 3 worked fine. Today I updated the ssh server (8.8p1 -> 8.9p1), the kerberos and password auth still work, but when I try to use key authentication I get this:

sign_and_send_pubkey: internal error: initial hostkey not recorded

If I disable the GSSAPIKeyExchange then it works again (kerberos and password auth works in both case).



The environment:
client and server side are almost the same, Ubuntu 22.04 client and server:
openssh version: 8.9p1 (and earlier when it worked: 8.8p1)

sshd_config (almost default, just enabled the GSSAPIAuthentication)

Include /etc/ssh/sshd_config.d/*.conf # <- nothing here
LogLevel INFO
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp	/usr/lib/openssh/sftp-server


ps: May it be related to the "stricter UpdateHostkey signature verification logic" what I see in the 8.9 release notes? https://www.openssh.com/txt/release-8.9

Comment 1 Damien Miller 2022-03-15 09:56:41 AEDT

Please attach a full debug trace from the server. It's hard to tell what has gone wrong from just the error message.

Also:

> GSSAPIKeyExchange yes

This is a third-party patch to OpenSSH. It's fairly likely that this is causing the problem.

Comment 2 Damien Miller 2022-03-15 17:40:21 AEDT

specifically, the gssapi-kex patch probably needs something like:

> if (ssh->kex->initial_hostkey == NULL)
>         hostbound = 0;

added after the first "if" statement near the start of sshconnect2.c:sign_and_send_pubkey()

Comment 3 qji 2022-03-15 21:44:52 AEDT

Created attachment 3582 [details]
sshd_debug3_log_key_auth_failed.txt

Here is a sshd debug3 log showing the output the same time I ran the "ssh localadmin@myserver" command on my client.

Comment 4 qji 2022-03-15 21:51:02 AEDT

Created attachment 3583 [details]
ssh_client_debug3_log_key_auth_failed.txt

And here is the client log (ssh -vvv) for the same event (but a different session)

Comment 5 Damien Miller 2022-03-16 09:20:54 AEDT

Comment on attachment 3583 [details]
ssh_client_debug3_log_key_auth_failed.txt

thanks - yes, this is the 3rd-party gssapi-kex modification causing this. It needs a tweak like the one I described above

Comment 6 Damien Miller 2022-07-01 14:58:35 AEST

problem not in OpenSSH code but in a third-party patch

Comment 7 Damien Miller 2022-10-04 21:58:57 AEDT

Closing bugs from openssh-9.1 release cycle