Package: openssh-server
Version: 1:8.4p1-5+deb11u3
Severity: important
X-Debbugs-Cc: vdanj...@debian.org
Hi,

In a Kerberos environment, I'm gradually migrating machines from bullseye to bookworm. Doing this, I observe a regression concerning openssh-server.

OpenSSH is configured to allow Kerberos authentication. sshd_config has the following lines:

    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIStoreCredentialsOnRekey yes

and ssh_config has the following lines:

    Host *
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes
        GSSAPITrustDNS yes

When trying to log from a Kerberos account into a remote local (non-Kerberos) account with a public key, it works on bullseye machines, but on bookworm machines I get the following error:

    $ ssh -v -l remote-local-login bookworm-machine
    [...]
    OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Reading configuration data /etc/ssh/ssh_config.d/local.conf
    debug1: /etc/ssh/ssh_config.d/local.conf line 6: Applying options for *
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug1: Connecting to bookworm-machine.domain.fr [10.0.0.3] port 22.
    debug1: Connection established.
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_rsa type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519 type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_xmss type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_xmss-cert type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_dsa type -1
    debug1: identity file /home/domain.fr/kerberos-user/.ssh/id_dsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2
    debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u2 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to bookworm-machine.domain.fr:22 as 'remote-local-login'
    debug1: load_hostkeys: fopen /home/domain.fr/kerberos-user/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Offering GSSAPI proposal: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-group16-sha512-eipGX3TCiQSrx573bT1o1Q==,gss-nistp256-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-curve25519-sha256-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug1: Received GSSAPI_COMPLETE
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug1: Rekey has happened - updating saved versions
    debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: ssh_packet_read_poll2: resetting read seqnr 3
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: get_agent_identities: agent returned 1 keys
    debug1: Will attempt key: kerberos-u...@domain.fr@di3937su RSA SHA256:LVQ9Rw8lBcFd5DPN0NXfU8Heo2+7sBrEhzkTdNgcDVA agent
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_rsa
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ecdsa
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ed25519
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_ed25519_sk
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_xmss
    debug1: Will attempt key: /home/domain.fr/kerberos-user/.ssh/id_dsa
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,webauthn-sk-ecdsa-sha2-nistp...@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
    debug1: kex_input_ext_info: publickey-hostbo...@openssh.com=<0>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: kerberos-u...@domain.fr@di3937su RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
    debug1: Server accepts key: kerberos-u...@domain.fr@di3937su RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
    sign_and_send_pubkey: internal error: initial hostkey not recorded

Reading https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028282 and https://bugzilla.mindrot.org/show_bug.cgi?id=3406, I work around this bug by running my command prefixed by 'env KRB5CCNAME="" ssh ...'.

The bugzilla bug report suggests a fix (I did not try it).
Regards,
Vincent

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-security
  APT policy: (990, 'oldstable-security'), (990, 'oldstable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.13-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                 3.118+deb11u1
ii  debconf [debconf-2.0]   1.5.77
ii  dpkg                    1.20.13
ii  libaudit1               1:3.0-2
ii  libc6                   2.31-13+deb11u7
ii  libcom-err2             1.46.2-2
ii  libcrypt1               1:4.4.18-4
ii  libgssapi-krb5-2        1.18.3-6+deb11u4
ii  libkrb5-3               1.18.3-6+deb11u4
ii  libpam-modules          1.4.0-9+deb11u1
ii  libpam-runtime          1.4.0-9+deb11u1
ii  libpam0g                1.4.0-9+deb11u1
ii  libselinux1             3.1-3
ii  libssl1.1               1.1.1w-0+deb11u1
ii  libsystemd0             247.3-7+deb11u4
ii  libwrap0                7.6.q-31
ii  lsb-base                11.1.0
ii  openssh-client          1:8.4p1-5+deb11u3
ii  openssh-sftp-server     1:8.4p1-5+deb11u3
ii  procps                  2:3.3.17-5
ii  runit-helper            2.10.3
ii  ucf                     3.0043
ii  zlib1g                  1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-7+deb11u4
ii  ncurses-term             6.2+20201114-2+deb11u2
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
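As an added triage aid (not part of this bug report or of the openssh package), the following Python scans `ssh -v` client output for the two signals quoted above: a GSSAPI key exchange being negotiated, followed by the `initial hostkey not recorded` error when a public key is then offered. The sample lines are constructed from the log in this report and shortened; the explanation of why the reporter's `KRB5CCNAME=""` workaround helps is an assumption, not something the report states.

```python
"""Triage helper for the 'initial hostkey not recorded' failure seen
when OpenSSH 9.2 negotiates a GSSAPI key exchange and then tries
public-key authentication.  Added example, not the reporter's code."""
import re

# Constructed sample, condensed from the debug lines quoted in the report.
SAMPLE_OUTPUT = """\
debug1: Offering GSSAPI proposal: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: algorithm: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: host key algorithm: ssh-ed25519
debug1: Next authentication method: publickey
debug1: Server accepts key: kerberos-user@domain.fr RSA SHA256:XXXX agent
sign_and_send_pubkey: internal error: initial hostkey not recorded
"""

# The negotiated kex method is printed exactly once per connection.
KEX_RE = re.compile(r"^debug1: kex: algorithm: (?P<kex>\S+)$", re.M)
ERR = "sign_and_send_pubkey: internal error: initial hostkey not recorded"


def diagnose(verbose_output: str) -> dict:
    """Report which kex was chosen and whether the known failure fired."""
    m = KEX_RE.search(verbose_output)
    kex = m.group("kex") if m else None
    # GSSAPI kex methods all carry the "gss-" prefix (see the proposal above).
    gss_kex = kex is not None and kex.startswith("gss-")
    failed = ERR in verbose_output
    hit = gss_kex and failed  # both signals together match the report
    return {
        "kex": kex,
        "gssapi_kex": gss_kex,
        "hostkey_not_recorded": failed,
        "matches_report": hit,
        # Reporter's workaround. Assumed mechanism: with no usable credential
        # cache the client cannot do a GSSAPI kex, so an ordinary kex is used.
        "workaround": 'env KRB5CCNAME="" ssh ...' if hit else None,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Feed it the real `ssh -v` output of a failing login to confirm the pattern before applying the workaround fleet-wide.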