NetBSD Problem Report #58369

From www@netbsd.org  Tue Jun 25 13:28:10 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id CF8151A923A
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 Jun 2024 13:28:09 +0000 (UTC)
Message-Id: <20240625132738.89CB61A923C@mollari.NetBSD.org>
Date: Tue, 25 Jun 2024 13:27:38 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
X-Send-Pr-Version: www-1.0

>Number:         58369
>Category:       bin
>Synopsis:       sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    christos
>State:          needs-pullups
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 25 13:30:01 +0000 2024
>Closed-Date:    
>Last-Modified:  Sun Aug 11 14:15:01 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9
>Organization:
The NetBSD Foundation
>Environment:
>Description:
sshd blocklistd integration treats every failed key as an authentication failure.  This spuriously blocks legitimate users who just have multiple public keys, e.g. with ssh-agent.
>How-To-Repeat:
1. load multiple public keys into ssh-agent
2. try to log into machine running sshd with blocklistd
>Fix:
ding the connection once if authentication fails at the end, not once per key

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: bin-bug-people->christos
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
Responsible-Changed-Why:
christos's bug, christos's fix
https://mail-index.netbsd.org/source-changes/2024/06/25/msg151965.html


State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 29 Jun 2024 17:16:14 +0000
State-Changed-Why:
needs pullup-10, pullup-9


From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: 
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 13:34:20 +0000

 For posterity, until this is deployed everywhere, the workaround for
 users with multiple public keys is to put a stanza like the following
 in ~/.ssh/config, so that ssh(1) will try exactly one public key for
 the host in question:

 Host cvs.example.com
     IdentityFile ~/.ssh/identities/id_ed25519

From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks
 legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 15:58:33 +0200

 On Sun, 11 Aug 2024 13:34:20 +0000
 Taylor R Campbell <riastradh@NetBSD.org> wrote:

 > For posterity, until this is deployed everywhere, the workaround for
 > users with multiple public keys is to put a stanza like the following
 > in ~/.ssh/config, so that ssh(1) will try exactly one public key for
 > the host in question:
 > 
 > Host cvs.example.com
 >     IdentityFile ~/.ssh/identities/id_ed25519

 Worth noting that this can also be applied with agent and key on
 hardware token, but you have to use the public key instead and specify
 IdentitiesOnly to make it do the right thing.
 (This is not really documented in the manual, but it works.)

 Host cvs.netbsd.org
 	IdentitiesOnly yes
 	IdentityFile ~/.ssh/id_ed25519.pub

From: Christoph Badura <bad@bsd.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58369: sshd blocklistd integration spuriously blocks
 legitimate users with multiple public keys
Date: Sun, 11 Aug 2024 16:11:39 +0200

 Actually, IdentitiesOnly is also needed, so that other identities from
 ssh-agent etc. aren't offered.

 i.e.:

 Host cvs.example.com
     IdentitiesOnly yes
     IdentityFile ~/.ssh/identities/id_ed25519

 --chris
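
As an added illustration (not part of this PR, of sshd, or of blocklistd), the following Python models the accounting error described above: sshd reporting one failure to blocklistd per rejected public key versus one per connection that ends without an accepted key. The block threshold, key names and client address are assumed sample values.

```python
# Added simulation of the accounting bug reported in PR 58369 (not NetBSD
# code): sshd reporting one failure per rejected public key instead of one
# per failed connection.  Threshold and addresses are assumed sample values.

BLOCK_THRESHOLD = 3  # assumed blocklistd.conf "nfail" value for the sshd rule


class Blocklistd:
    """Minimal model: count failures per source; block at the threshold."""

    def __init__(self):
        self.failures = {}
        self.blocked = set()

    def notify_fail(self, addr):
        self.failures[addr] = self.failures.get(addr, 0) + 1
        if self.failures[addr] >= BLOCK_THRESHOLD:
            self.blocked.add(addr)  # the packet-filter rule would go in here

    def is_blocked(self, addr):
        return addr in self.blocked


def auth_attempt(bl, addr, offered_keys, authorized_keys, per_key_report):
    """One sshd connection from addr offering public keys in order.

    per_key_report=True  models the bug: every rejected key is reported.
    per_key_report=False models the fix: one report, only if the whole
    authentication exchange ends without an accepted key.
    Returns True when some offered key was accepted.
    """
    for key in offered_keys:
        if key in authorized_keys:
            return True
        if per_key_report:
            bl.notify_fail(addr)
    if not per_key_report:
        bl.notify_fail(addr)
    return False


def outcome(per_key_report, offered_keys, authorized_keys):
    """Return (login_succeeded, source_blocked) using a fresh blocklistd."""
    bl = Blocklistd()
    addr = "192.0.2.10"  # constructed sample client address
    ok = auth_attempt(bl, addr, offered_keys, authorized_keys, per_key_report)
    return ok, bl.is_blocked(addr)


if __name__ == "__main__":
    agent = ["id_rsa", "id_ecdsa", "id_work", "id_ed25519"]  # constructed agent
    authorized = {"id_ed25519"}  # only the last agent key is in authorized_keys
    print("buggy, 4 agent keys   :", outcome(True, agent, authorized))
    print("fixed, 4 agent keys   :", outcome(False, agent, authorized))
    print("buggy, IdentitiesOnly :", outcome(True, ["id_ed25519"], authorized))
```

The third case mirrors the ~/.ssh/config workaround in the replies above: with only one identity offered, nothing is rejected, so even the buggy accounting never reaches the threshold.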

>Unformatted:
