Bug? between OpenSSH 6.4p1 and 6.5p1(also 6.6p1)
Iain Morgan
imorgan at nas.nasa.gov
Sat Mar 22 11:53:15 EST 2014
On Fri, Mar 21, 2014 at 10:15:56 -0600, Pieter Bowman wrote:
> The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and
> still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign
> turned on, I am seeing one of two sets of messages:
>
> no matching hostkey found
> ssh_keysign: no reply
> key_sign failed
>
> and
>
> not a valid request
> ssh_keysign: no reply
> key_sign failed
>
>
> Then in either case two password prompts:
>
> bowman at HOST.math.utah.edu's password:
> Permission denied, please try again.
> bowman at HOST.math.utah.edu's password:
>
>
> I've used strace and dtrace to watch what files are opened and
> executables run. All the correct key files are accessed and the
> correct version of ssh-keysign used. Even the ssh-keysign from 6.5p1
> or 6.6p1 works correctly with ssh from 6.4p1.
>
The ssh -vvv output might be of a little interest. I'm particularly
curious as to whether you get the messages that you quoted with each
keysign request or just the one for the ed25519 key.
The behavour sounds like there is a version mismatch which is causing it
to choke on the ed25519 key. You indicate that the correct ssh-keysign
is being invoked, or at least the right path is used. Try running
strings on the executable and grep for ed25519.
Were yyou deliberately failing the two password prompts, or is that
anouther aspect of the problem?
--
Iain Morgan
More information about the openssh-unix-dev
mailing list