Bug 3406 - RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 8.9p1
Hardware: Other Linux
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2022-03-15 00:44 AEDT by qji
Modified: 2022-10-04 21:58 AEDT

Attachments
sshd_debug3_log_key_auth_failed.txt (23.12 KB, text/plain), 2022-03-15 21:44 AEDT, qji
ssh_client_debug3_log_key_auth_failed.txt (10.62 KB, text/plain), 2022-03-15 21:51 AEDT, qji

Description qji 2022-03-15 00:44:20 AEDT
I've set up an OpenSSH server to use GSSAPI authentication (too). It all worked last week: I was able to log in with a password, an SSH key or a Kerberos ticket, and all three worked fine. Today I updated the SSH server (8.8p1 -> 8.9p1). Kerberos and password auth still work, but when I try to use key authentication I get this:

sign_and_send_pubkey: internal error: initial hostkey not recorded

If I disable GSSAPIKeyExchange then it works again (Kerberos and password auth work in both cases).

The environment:
Client and server are almost the same, both Ubuntu 22.04:
OpenSSH version: 8.9p1 (and 8.8p1 earlier, when it still worked)

sshd_config (almost default, I just enabled GSSAPIAuthentication):

Include /etc/ssh/sshd_config.d/*.conf # <- nothing here
LogLevel INFO
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp	/usr/lib/openssh/sftp-server


PS: Could it be related to the "stricter UpdateHostkey signature verification logic" that I see in the 8.9 release notes? https://www.openssh.com/txt/release-8.9
Comment 1 Damien Miller 2022-03-15 09:56:41 AEDT
Please attach a full debug trace from the server. It's hard to tell what has gone wrong from just the error message.

Also:

> GSSAPIKeyExchange yes

This is a third-party patch to OpenSSH. It's fairly likely that this is causing the problem.
Comment 2 Damien Miller 2022-03-15 17:40:21 AEDT
Specifically, the gssapi-kex patch probably needs something like:

> if (ssh->kex->initial_hostkey == NULL)
>         hostbound = 0;

added after the first "if" statement near the start of sshconnect2.c:sign_and_send_pubkey().
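A constructed model of the decision Comment 2 describes, added here as an illustration and not OpenSSH's or the gssapi-kex patch's own code; the struct, flag value and function names are assumptions. It shows why a key exchange that never records the initial host key turns the hostbound publickey method into the "internal error", and how the suggested check falls back to plain "publickey" instead.

```c
#include <stddef.h>
#include <string.h>

/* Assumed flag: the server advertised publickey-hostbound-v00@openssh.com. */
#define KEX_HAS_PUBKEY_HOSTBOUND 0x1

/* Minimal stand-in for ssh->kex (constructed, not OpenSSH's struct). */
struct kex {
    int flags;
    const char *initial_hostkey;  /* NULL if the KEX never recorded it */
};

enum pubkey_outcome { PUBKEY_PLAIN, PUBKEY_HOSTBOUND, PUBKEY_INTERNAL_ERROR };

/* Models the start of sign_and_send_pubkey(): pick the method from the
 * server's advertisement, optionally apply the check from Comment 2, then
 * require the recorded host key whenever the hostbound variant is used. */
enum pubkey_outcome choose_pubkey_method(const struct kex *kex, int apply_fix,
    const char **method)
{
    int hostbound = 0;

    *method = "publickey";
    if (kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) {
        *method = "publickey-hostbound-v00@openssh.com";
        hostbound = 1;
    }
    /* Suggested tweak: no recorded initial hostkey means no hostbound auth. */
    if (apply_fix && kex->initial_hostkey == NULL) {
        hostbound = 0;
        *method = "publickey";
    }
    if (hostbound) {
        if (kex->initial_hostkey == NULL)
            return PUBKEY_INTERNAL_ERROR;  /* "initial hostkey not recorded" */
        return PUBKEY_HOSTBOUND;  /* host key is appended to the signed data */
    }
    return PUBKEY_PLAIN;
}

/* Runs one scenario: does the server offer hostbound auth, did the KEX
 * record the host key (constructed placeholder value), is the fix applied. */
enum pubkey_outcome run_case(int server_offers_hostbound, int hostkey_recorded,
    int apply_fix)
{
    struct kex kex;
    const char *method;

    kex.flags = server_offers_hostbound ? KEX_HAS_PUBKEY_HOSTBOUND : 0;
    kex.initial_hostkey = hostkey_recorded ? "constructed-hostkey" : NULL;
    return choose_pubkey_method(&kex, apply_fix, &method);
}
```

With the stock key exchange the host key is recorded and the hostbound method succeeds; with a KEX that leaves it NULL the unfixed path hits the fatal error while the fixed path downgrades to plain publickey.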
Comment 3 qji 2022-03-15 21:44:52 AEDT
Created attachment 3582 [details]
sshd_debug3_log_key_auth_failed.txt

Here is an sshd debug3 log showing the output at the same time I ran the "ssh localadmin@myserver" command on my client.
Comment 4 qji 2022-03-15 21:51:02 AEDT
Created attachment 3583 [details]
ssh_client_debug3_log_key_auth_failed.txt

And here is the client log (ssh -vvv) for the same event (but a different session).
Comment 5 Damien Miller 2022-03-16 09:20:54 AEDT
Comment on attachment 3583 [details]
ssh_client_debug3_log_key_auth_failed.txt

Thanks - yes, this is the 3rd-party gssapi-kex modification causing this. It needs a tweak like the one I described above.
Comment 6 Damien Miller 2022-07-01 14:58:35 AEST
Problem not in OpenSSH code but in a third-party patch.
Comment 7 Damien Miller 2022-10-04 21:58:57 AEDT
Closing bugs from openssh-9.1 release cycle