Package: libpam-ssh-agent-auth
Version: 0.10.3-3+b1
Severity: important
Tags: upstream
Dear Maintainer,
Please help me confirm the following to be a bug in
libpam-ssh-agent-auth. I am not 100% sure if it is. It may as well be a
fault in openssh-client as that runs the SSH-agent. But I can't prove.
* What led up to the situation?
- Bought a new Yubikey 5 (F/W 5.2.3) that supports Eliptic Curve keys.
* What exactly did you do (or not do) that was effective (or
ineffective)?
- On the client machine I created a new GPG key of the EC type, Curve 25519 and
put that on a Yubikey.
- Exported the SSH public key from the GPG key and added that to the
`~/.ssh/authorized_keys` file on the target machine.
- On the target machine I inserted the following in `/etc/pam.d/sudo`:
auth sufficient pam_ssh_agent_auth.so debug file=~/.ssh/authorized_keys
- And created a file `/etc/sudoers.d/00_SSH_AUTH_OK` with these contents:
Defaults env_keep += SSH_AUTH_SOCK
- I logged in using SSH from the source machine. After I verified that the
ssh-agent was forwarded properly (using `ssh-add -l`) I tried to `sudo
ls`.
- After `<CTRL>-<C>` the password prompt of `sudo` and repeating the `sudo ls`
command multiple times it succeeds.
- When using another Yubikey with a RSA key on it, the exact same
configuration works without any failure.
* What was the outcome of this action?
- sudo asked for my password.
- `/var/log/auth.log` contains:
Aug 31 16:29:05 buster sshd[1093]: rexec line 26: Deprecated option
UsePrivilegeSeparation
Aug 31 16:29:05 buster sshd[1093]: Accepted publickey for alex from 172.17.2.83
port 54290 ssh2: ED25519 SHA256:2jvA...
Aug 31 16:29:05 buster sshd[1093]: pam_unix(sshd:session): session opened for
user alex by (uid=0)
Aug 31 16:29:05 buster systemd-logind[419]: New session 9 of user alex.
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Beginning
pam_ssh_agent_auth for user alex
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Attempting
authentication: `alex' as `alex' using /home/alex/.ssh/authorized_keys
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Contacted ssh-agent of
user alex (1000)
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: trying public key file
/home/alex/.ssh/authorized_keys
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: auth_secure_filename:
checking for uid: 1000
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename:
checking '/home/alex/.ssh'
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename:
checking '/home/alex'
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: secure_filename:
terminating check at '/home/alex'
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_read: type mismatch
expected 4 found 1
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: user_key_allowed: check
options: 'ssh-rsa AAAAB3Nza...Some RSA key
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_type_from_name:
unknown key type 'AAAAB3Nza...Some RSA key
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: key_read: missing keytype
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: user_key_allowed:
advance: 'AAAAB3Nza...Some RSA key
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: matching key found:
file/command /home/alex/.ssh/authorized_keys, line 2
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Found matching ED25519
key: 45:3f:...More fingerprint
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Agent admitted failure
to sign using the key.
Aug 31 16:29:06 buster sudo[1103]: pam_ssh_agent_auth: Failed Authentication:
`alex' as `alex' using /home/alex/.ssh/authorized_keys
- The log looks the same when sudo succeeds (after trying several times),
excpept for the last part:
Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: matching key found:
file/command /home/alex/.ssh/authorized_keys, line 2
Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: Found matching ED25519
key: 45:3f:...More fingerprint
Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: ssh_ed25519_verify:
signature correct
Aug 31 16:35:27 buster sudo[1136]: pam_ssh_agent_auth: Authenticated: `alex' as
`alex' using /home/alex/.ssh/authorized_keys
* What outcome did you expect instead?
- I expected to have my Yubikey flashing and after I touched it get `ls`
executed as `root` without being asked for a password, after the first
time I tried.
- I expected that authentication would work the exact same way as with
RSA keys.
-- System Information:
(The versions are exactly the same on both client and server)
Debian Release: 10.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.7.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libpam-ssh-agent-auth depends on:
ii libc6 2.28-10
ii libpam0g 1.3.1-5
ii libssl1.1 1.1.1d-0+deb10u3
libpam-ssh-agent-auth recommends no packages.
libpam-ssh-agent-auth suggests no packages.
These are the versions of the ssh packages. I can imagine that the bug
is from openssh-client rather than libpam-ssh-agent-auth since it's the
agent that fails to sign. I honestly don't know how to prove that.
ii openssh-client 1:7.9p1-10+deb10u2 amd64 secure shell
(SSH) client, for secure access to remote machines
ii openssh-server 1:7.9p1-10+deb10u2 amd64 secure shell
(SSH) server, for secure access from remote machines
-- no debconf information