NetBSD Problem Report #58369
From www@netbsd.org Tue Jun 25 13:28:10 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id CF8151A923A
for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 Jun 2024 13:28:09 +0000 (UTC)
Message-Id: <20240625132738.89CB61A923C@mollari.NetBSD.org>
Date: Tue, 25 Jun 2024 13:27:38 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
X-Send-Pr-Version: www-1.0
>Number: 58369
>Category: bin
>Synopsis: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: christos
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 25 13:30:01 +0000 2024
>Closed-Date:
>Last-Modified: Sun Aug 11 14:15:01 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9
>Organization:
The NetBSD Foundation
>Environment:
>Description:
sshd blocklistd integration treats every failed key as an authentication failure. This spuriously blocks legitimate users who just have multiple public keys, e.g. with ssh-agent.
>How-To-Repeat:
1. load multiple public keys into ssh-agent
2. try to log into machine running sshd with blocklistd
>Fix:
ding the connection once if authentication fails at the end, not once per key
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->christos
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
Responsible-Changed-Why:
christos's bug, christos's fix
https://mail-index.netbsd.org/source-changes/2024/06/25/msg151965.html
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
State-Changed-Why:
needs pullup-10, pullup-9
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 13:34:20 +0000
For posterity, until this is deployed everywhere, the workaround for
users with multiple public keys is to put a stanza like the following
in ~/.ssh/config, so that ssh(1) will try exactly one public key for
the host in question:
Host cvs.example.com
IdentityFile ~/.ssh/identities/id_ed25519
From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 15:58:33 +0200
On Sun, 11 Aug 2024 13:34:20 +0000
Taylor R Campbell <riastradh@NetBSD.org> wrote:
> For posterity, until this is deployed everywhere, the workaround for
> users with multiple public keys is to put a stanza like the following
> in ~/.ssh/config, so that ssh(1) will try exactly one public key for
> the host in question:
>
> Host cvs.example.com
> IdentityFile ~/.ssh/identities/id_ed25519
Worth noting that this can also be applied with agent and key on
hardware token, but you have to use the public key instead and specify
IdentitiesOnly to make it do the right thing.
(This is not really documented in the manual, but it works.)
Host cvs.netbsd.org
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519.pub
From: Christoph Badura <bad@bsd.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 16:11:39 +0200
Actually, IdentitiesOnly is also needed, so that other identities from
ssh-agent etc. aren't offered.
i.e.:
Host cvs.example.com
IdentitiesOnly yes
IdentityFile ~/.ssh/identities/id_ed25519
--chris
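The accounting problem the PR describes, and the reason the follow-ups insist on IdentitiesOnly, modelled as an added example. This is not code from NetBSD's sshd, blocklistd or OpenSSH: it simulates which public keys the client offers on one connection (an assumed simplification of OpenSSH's ordering: configured identities that are also in the agent, then remaining agent keys, then file-only identities), and how many failures a blocklistd-style counter records when sshd reports one failure per rejected key versus one per failed connection. The threshold of 3 is an assumed blocklistd.conf value and the key names are constructed.

```python
"""Model of PR bin/58369: per-key vs per-connection failure reporting.

Added example; not code from sshd, blocklistd or OpenSSH. Key names,
the agent contents and the NFAIL threshold are constructed/assumed.
"""
from dataclasses import dataclass, field

NFAIL = 3  # assumed `nfail` column for the ssh entry in blocklistd.conf


@dataclass
class ClientConfig:
    """The two ssh_config(5) keywords used in the thread."""
    identity_files: list = field(default_factory=list)  # IdentityFile entries
    identities_only: bool = False                       # IdentitiesOnly yes/no


def keys_offered(agent_keys, cfg):
    """Order in which the client tries public keys on one connection.

    Assumed simplification of OpenSSH's ordering: configured identities
    that are also loaded in the agent first, then the remaining agent
    keys, then identities that exist only as files. With IdentitiesOnly
    the list is restricted to the configured IdentityFile entries; the
    agent still signs for those, which is why a .pub path works for a
    key held on a hardware token.
    """
    configured = list(cfg.identity_files)
    if cfg.identities_only:
        return configured
    in_agent = [k for k in configured if k in agent_keys]
    other_agent = [k for k in agent_keys if k not in configured]
    file_only = [k for k in configured if k not in agent_keys]
    return in_agent + other_agent + file_only


def authenticate(offered, authorized, report_per_key):
    """One connection's publickey attempts.

    Returns (authenticated, failures_reported_to_blocklistd).
    report_per_key=True reports every rejected key (the behaviour the PR
    describes); False reports one failure only if no key is accepted.
    """
    failures = 0
    for key in offered:
        if key in authorized:
            return True, failures
        if report_per_key:
            failures += 1
    if not report_per_key:
        failures = 1
    return False, failures


def run_scenario(cfg, report_per_key, agent_keys, authorized):
    """Did the login succeed, and would blocklistd now refuse further
    connections from this address after the failures it was told about?"""
    ok, fails = authenticate(keys_offered(agent_keys, cfg), authorized, report_per_key)
    return {"authenticated": ok, "failures": fails, "blocked": fails >= NFAIL}


def run_all():
    # Constructed inputs: three unrelated agent keys, plus the one key the
    # server accepts, either loaded in the agent or present only on disk.
    foreign = ["id_rsa_work", "id_ecdsa_old", "id_ed25519_github"]
    agent_with_key = foreign + ["id_ed25519"]
    agent_without_key = foreign
    authorized = {"id_ed25519"}

    default = ClientConfig()
    identityfile = ClientConfig(identity_files=["id_ed25519"])
    identitiesonly = ClientConfig(identity_files=["id_ed25519"], identities_only=True)

    return {
        # the PR: legitimate user, key accepted, but 3 failures already counted
        "bug_default": run_scenario(default, True, agent_with_key, authorized),
        # the fix: same client, nothing reported because the connection succeeded
        "fix_default": run_scenario(default, False, agent_with_key, authorized),
        # IdentityFile alone is enough when that key is in the agent
        "bug_identityfile_agent": run_scenario(identityfile, True, agent_with_key, authorized),
        # ...but not when it is file-only: agent keys are still offered first
        "bug_identityfile_disk": run_scenario(identityfile, True, agent_without_key, authorized),
        # IdentitiesOnly restricts the offer to the configured key
        "bug_identitiesonly_disk": run_scenario(identitiesonly, True, agent_without_key, authorized),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:24s} {result}")
```

Under the per-key reporting in `bug_default` the login itself still succeeds on the fourth key, but blocklistd has already been told about three failures, so later connections from the same address are refused; `bug_identityfile_disk` shows the same outcome when the configured key is not in the agent, which is the case IdentitiesOnly closes.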
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.