NetBSD Problem Report #58369
From www@netbsd.org Tue Jun 25 13:28:10 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id CF8151A923A
for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 Jun 2024 13:28:09 +0000 (UTC)
Message-Id: <20240625132738.89CB61A923C@mollari.NetBSD.org>
Date: Tue, 25 Jun 2024 13:27:38 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
X-Send-Pr-Version: www-1.0
>Number: 58369
>Category: bin
>Synopsis: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: christos
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 25 13:30:01 +0000 2024
>Closed-Date: Wed Oct 09 15:04:13 +0000 2024
>Last-Modified: Wed Oct 09 15:04:13 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9
>Organization:
The NetBSD Foundation
>Environment:
>Description:
sshd blocklistd integration treats every failed key as an authentication failure. This spuriously blocks legitimate users who just have multiple public keys, e.g. with ssh-agent.
>How-To-Repeat:
1. load multiple public keys into ssh-agent
2. try to log into machine running sshd with blocklistd
>Fix:
ding the connection once if authentication fails at the end, not once per key
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->christos
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
Responsible-Changed-Why:
christos's bug, christos's fix
https://mail-index.netbsd.org/source-changes/2024/06/25/msg151965.html
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
State-Changed-Why:
needs pullup-10, pullup-9
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 13:34:20 +0000
For posterity, until this is deployed everywhere, the workaround for
users with multiple public keys is to put a stanza like the following
in ~/.ssh/config, so that ssh(1) will try exactly one public key for
the host in question:
Host cvs.example.com
IdentityFile ~/.ssh/identities/id_ed25519
From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 15:58:33 +0200
On Sun, 11 Aug 2024 13:34:20 +0000
Taylor R Campbell <riastradh@NetBSD.org> wrote:
> For posterity, until this is deployed everywhere, the workaround for
> users with multiple public keys is to put a stanza like the following
> in ~/.ssh/config, so that ssh(1) will try exactly one public key for
> the host in question:
>
> Host cvs.example.com
> IdentityFile ~/.ssh/identities/id_ed25519
Worth noting that this can also be applied with agent and key on
hardware token, but you have to use the public key instead and specify
IdentitiesOnly to make it do the right thing.
(This is not really documented in the manual, but it works.)
Host cvs.netbsd.org
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519.pub
From: Christoph Badura <bad@bsd.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 16:11:39 +0200
Actually, IdentitiesOnly is also needed, so that other identities from
ssh-agent etc. aren't offered.
i.e.:
Host cvs.example.com
IdentitiesOnly yes
IdentityFile ~/.ssh/identities/id_ed25519
--chris
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org, christos@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, riastradh@NetBSD.org, campbell+netbsd@mumble.net
Cc:
Subject: Re: bin/58369 (sshd blocklistd integration spuriously blocks legitimate users with multiple public keys)
Date: Fri, 4 Oct 2024 18:36:55 +0900
Hi,
This problem still occurs for some TNF servers. So,
pullup should be done asap.
Diff applies cleanly both to netbsd-{10,9}, builds, and
works just fine as far as I can see.
However, I cannot reproduce the problem locally; even if
logit()'s are inserted at the locations of the originally-misplaced
pfilter_notify()'s, nothing is logged when logging in from a
client with multiple keys. abort() instead of logit()
does not work either...
On the client side, it surely fails for the first key:
````
% ssh -vvvv (target)
...
debug1: Offering public key: /home/rin/.ssh/id_rsa RSA SHA256:(snip) agent
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Offering public key: /home/rin/.ssh/id_ed25519 ED25519
SHA256:(snip) agent
debug1: Server accepts key: /home/rin/.ssh/id_ed25519 ED25519
SHA256:(snip) agent
Authenticated to (target) ([(target)]:22) using "publickey".
...
````
Thoughts? Can I send pullup requests anyway?
Thanks,
rin
On 2024/06/30 2:16, riastradh@NetBSD.org wrote:
> Synopsis: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
>
> Responsible-Changed-From-To: bin-bug-people->christos
> Responsible-Changed-By: riastradh@NetBSD.org
> Responsible-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
> Responsible-Changed-Why:
> christos's bug, christos's fix
> https://mail-index.netbsd.org/source-changes/2024/06/25/msg151965.html
>
>
> State-Changed-From-To: open->needs-pullups
> State-Changed-By: riastradh@NetBSD.org
> State-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
> State-Changed-Why:
> needs pullup-10, pullup-9
>
>
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/58369 sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Tue, 8 Oct 2024 14:54:18 +0900
-------- Forwarded Message --------
Subject: CVS commit: src/crypto/external/bsd/openssh/dist
Date: Tue, 25 Jun 2024 12:58:24 -0400
From: Christos Zoulas <christos@netbsd.org>
Reply-To: source-changes-d@NetBSD.org
To: source-changes-full@NetBSD.org
Module Name: src
Committed By: christos
Date: Tue Jun 25 16:58:24 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: auth2.c monitor.c
Log Message:
Don't call pfilter_notify for each authentication attempt, only call it
once we failed to authenticate.
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/crypto/external/bsd/openssh/dist/auth2.c
cvs rdiff -u -r1.43 -r1.44 src/crypto/external/bsd/openssh/dist/monitor.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: rin@NetBSD.org
State-Changed-When: Tue, 08 Oct 2024 05:56:13 +0000
State-Changed-Why:
[pullup-10 #931], [pullup-9 #1893]
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58369 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Wed, 9 Oct 2024 01:49:20 +0000
Module Name: src
Committed By: rin
Date: Wed Oct 9 01:49:20 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: auth.c auth2.c
Log Message:
sshd: Finally fix spurious blocklistd activation (PR bin/58369)
Drop one more pfilter_notify() call from userauth_finish(),
for a single failure in an authentication attempt.
This happens for users with multiple public keys; e.g., both
rsa and ed25519 keys are registered in ssh-agent(1), while
only the latter is in remote authorized_keys.
Instead, it is called from auth_maxtries_exceeded(), when
the authentication process has actually failed. This function is
called also from input_userauth_request(). But I guess this
cannot happen frequently; this path is taken with >= 1024
failed attempts, although MaxAuthTries is 6 by default...
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/crypto/external/bsd/openssh/dist/auth.c
cvs rdiff -u -r1.31 -r1.32 src/crypto/external/bsd/openssh/dist/auth2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
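To make the counting argument in the PR description and in the commit message above concrete, here is an added toy model of sshd's userauth loop; it is not NetBSD or OpenSSH code. It assumes the MaxAuthTries default of 6 mentioned in the commit message, a constructed blocklistd failure threshold of 3, and hypothetical names (simulate_connection, connections_until_blocked, agent_keys, many_keys). It counts how many failure notifications blocklistd would receive per connection from a user whose agent holds an rsa and an ed25519 key while only the ed25519 key is in authorized_keys, before and after the fix, and also covers the MaxAuthTries-exceeded path the commit message describes.

```c
/*
 * Added example, not code from NetBSD or OpenSSH: a toy model of sshd's
 * userauth loop that counts how many "authentication failed" notifications
 * reach blocklistd(8) for a client that offers several agent keys in turn.
 * All identifiers here are hypothetical; only MaxAuthTries (default 6) and
 * the per-key vs. on-final-failure behaviour come from the PR text.
 */
#include <stdio.h>
#include <string.h>

#define MAX_AUTH_TRIES 6   /* sshd_config default, as noted in the PR */

struct auth_result {
    int authenticated;   /* did one of the offered keys match */
    int failures;        /* failed userauth requests on this connection */
    int notifications;   /* calls that would reach blocklistd as failures */
};

/*
 * Simulate one connection whose client offers keys[0..nkeys-1] in order.
 * Only the key equal to authorized_key (may be NULL) is accepted.
 * Before the fix, every rejected key triggered a blocklistd notification;
 * after the fix, a single notification is sent only when the connection
 * fails outright (MaxAuthTries exceeded).
 */
static struct auth_result
simulate_connection(const char *const *keys, int nkeys,
                    const char *authorized_key, int fixed)
{
    struct auth_result r = { 0, 0, 0 };

    for (int i = 0; i < nkeys; i++) {
        if (authorized_key != NULL && strcmp(keys[i], authorized_key) == 0) {
            r.authenticated = 1;     /* server accepts this key */
            return r;
        }
        r.failures++;                /* a rejected key counts as a failure */
        if (!fixed)
            r.notifications++;       /* old behaviour: notify per key */
        if (r.failures >= MAX_AUTH_TRIES) {
            if (fixed)
                r.notifications++;   /* new behaviour: notify once, here */
            return r;                /* sshd disconnects the client */
        }
    }
    return r;                        /* client ran out of keys */
}

/*
 * How many separate connections it takes to reach blocklistd's failure
 * threshold (the "nfail" column of blocklistd.conf, assumed here),
 * or 0 if the threshold is never reached.
 */
static int
connections_until_blocked(int notifications_per_connection, int nfail)
{
    if (notifications_per_connection <= 0)
        return 0;
    return (nfail + notifications_per_connection - 1) /
           notifications_per_connection;
}

/* Constructed scenario from the PR: rsa and ed25519 both loaded in
 * ssh-agent, only ed25519 in the server's authorized_keys. */
static const char *const agent_keys[] = { "id_rsa", "id_ed25519" };

/* Constructed scenario for the MaxAuthTries path: eight keys, none authorized. */
static const char *const many_keys[] = { "k1", "k2", "k3", "k4",
                                         "k5", "k6", "k7", "k8" };

int main(void)
{
    const int nfail = 3;  /* assumed blocklistd.conf failure count for ssh */
    struct auth_result pre  = simulate_connection(agent_keys, 2, "id_ed25519", 0);
    struct auth_result post = simulate_connection(agent_keys, 2, "id_ed25519", 1);

    printf("before fix: authenticated=%d notifications=%d -> blocked after %d logins\n",
           pre.authenticated, pre.notifications,
           connections_until_blocked(pre.notifications, nfail));
    printf("after fix:  authenticated=%d notifications=%d -> blocked after %d logins\n",
           post.authenticated, post.notifications,
           connections_until_blocked(post.notifications, nfail));

    pre  = simulate_connection(many_keys, 8, NULL, 0);
    post = simulate_connection(many_keys, 8, NULL, 1);
    printf("no valid key: before=%d notifications, after=%d notifications\n",
           pre.notifications, post.notifications);
    return 0;
}
```

With the old per-key notification, every successful login still costs one failure notification, so a blocklistd rule with a failure count of 3 blocks the legitimate user after three sessions; with the fix, a successful login generates none, and only a connection that exhausts MaxAuthTries generates exactly one, which is the behaviour blocklistd's threshold was designed around.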
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58369 CVS commit: [netbsd-10] src/crypto/external/bsd/openssh/dist
Date: Wed, 9 Oct 2024 10:21:44 +0000
Module Name: src
Committed By: martin
Date: Wed Oct 9 10:21:44 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist [netbsd-10]: auth.c auth2.c
Log Message:
Additionally pull up following revision(s) (requested by rin in ticket #931):
crypto/external/bsd/openssh/dist/auth.c: revision 1.37
crypto/external/bsd/openssh/dist/auth2.c: revision 1.32
sshd: Finally fix spurious blocklistd activation (PR bin/58369)
Drop one more pfilter_notify() call from userauth_finish(),
for a single failure in an authentication attempt.
This happens for users with multiple public keys; e.g., both
rsa and ed25519 keys are registered in ssh-agent(1), while
only the latter is in remote authorized_keys.
Instead, it is called from auth_maxtries_exceeded(), when
the authentication process has actually failed. This function is
called also from input_userauth_request(). But I guess this
cannot happen frequently; this path is taken with >= 1024
failed attempts, although MaxAuthTries is 6 by default...
To generate a diff of this commit:
cvs rdiff -u -r1.33.2.1 -r1.33.2.2 \
src/crypto/external/bsd/openssh/dist/auth.c
cvs rdiff -u -r1.26.2.4 -r1.26.2.5 \
src/crypto/external/bsd/openssh/dist/auth2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58369 CVS commit: [netbsd-9] src/crypto/external/bsd/openssh/dist
Date: Wed, 9 Oct 2024 10:23:40 +0000
Module Name: src
Committed By: martin
Date: Wed Oct 9 10:23:40 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist [netbsd-9]: auth.c auth2.c
Log Message:
Additionally pull up following revision(s) (requested by rin in ticket #1893):
crypto/external/bsd/openssh/dist/auth.c: revision 1.37
crypto/external/bsd/openssh/dist/auth2.c: revision 1.32
sshd: Finally fix spurious blocklistd activation (PR bin/58369)
Drop one more pfilter_notify() call from userauth_finish(),
for a single failure in an authentication attempt.
This happens for users with multiple public keys; e.g., both
rsa and ed25519 keys are registered in ssh-agent(1), while
only the latter is in remote authorized_keys.
Instead, it is called from auth_maxtries_exceeded(), when
the authentication process has actually failed. This function is
called also from input_userauth_request(). But I guess this
cannot happen frequently; this path is taken with >= 1024
failed attempts, although MaxAuthTries is 6 by default...
To generate a diff of this commit:
cvs rdiff -u -r1.24.2.1 -r1.24.2.2 \
src/crypto/external/bsd/openssh/dist/auth.c
cvs rdiff -u -r1.19.2.2 -r1.19.2.3 \
src/crypto/external/bsd/openssh/dist/auth2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Wed, 09 Oct 2024 15:04:13 +0000
State-Changed-Why:
fixed in HEAD, pulled up to 10 and 9
pullup-9 #1893 https://releng.netbsd.org/cgi-bin/req-9.cgi?show=1893
pullup-10 #931 https://releng.netbsd.org/cgi-bin/req-10.cgi?show=931
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.