Bug 2095 - ssh client not respecting IdentitiesOnly=yes option
Summary: ssh client not respecting IdentitiesOnly=yes option
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 6.2p1
Hardware: All All
: P5 trivial
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-01 02:50 AEST by christian.boitel
Modified: 2015-08-11 23:05 AEST (History)
1 user (show)

See Also:

Attachments
Fixes pubkey_create function to correctly take in account the identities_only option (3.58 KB, application/octet-stream)
2013-05-01 02:50 AEST, christian.boitel 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description christian.boitel 2013-05-01 02:50:48 AEST 
Created attachment 2253 [details]
Fixes pubkey_create function to correctly take in account the identities_only option

Hi all,

One of our user reported us a somewhat strange problem described below:
1/ Try to use ssh client to connect to a remote machine using an invalid identity file: as expected it is rejected.

Example: 
ssh -o BatchMode=yes -o IdentitiesOnly=yes -i /etc/hosts remote
Permission denied (publickey,password,keyboard-interactive).
2/ Use your public (not private) key instead of a valid identity file: it works ! Yes, you are dreaming: it looks like the user was able to connect using a public key.

Example:
ssh -o BatchMode=yes -o IdentitiesOnly=yes -i ~/.ssh/id_rsa.pub remote
Last login: Tue Apr 30 18:06:13 2013 on /dev/pts/16 from a.b.c.d

We tested on multiple OS (AIX, Linux, Windows/cygwin) and all ssh client (of different versions) reported the same behaviour. Downloaded the latest 6.2p1, recompiled it and found the latest version still exhibited this issue.

Further investigations finally have shown that user was authenticated through its ssh agent keys even though it was requested not to use them (IdentitiesOnly option). Unsetting SSH_AUTH prior to calling ssh would make it to prove it.

Since i had downloaded and recompiled the 6.2p1 code, i looked at the source code and found the issue was likely in pubkey_prepare inside sshconnect2.c in which identities_only option is tested a bit too late. I provided a unified diff as a suggested patch to this issue.

Detail about the problem/patch for pubkey_prepare function:
- at one point, pubkey_prepare checks if an agent is available 
  and loops through agent provided keys
- foreach agent keys, it tests them against config file provided keys: 
  * if found, agent key is directly added to the preferred agent key
    list and will therefore be used
  * if not found, agent key is added to an agent key list only if 
    identities_only option isn't set.
- pb in our case is that config file vs agent keys test works
  and agent keys are added in preferred key list (and later used) 
  before we get to test identities_only option 

My patch simply tests as early as possible the identities_only option and prevents from looping though agent keys that we should never be using if option is set (as said in the man page extract below).

Extract from ssh_config man page
    IdentitiesOnly
    Specifies that ssh(1) should only use the authentication identity
    files configured in the ssh_config files, even if ssh-agent(1) or
    a PKCS11Provider offers more identities.  The argument to this
    keyword must be “yes” or “no”.  This option is intended for situ‐
    ations where ssh-agent offers many different identities.  The
    default is “no”.

Hope it helps !
Comment 1 Damien Miller 2013-05-01 08:28:41 AEST 
IdentitiesOnly doesn't disable the agent, it's intended to allow _selection_ of which keys from an agent are used.

Using the public key to select which agent key is offered is perfectly valid; indeed it is exactly what this option is intended for.

If you don't want to use the agent at all, then unset SSH_AUTH_SOCK.
Comment 2 Damien Miller 2015-08-11 23:05:48 AEST 
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1