
Bug#599017: openssh-client: Global "User" setting in .ssh/config fails



Package: openssh-client
Version: 1:5.5p1-5
Severity: normal
Tags: upstream


To save typing, my .ssh/config started with "User = bart",
which was intended to apply globally unless overridden by the
"User" setting for a particular connection.  Although I
may be mistaken, I think the manual implies that this is
supposed to work.

Sadly, it doesn't; with this configuration, when publickey
authentication fails, rather than fall back to password
authentication the client simply repeatedly sends some bogus
public key until the server dies.  Here's a trace:

    OpenSSH_5.5p1 Debian-5, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /home/bart/.ssh/config
    debug1: Applying options for test
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to bartfan.po8.org [192.168.1.7] port 22.
    debug1: Connection established.
    debug1: identity file /home/bart/.ssh/id-rsa-test type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
    debug1: identity file /home/bart/.ssh/id-rsa-test-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-5
    debug1: match: OpenSSH_5.5p1 Debian-5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-5
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'bartfan.po8.org' is known and matches the RSA host key.
    debug1: Found key in /home/bart/.ssh/known_hosts:59
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/bart/.ssh/id-rsa-test
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: bart@bartfan
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: bart@bartfan
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: bart@bartfan
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: bart@bartfan
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: bart@bartfan
    Received disconnect from 192.168.1.7: 2: Too many authentication failures for bart

Moving the "User" option to be private to each connection in
the config file seems to solve the problem.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (950, 'testing'), (650, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.33           Debian configuration management sy
ii  dpkg                    1.15.7.2         Debian package management system
ii  libc6                   2.11.2-2         Embedded GNU C Library: Shared lib
ii  libedit2                2.11-20080614-1  BSD editline and history libraries
ii  libgssapi-krb5-2        1.8.1+dfsg-5     MIT Kerberos runtime libraries - k
ii  libssl0.9.8             0.9.8o-1         SSL shared libraries
ii  passwd                  1:4.1.4.2-1      change and administer password and
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist             0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-client suggests:
pn  keychain                     <none>      (no description available)
pn  libpam-ssh                   <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras

-- Configuration Files:
/etc/ssh/ssh_config changed:
Host *
ForwardX11 = yes
CheckHostIP = no
StrictHostKeyChecking = no
    SendEnv = LANG LC_*
    HashKnownHosts = no


-- no debconf information
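
An added example, not part of the original report: a Python parser for `ssh -v` client traces like the one above that counts public-key offers per key and reports whether the server disconnected before another allowed method (here, password) was ever tried. The sample lines are copied from the authentication part of the trace in the report; the function name and result fields are assumptions made for this example.

```python
import re
from collections import Counter

# Authentication part of the trace in the report (key exchange lines omitted).
SAMPLE_TRACE = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/bart/.ssh/id-rsa-test
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: bart@bartfan
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: bart@bartfan
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: bart@bartfan
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: bart@bartfan
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: bart@bartfan
Received disconnect from 192.168.1.7: 2: Too many authentication failures for bart
"""

OFFER = re.compile(r"^debug1: Offering public key: (\S+)")
METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
ALLOWED = re.compile(r"^debug1: Authentications that can continue: (\S+)")
DISCONNECT = re.compile(r"^Received disconnect from (\S+): (\d+): (.*)$")

def summarize_auth(trace):
    """Summarize the userauth phase of an `ssh -v` client trace."""
    offers, tried, allowed, reason = Counter(), [], set(), None
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := OFFER.match(line):
            offers[m.group(1)] += 1            # one server-side attempt per offer
        elif m := METHOD.match(line):
            tried.append(m.group(1))           # methods the client actually started
        elif m := ALLOWED.match(line):
            allowed.update(m.group(1).split(","))
        elif m := DISCONNECT.match(line):
            reason = m.group(3)
    untried = sorted(allowed - set(tried))
    too_many = bool(reason) and "Too many authentication failures" in reason
    return {
        "total_offers": sum(offers.values()),
        "repeated_keys": {k: n for k, n in offers.items() if n > 1},
        "methods_never_tried": untried,
        "disconnect_reason": reason,
        # True when offers used up the attempts while a fallback was still open
        "exhausted_before_fallback": too_many and bool(untried),
    }

if __name__ == "__main__":
    print(summarize_auth(SAMPLE_TRACE))
```

Each rejected offer counts as a failed attempt on the server, so a key offered repeatedly can use up the server's limit (sshd's `MaxAuthTries`, default 6) before the client reaches password authentication.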


