
Bug#766280: openssh-client: Failure to authenticate when PKCS11Provider is set and PKCS11Provider does not have an authorized key



Package: openssh-client
Version: 1:6.7p1-2
Severity: normal

Dear Maintainer,

After upgrading openssh-client from version 6.6p1-8 to 6.7p1-2 authentication
with the RSA key or password fails when a PKCS11Provider is set and the
PKCS11Provider doesn't have an authorized key. When the PKCS11Provider is
commented out and when the PKCS11Provider has an authorized key, authentication
works as expected.

Verbose output of ssh:

winfried@tinie:/etc/ssh$ ssh -v -v -v -4 miepie
OpenSSH_6.7p1 Debian-2, OpenSSL 1.0.1j 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to miepie [192.168.2.1] port 22.
debug1: Connection established.
debug1: manufacturerID <PKCS#11 Kit> cryptokiVersion 2.20 libraryDescription
<PKCS#11 Kit Proxy Module> libraryVersion 1.1
debug1: label <System Trust> manufacturerID <PKCS#11 Kit> model <p11-kit-trust>
serial <1> flags 0x402
C_OpenSession failed: 226
debug1: label <SSH Keys> manufacturerID <Gnome Keyring> model <1.0> serial
<1:SSH:HOME> flags 0x50a
debug1: have 1 keys
debug1: label <Secret Store> manufacturerID <Gnome Keyring> model <1.0> serial
<1:SECRET:MAIN> flags 0x50c
debug1: label <Gnome2 Key Storage> manufacturerID <Gnome Keyring> model <1.0>
serial <1:USER:DEFAULT> flags 0x50c
debug1: label <User Key Storage> manufacturerID <Gnome Keyring> model <1.0>
serial <1:XDG:DEFAULT> flags 0x500
debug1: identity file /home/winfried/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/winfried/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
Debian-2
debug1: match: OpenSSH_6.7p1 Debian-2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "miepie" from file
"/home/winfried/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/home/winfried/.ssh/known_hosts:52
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com
,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256
,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-
cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-
sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com
,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-
cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-
sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc
,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc
,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com
,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-
sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256
,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-
ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-
md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com
,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-
sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256
,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-
ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-
md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256
,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com
,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-
sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256
,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com
,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-
sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256
,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA dd:bd:73:73:63:42:e4:67:89:19:46:7f:c5:ee:2c:d8
debug3: load_hostkeys: loading entries for host "miepie" from file
"/home/winfried/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/home/winfried/.ssh/known_hosts:52
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.2.1" from file
"/home/winfried/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/home/winfried/.ssh/known_hosts:54
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'miepie' is known and matches the RSA host key.
debug1: Found key in /home/winfried/.ssh/known_hosts:52
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so (0x7fa6583d3510),
debug2: key: /home/winfried/.ssh/id_rsa (0x7fa6583d36a0),
debug2: key: /home/winfried/.ssh/id_dsa ((nil)),
debug2: key: /home/winfried/.ssh/id_ecdsa ((nil)),
debug2: key: /home/winfried/.ssh/id_ed25519 ((nil)), explicit
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-
interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp
7f:12:8a:34:4d:fd:50:6c:95:97:8c:1d:0f:5d:66:b2
debug3: sign_and_send_pubkey: RSA
7f:12:8a:34:4d:fd:50:6c:95:97:8c:1d:0f:5d:66:b2
debug1: C_FindObjects failed (nfound 0 nattr 3): 0
debug1: C_FindObjects failed (nfound 0 nattr 2): 0
cannot find private key
Connection closed by 192.168.2.1



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (1001, 'testing'), (650, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.13
ii  libc6             2.19-11
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-10
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1j-1
ii  passwd            1:4.2-2+b1
ii  zlib1g            1:1.2.8.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-9

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
PKCS11Provider /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so


-- no debconf information
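As an added triage aid (not part of the bug report or of OpenSSH), the following Python walks a client-side `ssh -vvv` log like the one above in order and reports which identity was offered, which one the server accepted, and whether the run died while signing with a key from the configured PKCS11Provider. The sample lines are taken from the report with the mail-wrapped fingerprint line rejoined; the function name and the verdict strings are my own.

```python
import re

# Constructed sample: the relevant lines of the report's `ssh -vvv` output,
# with the wrapped sign_and_send_pubkey line rejoined onto one line.
SAMPLE_LOG = """\
debug1: identity file /home/winfried/.ssh/id_rsa type 1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug3: sign_and_send_pubkey: RSA 7f:12:8a:34:4d:fd:50:6c:95:97:8c:1d:0f:5d:66:b2
debug1: C_FindObjects failed (nfound 0 nattr 3): 0
debug1: C_FindObjects failed (nfound 0 nattr 2): 0
cannot find private key
Connection closed by 192.168.2.1
"""

OFFER_RE = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")
ACCEPT_RE = re.compile(r"^debug1: Server accepts key: pkalg (\S+)")
SIGN_RE = re.compile(r"^debug3: sign_and_send_pubkey: (\S+) (\S+)$")
P11_ERR_RE = re.compile(r"^debug1: (C_\w+) failed")


def triage_ssh_debug(log_text, pkcs11_provider):
    """Walk a verbose ssh client log in order and report which identities were
    offered, which one the server accepted (with its fingerprint), and whether
    the run aborted while signing with a key from the PKCS#11 provider."""
    r = {"offered": [], "accepted": None, "fingerprint": None,
         "pkcs11_errors": [], "verdict": "no-verdict"}
    for line in log_text.splitlines():
        if m := OFFER_RE.match(line):
            r["offered"].append({"type": m.group(1), "source": m.group(2)})
        elif (m := ACCEPT_RE.match(line)) and r["offered"]:
            # The server accepted the identity offered immediately before.
            r["accepted"] = dict(r["offered"][-1], pkalg=m.group(1))
        elif m := SIGN_RE.match(line):
            r["fingerprint"] = m.group(2)
        elif m := P11_ERR_RE.match(line):
            r["pkcs11_errors"].append(m.group(1))
        elif line.startswith("cannot find private key"):
            src = r["accepted"]["source"] if r["accepted"] else None
            # The accepted key came from the provider, but the provider could
            # not produce its private half; ssh gives up instead of moving on
            # to the remaining identities (id_rsa was never offered).
            r["verdict"] = ("pkcs11-sign-failed" if src == pkcs11_provider
                            else "private-key-missing")
        elif line.startswith("debug1: Authentication succeeded"):
            r["verdict"] = "ok"
    return r
```

Run it over a full `ssh -vvv` capture with the PKCS11Provider path from ssh_config; a `pkcs11-sign-failed` verdict with only the provider in `offered` is the pattern shown in this report.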

