Bug 2229 - ssh adds and offers private key twice in certain constellations
Summary: ssh adds and offers private key twice in certain constellations
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.6p1
Hardware: Other Linux
Importance: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_7
Reported: 2014-04-16 22:04 AEST by Moritz Bunkus
Modified: 2023-01-13 13:38 AEDT (History)

See Also:


Attachments
avoid adding identity files twice (979 bytes, patch)
2014-04-17 09:32 AEST, Damien Miller

Description Moritz Bunkus 2014-04-16 22:04:40 AEST
My ssh offers one and the same private key twice if I connect to a host which has a HostName entry in ssh's config. Using this stripped-down configuration:

Host *
  IdentityFile ~/.ssh/key-mbunkus
  IdentitiesOnly yes

Host renegade renegade.bs.linet-services.de
  User grpadmin
  HostName renegade.bs.linet-services.de

Then I run ssh:

[0 mbunkus@chai-latte ~] ssh -F ~/.ssh/conf2 -a -v renegade
OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade.bs.linet-services.de
debug1: Connecting to renegade.bs.linet-services.de [10.199.93.23] port 22.
debug1: Connection established.
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1
debug1: match: OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA bd:3c:29:b5:18:53:e3:c0:d7:b1:a5:4f:bb:eb:d7:db
debug1: Host 'renegade.bs.linet-services.de' is known and matches the RSA host key.
debug1: Found key in /home/mbunkus/.ssh/known_hosts:961
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
grpadmin@renegade.bs.linet-services.de's password:

In my real-life configuration I actually have three identities listed. If each is used twice then this easily exhausts the number of tries, and I cannot try password authentication if the server only allows six tries.

This does not happen if the perceived/final host name equals the one given on the command line. Meaning "ssh -F ~/.ssh/conf2 -a -v renegade.bs.linet-services.de" is OK and looks like this:

[0 mbunkus@chai-latte ~] ssh -F ~/.ssh/conf2 -a -v renegade.bs.linet-services.de
OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: /home/mbunkus/.ssh/conf2 line 1: Applying options for *
debug1: /home/mbunkus/.ssh/conf2 line 5: Applying options for renegade.bs.linet-services.de
debug1: Connecting to renegade.bs.linet-services.de [10.199.93.23] port 22.
debug1: Connection established.
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1
debug1: match: OpenSSH_5.0 NetBSD_Secure_Shell-20080403+-hpn13v1 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA bd:3c:29:b5:18:53:e3:c0:d7:b1:a5:4f:bb:eb:d7:db
debug1: Host 'renegade.bs.linet-services.de' is known and matches the RSA host key.
debug1: Found key in /home/mbunkus/.ssh/known_hosts:961
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
grpadmin@renegade.bs.linet-services.de's password:

Note that the SSH agent is not in use: I've explicitly "unset SSH_AGENT_PID" before doing these tests.
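The failure mode the report describes is easy to miss until password authentication stops being offered, so a small checker over `ssh -v` output is useful. The following is an added example, not code from the report or from OpenSSH: it parses the debug1 lines quoted above (the sample below is a constructed excerpt of that transcript), counts how often each identity file was loaded and offered, and compares the number of public-key offers against the server's MaxAuthTries (assumed here to be the sshd default of 6), since every rejected offer consumes one try.

```python
import re
from collections import Counter

# Constructed sample: the relevant debug1 lines from the report, trimmed.
SAMPLE_LOG = """\
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/mbunkus/.ssh/conf2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: identity file /home/mbunkus/.ssh/key-mbunkus type 2
debug1: identity file /home/mbunkus/.ssh/key-mbunkus-cert type -1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /home/mbunkus/.ssh/key-mbunkus
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

OFFER_RE = re.compile(r"^debug1: Offering (?P<type>\S+) public key: (?P<id>.+)$")
IDENT_RE = re.compile(r"^debug1: identity file (?P<path>\S+) type (?P<type>-?\d+)$")
REREAD_MARK = "debug1: Hostname has changed; re-reading configuration"


def analyse(log, max_auth_tries=6):
    """Summarise identity loading and public-key offers from ssh -v output.

    max_auth_tries defaults to sshd's default MaxAuthTries (6); pass the real
    value for the server you are connecting to if it differs.
    """
    loaded = Counter()
    offered = Counter()
    reread = False
    for line in log.splitlines():
        line = line.rstrip()
        if line == REREAD_MARK:
            reread = True
            continue
        m = IDENT_RE.match(line)
        if m:
            # type -1 means ssh found no key at that path (e.g. a missing -cert
            # file); only files that actually loaded can be offered.
            if m.group("type") != "-1":
                loaded[m.group("path")] += 1
            continue
        m = OFFER_RE.match(line)
        if m:
            offered[m.group("id")] += 1

    total_offers = sum(offered.values())
    return {
        "config_reread": reread,
        "loaded": dict(loaded),
        "offered": dict(offered),
        "duplicate_offers": {k: n for k, n in offered.items() if n > 1},
        "total_offers": total_offers,
        # If the rejected offers alone reach the limit, the server disconnects
        # before password or keyboard-interactive get a turn.
        "exhausts_max_auth_tries": total_offers >= max_auth_tries,
        "remaining_tries": max(max_auth_tries - total_offers, 0),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a saved `ssh -v host 2>&1` transcript; a non-empty `duplicate_offers` together with `config_reread` being true is the signature of this bug, and `remaining_tries` tells you whether a fallback method will still be reachable.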
Comment 1 Moritz Bunkus 2014-04-16 22:29:49 AEST
…and I meant SSH_AUTH_SOCK instead of SSH_AGENT_PID. Sorry for that.
Comment 2 Damien Miller 2014-04-17 09:32:52 AEST
Created attachment 2426 [details]
avoid adding identity files twice

This is fallout from the configuration reparsing changes in 6.6p1.

We should probably avoid adding identities that are already in the list.
Comment 3 Damien Miller 2014-04-25 10:26:41 AEST
Committed; will be in OpenSSH-6.7
Comment 4 Damien Miller 2014-10-08 08:00:15 AEDT
Close all bugs left open from 6.6 and 6.7 releases.
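To make the mechanism concrete: comment 2 attributes the duplicate to the configuration being applied a second time after HostName changes the host, with each pass appending the same IdentityFile, and proposes skipping identities already in the list. The following is an added model of that behaviour, not the OpenSSH source or the committed patch. It uses a hypothetical minimal ssh_config parser (Host blocks only, first value wins for ordinary keywords, IdentityFile accumulates), re-applies the config against the new hostname the way the report's debug output shows, and lets you switch the duplicate check on and off. The config text is the reporter's stripped-down conf2.

```python
import fnmatch

# Constructed input: the stripped-down configuration from the bug description.
CONFIG = """\
Host *
  IdentityFile ~/.ssh/key-mbunkus
  IdentitiesOnly yes

Host renegade renegade.bs.linet-services.de
  User grpadmin
  HostName renegade.bs.linet-services.de
"""


def parse_config(text):
    """Hypothetical minimal parser: returns [(host_patterns, [(keyword, value)])].

    Keywords are case-insensitive; only the 'Keyword value' form and Host
    blocks are understood (no Match, no 'Keyword=value').
    """
    blocks = []
    patterns, opts = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), []
        else:
            opts.append((key, value.strip()))
    if opts:
        blocks.append((patterns, opts))
    return blocks


def add_identity_file(options, path, dedup):
    """Append an IdentityFile; with dedup, ignore a path already registered."""
    files = options.setdefault("identityfile", [])
    if dedup and path in files:
        return
    files.append(path)


def apply_options(blocks, host, options, dedup):
    """Apply every Host block matching `host` onto `options` (mutated, returned)."""
    for patterns, opts in blocks:
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in opts:
            if key == "identityfile":
                add_identity_file(options, value, dedup)
            else:
                options.setdefault(key, value)   # first obtained value wins
    return options


def resolve(config_text, host_arg, dedup=True):
    """Return (options, reread): reread is True when HostName changed the host
    and the configuration was applied a second time on top of the first pass."""
    blocks = parse_config(config_text)
    options = apply_options(blocks, host_arg, {}, dedup)
    hostname = options.get("hostname")
    reread = bool(hostname) and hostname != host_arg
    if reread:
        apply_options(blocks, hostname, options, dedup)
    return options, reread


if __name__ == "__main__":
    for host in ("renegade", "renegade.bs.linet-services.de"):
        for dedup in (False, True):
            opts, reread = resolve(CONFIG, host, dedup)
            print(f"{host:32} dedup={dedup!s:5} reread={reread!s:5} "
                  f"identities={opts['identityfile']}")
```

With `dedup=False` and the short name on the command line the identity list holds the same file twice, matching the two `identity file` lines in the report; connecting with the full name skips the re-read and lists it once; with the duplicate check on, both spellings give a single entry. The real fix lives in the client's IdentityFile handling rather than in a parser like this one, but the invariant it enforces is the same: re-applying the configuration must not grow the identity list.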