Whitelist not applying
badrow opened this issue · 11 comments
Describe the bug
The whitelist is not applying. I canot understand its behavior... If the whitelist file is blank, authentication is OK...
If i put several ssh keys, authentication is ok too...
Versions
- Client version: OpenSSH_8.7p1, OpenSSL 1.1.1l FIPS 24 Aug 2021
- Server version: v1.10
- Latest server version available: v1.10
To Reproduce
Steps to reproduce the behavior:
- ./ssh-chat --whitelist=users.list
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 52
Authenticated to localhost ([::1]:2022) using "keyboard-interactive".
It looks like "keyboard-interactive" is allowing everyone to connect ? What is it ?
Expected behavior
Filtering by ssh public keys.
I can confirm this happens when the whitelist file is empty (because the allowed key set is empty, these lines).
However, I can't reproduce this with
$ cat user_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/Av4uByl+c51sX3vqGz2j+PWaTJgJIEbztVeXJv6D4 ssh-chat-test
$ go run ./cmd/ssh-chat/ -i host_key --whitelist user_key.pub -vv
Listening for connections on [::]:2022
2021-11-09 13:00:46.927 DEBUG Added to whitelist: "SHA256:wfdYWd+OzriJDxO1QgDEqu3BGxpZGewah/A7U8LANeI=" (for 0s)
[sshd] 2021/11/09 13:01:03 [[::1]:47482] Failed to handshake: [ssh: no auth passed yet, public key authentication required]
[sshd] 2021/11/09 13:01:39 [[::1]:47492] Failed to handshake: [ssh: no auth passed yet, not whitelisted, public key authentication required]
and
$ ssh -o 'IdentitiesOnly yes' -p 2022 test@localhost
test@localhost: Permission denied (publickey,keyboard-interactive).
$ ssh -p 2022 test@localhost
test@localhost: Permission denied (publickey,keyboard-interactive).
Can you verify the key is being loaded by running ssh-chat with the -vv option?
Oh wait, I don't think v1.10 includes that PR.
@badrow Do you think you could try to confirm this with a build from master?
If the new version fixes it, I'll cut a new release.
Oh wait, i tested the program with param : --whitelist=myfile and not --whitelist myfile.
I test and feedback soon sorry.
Okay very weird thing, depending on the machine where the server is launched, the result is not the same.
I can see the SSH keys loaded with -vv but when I launch the server on my laptop or raspberry, some users are accepted, and others are not...
I think the key which is used by the server is not accepted when a client is using it. Sorry for bothering may be it's normal behavior.
Are you using the admin flag? It might be bypassing it.
I'm not using admin flag, but I tested to connect to my server with different clients, it looks like all problems occurs when i use ssh client from fedora 35.
All others clients are ok.
When I use the same client key from fedora 35 of from another system, the other system pass, fedora client is refused.
Confirmed. Same key working as client with an old android phone and ubuntu 20.04, not working with fedora 35 ( client is OpenSSH_8.7p1, OpenSSL 1.1.1l FIPS 24 Aug 2021
The error message in server side is :
ssh-chat_1 | [sshd] 2021/11/09 18:22:16 [192.168.0.42:40768] Failed to handshake: [ssh: no auth passed yet, public key authentication required]
Confirmed which? That the bug exists or that it does not?
If it exists, could you please confirm it with one of the more recent unreleased tags? E.g. https://github.com/shazow/ssh-chat/releases/tag/v1.11-rc1
I can only confirm my own test since i don't have the skills to really investigate. (The bug seems to exists with the fedora 35 ssh client)
I will try to compile the v1.11 rc1 and test it.
If you can test with fedora 35 (gnome version) as client may be you could see the problem ?