Debian Bug report logs - #790874
libpam-sshauth: handle hashed entries in ssh_known_hosts
Reported by: Petr Šťastný <petr@stastny.eu>
Date: Tue, 28 Apr 2015 10:39:02 UTC
Severity: normal
Fixed in version 0.4.1-2+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth.
(Tue, 28 Apr 2015 10:39:07 GMT)
Acknowledgement sent
to Petr Šťastný <petr@stastny.eu>:
New Bug report received and forwarded. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.
(Tue, 28 Apr 2015 10:39:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libpam-sshauth
I'm using this PAM module for sudo authentication, which works perfectly
except for one thing: it does not save the trusted host to known_hosts and
always asks "Server unknown. Trust?"
/etc/pam.d/sudo content:
auth sufficient pam_sshauth.so debug nostrict host=x.x.x.x port=22
I tried to connect to that SSH server manually (using ssh). I tried it
as normal user (which calls sudo) and as root. Server key is stored in
known_hosts, but libpam-sshauth does not accept it?
man pam_sshauth says:
nostrict
If contacting a host for which we don't have an entry in known_hosts,
ask, via the pam prompts, if you'd like to trust this host, and add it
to your known_hosts file. The default will be to fail the authentication.
There is no error message in any log saying that it is unable to
read/write known_hosts.
auth log says this:
sudo: pam_sshauth(sudo:auth): Authentication begins.
sudo: pam_sshauth(sudo:auth): Connected to host x.x.x.x
sudo: pam_sshauth(sudo:auth): Server not in known_hosts file.
sudo: pam_sshauth(sudo:auth): Authentication methods supported: password,keyboard-interactive
sudo: pam_sshauth(sudo:auth): Trying keyboard interactive authentication.
sudo: pam_sshauth(sudo:auth): Authenticated successfully.
sudo: pam_sshauth(sudo:auth): Authentication finished.
Information forwarded
to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth.
(Tue, 05 May 2015 18:30:04 GMT)
Acknowledgement sent
to Petr Šťastný <petr@stastny.eu>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.
(Tue, 05 May 2015 18:30:04 GMT)
Message #10 received at 783606@bugs.debian.org:
I just dug more deeply into this problem.
First problem: I found that pam_sshauth reads /etc/ssh/ssh_known_hosts,
which is not mentioned in the manual page, and I was not able to figure out
which known_hosts file is used. I had to have a look into the source code.
Second problem: pam_sshauth seems not to write anything into
/etc/ssh/ssh_known_hosts although manual page states that "If contacting
a host for which we don't have an entry in known_hosts, ask, via the pam
prompts, if you'd like to trust this host, and add it to your
known_hosts file. The default will be to fail the authentication." I
interpret this information as it should add the host into
ssh_known_hosts when I say "yes". But there is nothing about saving the
host key in pam_sshauth's source code.
Third and main problem: pam_sshauth does not work with hashed
known_hosts entries, which is the default behavior in Debian Jessie (at
least; I don't know the situation in previous releases).
If I create /etc/ssh/ssh_known_hosts manually using the following
command, it works:
ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
But this (which is the Debian Jessie default) does not work (the host
name/address output is hashed); pam_sshauth ignores these entries:
ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
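The hashed-entry handling that the message above reports as missing, written here as an added Python example rather than anything taken from libpam-sshauth or OpenSSH: it reads a known_hosts file the way the OpenSSH client does, matching plain, comma-separated and `|1|salt|hash` (HMAC-SHA1 keyed with the salt) host fields, the `[host]:port` form OpenSSH uses for non-standard ports, and `@revoked` markers, and returns the verdict a PAM module would act on (only "ok" should authenticate; "unknown" is where the nostrict prompt belongs). The key blobs, hostnames and salt are constructed sample values, not real host keys.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample key blobs (not real host keys): only hostname matching
# and revocation handling are exercised, so the key bytes are arbitrary.
KEY_A = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyA000000000000000")
KEY_B = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyB000000000000000")


def canonical_name(host, port=22):
    """OpenSSH stores plain 'host' for port 22 and '[host]:port' otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_hostname(name, salt):
    """Build the '|1|b64(salt)|b64(HMAC-SHA1(salt, name))' field that
    ssh-keyscan -H and HashKnownHosts write."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def make_hashed_line(name, key, salt=None):
    """Build one hashed known_hosts line; OpenSSH uses a 20-byte random salt."""
    salt = os.urandom(20) if salt is None else salt
    return "%s %s %s" % (hashed_hostname(name, salt), key[0], key[1])


def hostfield_matches(field, name):
    """True if one host field (plain, comma-separated or hashed) covers `name`."""
    if field.startswith("|1|"):
        parts = field.split("|")            # ['', '1', salt, mac]
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2], validate=True)
            expected = base64.b64decode(parts[3], validate=True)
        except ValueError:
            return False
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return name in field.split(",")


def parse_known_hosts(text):
    """Yield (marker, hostfield, key_type, key_b64) for each usable line,
    skipping blank lines and comments; marker is '@revoked' etc. or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, _, line = line.partition(" ")
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        yield marker, parts[0], parts[1], parts[2]


def verify_host_key(text, host, key_type, key_b64, port=22):
    """Decide what to do with a presented host key: 'revoked' beats everything,
    then 'ok' (an entry matches), then 'mismatch' (host known under a different
    key of the same type), else 'unknown'."""
    name = canonical_name(host, port)
    same_type_seen = False
    verdict = "unknown"
    for marker, field, kt, kb in parse_known_hosts(text):
        if not hostfield_matches(field, name):
            continue
        if marker == "@revoked":
            if kt == key_type and kb == key_b64:
                return "revoked"
            continue
        if marker is not None:              # @cert-authority is out of scope here
            continue
        if kt == key_type:
            same_type_seen = True
            if kb == key_b64:
                verdict = "ok"
    return "mismatch" if verdict == "unknown" and same_type_seen else verdict


# Constructed sample ssh_known_hosts content mixing plain and hashed entries.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "10.0.0.5,alias.example %s %s" % KEY_A,
    make_hashed_line("10.0.0.6", KEY_A, SAMPLE_SALT),
    make_hashed_line("[10.0.0.7]:2222", KEY_B),
    "@revoked " + make_hashed_line("10.0.0.6", KEY_B, SAMPLE_SALT),
])

if __name__ == "__main__":
    for host, key, port in [("10.0.0.5", KEY_A, 22), ("10.0.0.6", KEY_A, 22),
                            ("10.0.0.6", KEY_B, 22), ("10.0.0.7", KEY_B, 2222)]:
        print(host, port, verify_host_key(SAMPLE_KNOWN_HOSTS, host, *key, port=port))
```

The comparison of the HMAC uses `hmac.compare_digest` so the lookup does not leak timing information about which entry matched; a module that instead compares the plain hostname string against the hashed field, as the report describes, can never match a `ssh-keyscan -H` entry.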
Information forwarded
to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth.
(Wed, 06 May 2015 10:27:05 GMT)
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.
(Wed, 06 May 2015 10:27:05 GMT)
Message #15 received at 783606@bugs.debian.org:
[Petr Šťastný]
> I just dug more deeply into this problem.
>
> First problem: I found that pam_sshauth reads
> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page, and I
> was not able to figure out which known_hosts file is used. I had to
> have a look into the source code.
Good to hear that it is reading the global file.
> Second problem: pam_sshauth seems not to write anything into
> /etc/ssh/ssh_known_hosts although manual page states that "If
> contacting a host for which we don't have an entry in known_hosts,
> ask, via the pam prompts, if you'd like to trust this host, and add it
> to your known_hosts file. The default will be to fail the
> authentication." I interpret this information as it should add the
> host into ssh_known_hosts when I say "yes". But there is nothing about
> saving the host key in pam_sshauth's source code.
Good to see that it is not writing in the global file. I suspect it
should be made clear in the documentation. That global file should be
updated "out of band" like you describe here:
> Third and main problem: pam_sshauth does not work with hashed
> known_hosts entries, which is default behavior in Debian Jessie (at
> least, I don't know the situation in previous releases).
>
> If I create /etc/ssh/ssh_known_hosts manually using the following
> command, it works:
>
> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>
> But this (which is the Debian Jessie default) does not work (the host
> name/address output is hashed); pam_sshauth ignores these entries:
>
> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
I guess this is the real missing feature here. The pam module should
understand the same global known_hosts file as the ssh client.
I would also suggest changing the documentation to document that the
ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
the prompt about adding the host key to a file.
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#783606; Package libpam-sshauth.
(Thu, 02 Jul 2015 14:48:08 GMT)
Acknowledgement sent
to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.
(Thu, 02 Jul 2015 14:48:08 GMT)
Message #20 received at 783606@bugs.debian.org:
Control: clone 783606 -1
Control: retitle -1 libpam-sshauth: handle hashed entries in ssh_known_hosts
Control: tags 783606 pending
On 2015-05-06, Petter Reinholdtsen wrote:
> [Petr Šťastný]
>> I just dug more deeply into this problem.
>>
>> First problem: I found that pam_sshauth reads
>> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page, and I
>> was not able to figure out which known_hosts file is used. I had to
>> have a look into the source code.
>
> Good to hear that it is reading the global file.
>
>> Second problem: pam_sshauth seems not to write anything into
>> /etc/ssh/ssh_known_hosts although manual page states that "If
>> contacting a host for which we don't have an entry in known_hosts,
>> ask, via the pam prompts, if you'd like to trust this host, and add it
>> to your known_hosts file. The default will be to fail the
>> authentication." I interpret this information as it should add the
>> host into ssh_known_hosts when I say "yes". But there is nothing about
>> saving the host key in pam_sshauth's source code.
>
> Good to see that it is not writing in the global file.
Agreed.
> I suspect it
> should be made clear in the documentation. That global file should be
> updated "out of band" like you describe here:
Updated the pam_sshauth manpage in bzr to point to the sshd manpage
which describes how to update ssh_known_hosts.
>> Third and main problem: pam_sshauth does not work with hashed
>> known_hosts entries, which is default behavior in Debian Jessie (at
>> least, I don't know the situation in previous releases).
>>
>> If I create /etc/ssh/ssh_known_hosts manually using the following
>> command, it works:
>>
>> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>>
>> But this (which is the Debian Jessie default) does not work (the host
>> name/address output is hashed); pam_sshauth ignores these entries:
>>
>> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
>
> I guess this is the real missing feature here. The pam module should
> understand the same global known_hosts file as the ssh client.
Cloned bug for this issue.
> I would also suggest to change the documentation to document that the
> ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
> the prompt about adding the host key to a file.
Documented in bzr, will be included in next upload.
live well,
vagrant
Bug 783606 cloned as bug 790874
Request was from Vagrant Cascadian <vagrant@debian.org>
to 783606-submit@bugs.debian.org.
(Thu, 02 Jul 2015 14:48:08 GMT)
Changed Bug title to 'libpam-sshauth: handle hashed entries in ssh_known_hosts' from 'Host not saved into known_hosts'
Request was from Vagrant Cascadian <vagrant@debian.org>
to 783606-submit@bugs.debian.org.
(Thu, 02 Jul 2015 14:48:09 GMT)
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Sat, 26 Oct 2019 07:06:38 GMT)
Notification sent
to Petr Šťastný <petr@stastny.eu>:
Bug acknowledged by developer.
(Sat, 26 Oct 2019 07:06:38 GMT)
Message #29 received at 790874-done@bugs.debian.org:
Version: 0.4.1-2+rm
Dear submitter,
as the package libpam-sshauth has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/942806
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 23 Nov 2019 07:31:42 GMT)
Last modified: Sat Jul 1 13:05:58 2023