[Bug 3406] New: RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded

bugzilla-daemon at mindrot.org
Tue Mar 15 00:44:20 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3406

            Bug ID: 3406
           Summary: RSA key authentication doesn't work with enabled
                    GSSAPIKeyExchange: sign_and_send_pubkey: internal
                    error: initial hostkey not recorded
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: robert.kulyassa at gmail.com

I've set up an OpenSSH server to use GSSAPI authentication (too). It
all worked last week: I was able to log in with a password, SSH key or
Kerberos ticket, and all 3 worked fine. Today I updated the SSH server
(8.8p1 -> 8.9p1). The Kerberos and password auth still work, but when I
try to use key authentication I get this:

sign_and_send_pubkey: internal error: initial hostkey not recorded

If I disable GSSAPIKeyExchange then it works again (Kerberos and
password auth work in both cases).



The environment:
The client and server sides are almost the same, Ubuntu 22.04 client and
server:
OpenSSH version: 8.9p1 (and earlier, when it worked: 8.8p1)

sshd_config (almost default, just enabled the GSSAPIAuthentication)

Include /etc/ssh/sshd_config.d/*.conf # <- nothing here
LogLevel INFO
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp  /usr/lib/openssh/sftp-server


PS: Might it be related to the "stricter UpdateHostkey signature
verification logic" that I see in the 8.9 release notes?
https://www.openssh.com/txt/release-8.9
