Ticket #51 (closed defect: fixed)

Opened 10 years ago

Last modified 7 years ago

Intermittent ssh-dss authentication failures

Reported by: tonyspoken Owned by: bagder
Priority: normal Milestone:
Component: protocol Version: 0.18
Keywords: Cc: tonyspoken, bagder, dfandrich, noahwilliamsson
Blocked By: Blocks:

Description

Hi there.

Just to track down the problem of the libssh2 with public-key authorization that leads sometimes to a failure.

[libssh2] Failure Event: -19 - Invalid signature for supplied public key, or bad username/public key combination

It appears to be mentioned in libcurl but not here: it happens once every 100-150 retries.
I've attached libssh2 logs for both successful and unsuccessful cases.
Hope that someone with time/competence on this piece of code could give a hand.

Regards,
Antonio

Attachments

logs.zip (27.7 KB) - added by tonyspoken 10 years ago.
Libssh2 logs for both successful and unsuccessful logins

Change History

Changed 10 years ago by tonyspoken

Libssh2 logs for both successful and unsuccessful logins

comment:1 Changed 8 years ago by bagder

Too old. If this still happens, file a new bug report and include details such as version number, crypto library and version and operating system. Thanks!

comment:2 Changed 8 years ago by dfandrich

This still happens for me in libssh2 v1.1. The symptom is random failure of the curl test suite with an error 67 authentication failure. I spent some time a while ago trying to track the problem in libssh2 without success.

comment:3 Changed 8 years ago by noahwilliamsson

I've got this problem too, though I'm experiencing the problem through a PHP extension that relies on libssh2.
I'm not able to reproduce the problem at will but it does happen intermittently, around 1 out of 10 times.

The PHP extension is http://pecl.php.net/package/ssh2 and I'm running the latest version of it, though the previous release had the same problem.
This extension is built against libssh2 version 0.18 from Ubuntu 8.04's package repository.

The extension's ssh2_auth_pubkey_file() is where things randomly fail.
Except for doing some dummy input checks it basically calls libssh2 like this:

    if (libssh2_userauth_publickey_fromfile_ex(session, username, username_len, pubkey, privkey, passphrase)) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Authentication failed for %s using public key", username);
        RETURN_FALSE;
    }

Nothing is logged on the remote server, a modern OpenSSH release, when the problem occurs.

Could there be some kind of problem with the way the keys are chosen, stored or loaded?
I.e., them not being prime numbers or similar and tripping internal or remote checks?

The OpenSSL version the libraries are built against is OpenSSL 0.9.8g-4ubuntu3.5.
FWIW, I'm on an x86-64 bit platform (Ubuntu 8.04, LTS).

comment:4 Changed 8 years ago by noahwilliamsson

Sorry, the crypto library linked against is libgcrypt version 1.2.4-2ubuntu7 and NOT openssl as I previously stated.

I'm also using an empty passphrase for the pubkey auth.

comment:5 Changed 8 years ago by noahwilliamsson

I can confirm this problem exists with the 1.1 version of libssh2 too.

comment:6 Changed 8 years ago by noahwilliamsson

..and this time, libssh2 version 1.1 is linked against openssl 0.9.8g and not libgcrypt.

comment:7 Changed 7 years ago by stuge

  • Component set to protocol
  • Resolution set to fixed
  • Status changed from assigned to closed
  • Summary changed from (Pseudo)random authentication failures with public key to Intermittent ssh-dss authentication failures
  • Version set to 1.2.3

I believe this was fixed in commit 1aba38cd7d2658146675ce1737e5090f879f3068 on Dec 6 2009, which is included in release 1.2.3. Please reopen if you can reproduce with a recent release.

comment:8 Changed 7 years ago by stuge

  • Version changed from 1.2.3 to 0.18