Debian Bug report logs - #783606
Host not saved into known_hosts


Package: libpam-sshauth; Maintainer for libpam-sshauth is (unknown);

Reported by: Petr Šťastný <petr@stastny.eu>

Date: Tue, 28 Apr 2015 10:39:02 UTC

Severity: normal

Fixed in version libpam-sshauth/0.4.1-1

Done: Vagrant Cascadian <vagrant@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth. (Tue, 28 Apr 2015 10:39:07 GMT)


Acknowledgement sent to Petr Šťastný <petr@stastny.eu>:
New Bug report received and forwarded. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Tue, 28 Apr 2015 10:39:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Petr Šťastný <petr@stastny.eu>
To: submit@bugs.debian.org
Subject: Host not saved into known_hosts
Date: Tue, 28 Apr 2015 12:34:53 +0200
Package: libpam-sshauth

I'm using this PAM module for sudo authentication, which works perfectly
except for one thing - it does not save the trusted host to known_hosts and
always asks "Server unknown. Trust?"

/etc/pam.d/sudo content:

auth sufficient pam_sshauth.so debug nostrict host=x.x.x.x port=22

I tried to connect to that SSH server manually (using ssh). I tried it
as a normal user (which calls sudo) and as root. The server key is stored in
known_hosts, but libpam-sshauth does not accept it?

man pam_sshauth says:

nostrict
If contacting a host for which we don't have an entry in known_hosts,
ask, via the pam prompts, if you'd like to trust this host, and add it
to your known_hosts file.  The default will be to fail the authentication.

There is no error message in any log saying that it is unable to
read/write known_hosts.

auth log says this:

sudo: pam_sshauth(sudo:auth): Authentication begins.
sudo: pam_sshauth(sudo:auth): Connected to host x.x.x.x
sudo: pam_sshauth(sudo:auth): Server not in known_hosts file.
sudo: pam_sshauth(sudo:auth): Authentication methods supported: password,keyboard-interactive
sudo: pam_sshauth(sudo:auth): Trying keyboard interactive authentication.
sudo: pam_sshauth(sudo:auth): Authenticated successfully.
sudo: pam_sshauth(sudo:auth): Authentication finished.





Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth. (Tue, 05 May 2015 18:30:04 GMT)


Acknowledgement sent to Petr Šťastný <petr@stastny.eu>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Tue, 05 May 2015 18:30:04 GMT)


Message #10 received at 783606@bugs.debian.org:

From: Petr Šťastný <petr@stastny.eu>
To: 783606@bugs.debian.org
Subject: Re: Bug#783606: Acknowledgement (Host not saved into known_hosts)
Date: Tue, 05 May 2015 20:18:45 +0200
I just dug more deeply into this problem.

First problem: I found that pam_sshauth reads /etc/ssh/ssh_known_hosts,
which is not mentioned in the manual page, and I was not able to figure
out which known_hosts file is used. I had to have a look into the source code.

Second problem: pam_sshauth seems not to write anything into
/etc/ssh/ssh_known_hosts although manual page states that "If contacting
a host for which we don't have an entry in known_hosts, ask, via the pam
prompts, if you'd like to trust this host, and add it to your
known_hosts file.  The default will be to fail the authentication." I
interpret this information as meaning it should add the host into
ssh_known_hosts when I say "yes". But there is nothing about saving the
host key in pam_sshauth's source code.

Third and main problem: pam_sshauth does not work with hashed
known_hosts entries, which is default behavior in Debian Jessie (at
least, I don't know the situation in previous releases).

If I create /etc/ssh/ssh_known_hosts manually using the following
command, it works:

ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts

But this (which is the Debian Jessie default) does not work (the host
name/address output is hashed) - pam_sshauth ignores these entries:

ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
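The hashed form that the report contrasts with plain entries is OpenSSH's HashKnownHosts encoding, `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`. The following Python is an added example, not pam_sshauth's or OpenSSH's code, of a known_hosts lookup that recognises both forms beside the plain string comparison that never finds hashed entries; the addresses, salt and key data are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample values: documentation-range addresses stand in for the
# report's X.X.X.X and the key data is a placeholder, not a real host key.
KEYTYPE = "ssh-ed25519"
KEYDATA = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotArealHostKey"
SALT = bytes(range(20))  # fixed 20-byte salt so the hashed entry is reproducible

def hash_hostname(host: str, salt: bytes) -> str:
    """Encode host as ssh-keyscan -H does: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches_field(host: str, field: str) -> bool:
    """True if host is covered by a known_hosts hostname field, hashed or plain."""
    if field.startswith("|1|"):
        parts = field.split("|")  # ['', '1', salt_b64, digest_b64]
        if len(parts) != 4:
            return False
        try:
            salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        except ValueError:  # malformed base64 is a non-match, never a match
            return False
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")  # a plain field may list several names

def find_host_keys(host: str, known_hosts_text: str, hashed_aware: bool = True):
    """Return (keytype, keydata) pairs for host; hashed_aware=False is the plain
    string comparison under which hashed entries are simply never found."""
    keys = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # skip blanks, comments and @cert-authority/@revoked marker lines
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        names, keytype, keydata = fields[0], fields[1], fields[2]
        matched = host_matches_field(host, names) if hashed_aware else host in names.split(",")
        if matched:
            keys.append((keytype, keydata))
    return keys

# Constructed ssh_known_hosts: a plain entry (ssh-keyscan X.X.X.X) and a hashed
# entry (ssh-keyscan -H X.X.X.X), the two cases the report contrasts.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.0.2.10 %s %s" % (KEYTYPE, KEYDATA),
    "%s %s %s" % (hash_hostname("192.0.2.20", SALT), KEYTYPE, KEYDATA),
])
```

With the same file, `find_host_keys("192.0.2.20", SAMPLE_KNOWN_HOSTS)` returns the key while the `hashed_aware=False` lookup returns nothing, which is exactly the "Server not in known_hosts file" outcome the auth log shows.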





Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth. (Wed, 06 May 2015 10:27:05 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Wed, 06 May 2015 10:27:05 GMT)


Message #15 received at 783606@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: Petr Šťastný <petr@stastny.eu>, 783606@bugs.debian.org
Subject: Re: [Pkg-ltsp-devel] Bug#783606: Host not saved into known_hosts
Date: Wed, 06 May 2015 12:23:14 +0200
[Petr Šťastný]
> I just dug more deeply into this problem.
>
> First problem: I found that pam_sshauth reads
> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page, and I
> was not able to figure out which known_hosts file is used. I had to
> have a look into the source code.

Good to hear that it is reading the global file.

> Second problem: pam_sshauth seems not to write anything into
> /etc/ssh/ssh_known_hosts although manual page states that "If
> contacting a host for which we don't have an entry in known_hosts,
> ask, via the pam prompts, if you'd like to trust this host, and add it
> to your known_hosts file.  The default will be to fail the
> authentication." I interpret this information as it should add the
> host into ssh_known_hosts when I say "yes". But there is nothing about
> saving the host key in pam_sshauth's source code.

Good to see that it is not writing in the global file.  I suspect it
should be made clear in the documentation.  That global file should be
updated "out of band" like you describe here:

> Third and main problem: pam_sshauth does not work with hashed
> known_hosts entries, which is default behavior in Debian Jessie (at
> least, I don't know the situation in previous releases).
>
> If I create /etc/ssh/ssh_known_hosts manually using the following
> command, it works:
>
> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>
> But this (which is the Debian Jessie default) does not work (the host
> name/address output is hashed) - pam_sshauth ignores these entries:
>
> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts

I guess this is the real missing feature here.  The pam module should
understand the same global known_hosts file as the ssh client.

I would also suggest to change the documentation to document that the
ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
the prompt about adding the host key to a file.

-- 
Happy hacking
Petter Reinholdtsen



Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth. (Thu, 02 Jul 2015 14:48:08 GMT)


Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Thu, 02 Jul 2015 14:48:08 GMT)


Message #20 received at 783606@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>, Petr Šťastný <petr@stastny.eu>, 783606@bugs.debian.org
Subject: Re: Bug#783606: Host not saved into known_hosts
Date: Thu, 02 Jul 2015 07:45:35 -0700
Control: clone 783606 -1
Control: retitle -1 libpam-sshauth: handle hashed entries in ssh_known_hosts
Control: tags 783606 pending

On 2015-05-06, Petter Reinholdtsen wrote:
> [Petr Šťastný]
>> I just dug more deeply into this problem.
>>
>> First problem: I found that pam_sshauth reads
>> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page, and I
>> was not able to figure out which known_hosts file is used. I had to
>> have a look into the source code.
>
> Good to hear that it is reading the global file.
>
>> Second problem: pam_sshauth seems not to write anything into
>> /etc/ssh/ssh_known_hosts although manual page states that "If
>> contacting a host for which we don't have an entry in known_hosts,
>> ask, via the pam prompts, if you'd like to trust this host, and add it
>> to your known_hosts file.  The default will be to fail the
>> authentication." I interpret this information as it should add the
>> host into ssh_known_hosts when I say "yes". But there is nothing about
>> saving the host key in pam_sshauth's source code.
>
> Good to see that it is not writing in the global file.

Agreed.

> I suspect it
> should be made clear in the documentation.  That global file should be
> updated "out of band" like you describe here:

Updated the pam_sshauth manpage in bzr to point to the sshd manpage
which describes how to update ssh_known_hosts.


>> Third and main problem: pam_sshauth does not work with hashed
>> known_hosts entries, which is default behavior in Debian Jessie (at
>> least, I don't know the situation in previous releases).
>>
>> If I create /etc/ssh/ssh_known_hosts manually using the following
>> command, it works:
>>
>> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>>
>> But this (which is the Debian Jessie default) does not work (the host
>> name/address output is hashed) - pam_sshauth ignores these entries:
>>
>> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
>
> I guess this is the real missing feature here.  The pam module should
> understand the same global known_hosts file as the ssh client.

Cloned bug for this issue.


> I would also suggest to change the documentation to document that the
> ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
> the prompt about adding the host key to a file.

Documented in bzr, will be included in next upload.


live well,
  vagrant

Bug 783606 cloned as bug 790874. Request was from Vagrant Cascadian <vagrant@debian.org> to 783606-submit@bugs.debian.org. (Thu, 02 Jul 2015 14:48:08 GMT)


Added tag(s) pending. Request was from Vagrant Cascadian <vagrant@debian.org> to 783606-submit@bugs.debian.org. (Thu, 02 Jul 2015 14:48:10 GMT)


Reply sent to Vagrant Cascadian <vagrant@debian.org>:
You have taken responsibility. (Thu, 18 Feb 2016 23:24:11 GMT)


Notification sent to Petr Šťastný <petr@stastny.eu>:
Bug acknowledged by developer. (Thu, 18 Feb 2016 23:24:11 GMT)


Message #29 received at 783606-close@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: 783606-close@bugs.debian.org
Subject: Bug#783606: fixed in libpam-sshauth 0.4.1-1
Date: Thu, 18 Feb 2016 23:20:55 +0000
Source: libpam-sshauth
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
libpam-sshauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783606@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated libpam-sshauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 18 Feb 2016 13:54:35 -0800
Source: libpam-sshauth
Binary: libpam-sshauth
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description:
 libpam-sshauth - authenticate using an SSH server
Closes: 783606 789106 805879
Changes:
 libpam-sshauth (0.4.1-1) unstable; urgency=medium
 .
   [ Scott Balneaves ]
   * Fixed compiler warnings (LP: #1545393).
 .
   [ Vagrant Cascadian ]
   * debian/control:
     - Add build-depends on zlib1g-dev (Closes: #789106).  Thanks to Chris
       West (Faux) for the Report.
     - Update Standards-Version to 3.9.6, no changes needed.
   * man/pam_sshauth.8: Improve documentation of nostrict option by
     referring to /etc/ssh/ssh_known_hosts and removing incorrect
     information about saving entries. (Closes: #783606).
 .
   [ Benoît Guyard ]
   * Added back support for publickey authentication (Closes: #805879).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 23 Mar 2016 07:26:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:05:54 2023; Machine Name: buxtehude
