I've set up an openssh server to use GSSAPI authentication (too); it all worked last week: I was able to log in with password, ssh key or kerberos ticket, all three worked fine. Today I updated the ssh server (8.8p1 -> 8.9p1); the kerberos and password auth still work, but when I try to use key authentication I get this:

sign_and_send_pubkey: internal error: initial hostkey not recorded

If I disable the GSSAPIKeyExchange then it works again (kerberos and password auth work in both cases).

The environment: client and server side are almost the same, Ubuntu 22.04 client and server:
openssh version: 8.9p1 (and earlier, when it worked: 8.8p1)
sshd_config (almost default, just enabled the GSSAPIAuthentication):

Include /etc/ssh/sshd_config.d/*.conf # <- nothing here
LogLevel INFO
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

PS: May it be related to the "stricter UpdateHostkey signature verification logic" that I see in the 8.9 release notes? https://www.openssh.com/txt/release-8.9
Please attach a full debug trace from the server. It's hard to tell what has gone wrong from just the error message.

Also:

> GSSAPIKeyExchange yes

This is a third-party patch to OpenSSH. It's fairly likely that this is causing the problem.
Specifically, the gssapi-kex patch probably needs something like:

> if (ssh->kex->initial_hostkey == NULL)
>     hostbound = 0;

added after the first "if" statement near the start of sshconnect2.c:sign_and_send_pubkey().
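To make the failure mode and the suggested tweak concrete, here is an added example that is not OpenSSH's code and not part of this bug thread: a simplified model of the choice the 8.9 client makes in sign_and_send_pubkey() between the plain "publickey" method and "publickey-hostbound-v00@openssh.com". The struct name model_kex, the flag KEX_HAS_PUBKEY_HOSTBOUND, the function names and the '|'-separated rendering of the signed data are illustrative assumptions, not OpenSSH's real types or wire format. It shows why a key exchange that records no host key (as the third-party GSSAPI KEX does) ends in the "initial hostkey not recorded" error, and how the one-line fallback avoids it.

```c
/*
 * Added example (not OpenSSH's code): a simplified model of the decision
 * OpenSSH 8.9's sign_and_send_pubkey() makes between the plain "publickey"
 * method and "publickey-hostbound-v00@openssh.com". Names such as
 * model_kex and KEX_HAS_PUBKEY_HOSTBOUND are illustrative assumptions.
 */
#include <stdio.h>
#include <string.h>

/* Assumed flag bit: the server advertised hostbound publickey auth. */
#define KEX_HAS_PUBKEY_HOSTBOUND 0x1u

struct model_kex {
    unsigned int flags;
    const char *initial_hostkey; /* NULL if the KEX recorded no host key */
};

enum pubkey_method {
    METHOD_PLAIN,          /* "publickey" */
    METHOD_HOSTBOUND,      /* "publickey-hostbound-v00@openssh.com" */
    METHOD_INTERNAL_ERROR  /* "internal error: initial hostkey not recorded" */
};

/* Behaviour seen in the bug: hostbound is selected whenever the server
 * offered it, and a missing initial host key is then a fatal internal error. */
enum pubkey_method choose_method_before_fix(const struct model_kex *kex)
{
    int hostbound = (kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0;

    if (hostbound && kex->initial_hostkey == NULL)
        return METHOD_INTERNAL_ERROR;
    return hostbound ? METHOD_HOSTBOUND : METHOD_PLAIN;
}

/* With the tweak suggested above: a KEX that recorded no host key (the
 * GSSAPI key exchange) cannot use hostbound auth, so fall back to plain. */
enum pubkey_method choose_method_after_fix(const struct model_kex *kex)
{
    int hostbound = (kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0;

    if (kex->initial_hostkey == NULL)
        hostbound = 0;
    return hostbound ? METHOD_HOSTBOUND : METHOD_PLAIN;
}

const char *method_name(enum pubkey_method m)
{
    switch (m) {
    case METHOD_PLAIN:     return "publickey";
    case METHOD_HOSTBOUND: return "publickey-hostbound-v00@openssh.com";
    default:               return "internal error: initial hostkey not recorded";
    }
}

/*
 * Data the client signs, rendered as '|'-separated fields rather than SSH
 * wire encoding (an assumption for readability). The hostbound variant
 * appends the server host key, which is what ties the signature to this
 * server and why there is nothing to append when the KEX had no host key.
 * Returns the length written, or -1 on error.
 */
int build_signed_data(enum pubkey_method m, const char *session_id,
                      const char *user, const char *pubkey,
                      const char *hostkey, char *out, size_t outlen)
{
    size_t used;
    int n;

    if (m == METHOD_INTERNAL_ERROR)
        return -1;
    n = snprintf(out, outlen, "%s|50|%s|ssh-connection|%s|%s",
                 session_id, user, method_name(m), pubkey);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;
    if (m == METHOD_HOSTBOUND) {
        if (hostkey == NULL)
            return -1;
        n = snprintf(out + used, outlen - used, "|%s", hostkey);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed scenario: server offers hostbound auth, but the GSSAPI
     * KEX left no initial host key behind. */
    struct model_kex gss_kex = { KEX_HAS_PUBKEY_HOSTBOUND, NULL };
    char buf[256];

    printf("before fix: %s\n", method_name(choose_method_before_fix(&gss_kex)));
    printf("after fix:  %s\n", method_name(choose_method_after_fix(&gss_kex)));
    if (build_signed_data(choose_method_after_fix(&gss_kex), "sid",
                          "localadmin", "pk", NULL, buf, sizeof buf) > 0)
        printf("signed data: %s\n", buf);
    return 0;
}
```

The point of the fallback is that the hostbound method is an optimisation that only exists when the key exchange yields a server host key to bind to; when it does not, the plain method is the correct choice rather than an internal error.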
Created attachment 3582 [details] sshd_debug3_log_key_auth_failed.txt Here is a sshd debug3 log showing the output the same time I ran the "ssh localadmin@myserver" command on my client.
Created attachment 3583 [details] ssh_client_debug3_log_key_auth_failed.txt And here is the client log (ssh -vvv) for the same event (but a different session).
Comment on attachment 3583 [details] ssh_client_debug3_log_key_auth_failed.txt Thanks - yes, this is the 3rd-party gssapi-kex modification causing this. It needs a tweak like the one I described above.
Problem is not in OpenSSH code but in a third-party patch.
Closing bugs from openssh-9.1 release cycle